In late June, one of cybersecurity expert Steven Adair’s clients got an alert from Microsoft: one of the client’s employees working on human rights issues had their email account compromised. The client wanted to know if Adair could get to the bottom of it.
Adair, who used to work in cyberdefense at the U.S. space agency NASA before setting up his own firm, Volexity, immediately launched an investigation – and hit a brick wall.
“We pored over every detail related to this user’s behavior,” Adair told Reuters on Thursday. “We couldn’t turn up anything.”
The hackers who broke into his client’s emails were the same set of sophisticated cyber spies Microsoft MSFT.O this week blamed for stealing emails from senior U.S. officials, including State Department employees and Commerce Secretary Gina Raimondo. Microsoft said the hacks worked not by hijacking computers or stealing passwords but by taking advantage of a still-undisclosed security issue with the company’s ubiquitous online email service.
Because Adair’s client – whom he declined to identify – was not paying Microsoft for its premium security suite, detailed forensic data was unavailable and Adair had no way to figure out what had happened.
“We basically became a spectator at that point,” he said.
Adair is now pushing for Microsoft to provide the additional data to its clients free of charge, a campaign that has picked up steam in the wake of the breach amid disquiet with the software giant’s security practices in government circles.
U.S. Senator Ron Wyden said Microsoft should offer all its customers full forensic capabilities, saying that “charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags.”
Microsoft did not immediately return messages seeking comment on Adair’s experience, Wyden’s comment, or other criticism of its security.
In a blog post that first outlined the hack late on Tuesday, Microsoft said that “accountability starts with us” and that it was “continually self-evaluating, learning from incidents” and strengthening its defenses.
A STORM IN THE CLOUD
For years individuals, organizations and governments have been moving their emails, spreadsheets and other data off their own servers and on to Microsoft’s, taking advantage of cost savings and the integration with the Redmond, Washington-based company’s suite of office tools. At the same time, Microsoft has promoted the use of its own security products, prompting some clients to abandon what they saw as redundant antivirus programs.
The process of migrating an organization’s data and services to a big tech firm is sometimes called “moving to the cloud.” It can boost security, especially for small organizations that lack the resources to run their own IT or security departments.
But competitors squeezed by Microsoft’s security offering are sounding the alarm over how wide swaths of industry and government were effectively putting all their eggs in one basket.
“Organizations need to invest in security,” Adam Meyers of cybersecurity company CrowdStrike said in an email distributed to journalists on Wednesday. “Having one monolithic vendor that is responsible for all of your technology, products, services and security can end in disaster.”
Frustration is also building with Microsoft’s licensing structure, which charges customers extra for the ability to see detailed forensic logs like the ones Volexity’s Adair could not access. The issue has been a point of contention between the company and U.S. government ever since a hack of business software company SolarWinds (SWI.N) was disclosed in 2020.
Adair said he understood that Microsoft wanted to make money from its premium security product. But he said having more eyes open to cyberthreats would be a win-win for the company and its customers. He noted that the hackers – which Microsoft nicknames Storm-0558 – were caught only because someone at the State Department with access to Microsoft’s top-of-the-line logging noticed an anomaly in their forensic data.
“Having Microsoft further empower customers and security companies so they can work together is probably the best way,” Adair said.