Following an executive order from the US President to improve cyber security, the USA established the Cyber Safety Review Board (CSRB). It is intended to “review major cyber events and make specific recommendations.” One such “major” cyber event was the intrusion of presumably Chinese attackers into Microsoft’s cloud. After all, they spied on the emails of two US authorities and at least potentially had access to the data of all cloud customers. The CSRB is therefore now taking on this incident and cloud security in general. The investigation is to result in a report with concrete recommendations for action, which will be presented to US President Biden and Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency (CISA).
This announcement is a major setback to Microsoft’s attempts to downplay this glaring incident. The cloud giant still stubbornly refuses to reveal the specific details of the failure of its own security measures. So far it is not known how and where the master key was stolen, nor what the ominous “validation error” that made the key work at all actually consisted of. As it turned out after Microsoft’s original statement about the allegedly mitigated attacks, the stolen key granted unauthorized access to almost the entire Microsoft cloud.
It became clear early on that at least CISA was taking the incident extremely seriously. It is thanks to its insistence that Microsoft will in future at least provide, at no additional cost, the log files with which such attacks can be detected. It remains to be seen whether this CSRB investigation will now lead to more clarity and, above all, to pressure on Microsoft to deal with the issue of security in a more transparent manner.
Reactions from Europe? None!
But this announcement already amounts to a slap in the face for all European security and data protection authorities. According to Microsoft, the primary victims of the attack were European government agencies. It would therefore be only natural for them to stand up now and demand full disclosure from Microsoft as to how such a failure could have happened. A re-evaluation of their use of Microsoft and other cloud services should actually be high on the agenda.
But nothing: “The incident (…) does not lead to a fundamental reassessment of the security of cloud computing by the BSI,” says the statement from the top German security authority, which reached us after more than a week. It is still not known which European authorities were spied on, or to what extent. When asked about this by heise Security, the BSI replied that it was working closely with Microsoft on the matter, but that at the moment there is “no evidence that federal administration facilities are affected”. In my comment “20 years of blaster worm: the next worst case scenario is waiting in the cloud” I called it “tolerance rigidity” somewhat provocatively.