Microsoft president tells lawmakers 'red lines' needed for nation-state attacks

Microsoft president Brad Smith testified before a congressional committee on Thursday, at times accepting responsibility for the company’s recent cybersecurity mistakes while simultaneously deflecting criticism of the tech giant’s practices. He also called on the government to create "consequences" for nation-state hackers who compromise U.S. systems. 

The House Homeland Security Committee brought Smith in to discuss a recent DHS report on a 2023 incident where hackers allegedly tied to China’s government breached the email accounts of senior U.S. government leaders.

The Cyber Safety Review Board (CSRB) behind the report concluded the intrusion “should never have happened,” and throughout their review they “identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

In submitted testimony and at the beginning of the hearing, Smith said Microsoft “accepts responsibility for each and every one of the issues cited” without “equivocation or hesitation” and “any sense of defensiveness.”

But later in the hearing, Smith was asked about the makeup of the review board and implied that Microsoft’s rivals had used it as a cudgel against them.

Without naming any of the alleged “rivals,” Smith said it is “probably a mistake to put on the board people who work for competitors of a company that is the subject of a review.” He said he was concerned that in the future others will use the board to “just make hay out of others' mistakes.”

Another committee member noted later on that any employees of perceived Microsoft competitors had been recused from participating in the creation of the report. 

When asked by ranking member Benny Thompson (D-MS), Smith committed to providing Congress with timelines and benchmarks for Microsoft’s implementation of the 16 recommendations included in the CSRB report as well as updates on the progress of Microsoft’s Secure Future Initiative. 

Smith spoke at length about a recently announced endeavor to tie parts of executive compensation packages to the cybersecurity posture of Microsoft. But when pressed on the specifics of the initiative and how it would work in practice, Smith said he did not know and would provide more information at a later date. 

Red lines, Recall and deepfakes

The committee used the hearing as a chance to ask Smith about a range of other cybersecurity issues concerning Microsoft. 

Several members asked what Microsoft believes the federal government can do to better protect U.S. infrastructure from nation-state cyberattacks and criminal incidents. 

Smith said the U.S. government needs to “draw red lines” so it is clear to the world “what they cannot do without accountability.” 

“We need collective action with the private and public sector and with allied governments so that when those red lines are crossed, there is a public response and people know what has happened,” he said. “We need to start defining some consequences right now because these threat actors are living in a world where they are not facing consequences.”

Other lawmakers pressed Smith about the company’s foray into artificial intelligence and the recent concerns about the creation of deepfakes. Following an incident earlier this year involving deepfake pornography made of singer Taylor Swift, another prominent musician came out this week to say she too had seen similar content created using her likeness.

A lawmaker told stories of teenage girls being bullied with deepfake pornography and questioned whether regular citizens would be provided with the same kind of protections as political candidates — who can report deepfakes to Microsoft. 

Smith said he would go back to his team and provide more answers at a later date about what can be done to create more guardrails around AI. 

He also addressed the recent controversy over the new Recall feature that allows devices to screenshot every action a person takes on their PC. After weeks of complaints and criticisms of how the feature could be abused by hackers, Microsoft decided to turn it off as a default last week. 

Smith hailed the fiasco as evidence that Microsoft’s commitment to security was having tangible effects. The incident was part of a “culture change,” and Smith said it was a “great lesson” that when creating features designers have to “think about the security aspects.” 

“Culture change requires constant role modeling and practice, and so each time through this, we're talking very publicly, so that everybody can see, inside and outside Microsoft, quite tangibly, how people can weave this into the design decisions they're making,” he said. 

“When you do technology, I think one of the mistakes you can make is to think that you have all the answers. You only get to the best answers when you have these kinds of collective and public conversations.”

Several representatives asked Smith about a story from ProPublica that came out on Thursday morning about Microsoft executives ignoring warnings from one of its security researchers about a vulnerability that was eventually used by the Russian hackers who conducted the SolarWinds breach. 

Smith repeatedly said he had not read the story and could not comment on its revelations. 

The hearing was the second time in as many months that an executive was brought in to face pointed questions about their company’s cybersecurity practices. UnitedHealth CEO Andrew Witty was grilled in May about the ransomware attack that had shut down operations at its subsidiary, Change Healthcare, creating a massive digital bottleneck in the American health industry.