by Craig Silverman, ProPublica
ProPublica is a Pulitzer Prize-winning investigative newsroom. This story was originally published on ProPublica.
Series: Zero Trust: Inside Microsoft’s Cybersecurity Failures
Investigating how the world’s largest software provider handles the security of its own ubiquitous products.
After Russian intelligence launched one of the most devastating cyber espionage attacks in history against U.S. government agencies, the Biden administration set up a new board and tasked it to figure out what happened — and tell the public.
State hackers had infiltrated SolarWinds, an American software company that serves the U.S. government and thousands of American companies. The intruders used malicious code and a flaw in a Microsoft product to steal intelligence from the National Nuclear Security Administration, National Institutes of Health and the Treasury Department in what Microsoft President Brad Smith called “the largest and most sophisticated attack the world has ever seen.”
The president issued an executive order establishing the Cyber Safety Review Board in May 2021 and ordered it to start work by reviewing the SolarWinds attack.
But for reasons that experts say remain unclear, that never happened.
Nor did the board probe SolarWinds for its second report.
For its third, the board investigated a separate 2023 attack, in which Chinese state hackers exploited an array of Microsoft security shortcomings to access the email inboxes of top federal officials.
A full, public accounting of what happened in the SolarWinds case would have been devastating to Microsoft. ProPublica recently revealed that Microsoft had long known about — but refused to address — a flaw used in the hack. The tech company’s failure to act reflected a corporate culture that prioritized profit over security and left the U.S. government vulnerable, a whistleblower said.
The board was created to help address the serious threat posed to the U.S. economy and national security by sophisticated hackers who consistently penetrate government and corporate systems, making off with reams of sensitive intelligence, corporate secrets or personal data.
For decades, the cybersecurity community has called for a cyber equivalent of the National Transportation Safety Board, the independent agency required by law to investigate and issue public reports on the causes and lessons learned from every major aviation accident, among other incidents. The NTSB is funded by Congress and staffed by experts who work outside of the industry and other government agencies. Its public hearings and reports spur industry change and action by regulators like the Federal Aviation Administration.
So far, the Cyber Safety Review Board has charted a different path.
The board is not independent — it’s housed in the Department of Homeland Security. Rob Silvers, the board chair, is a Homeland Security undersecretary. Its vice chair is a top security executive at Google. The board does not have full-time staff, subpoena power or dedicated funding.
Silvers told ProPublica that DHS decided the board didn’t need to do its own review of SolarWinds as directed by the White House because the attack had already been “closely studied” by the public and private sectors.
“We want to focus the board on reviews where there is a lot of insight left to be gleaned, a lot of lessons learned that can be drawn out through investigation,” he said.
As a result, there has been no public examination by the government of the unaddressed security issue at Microsoft that was exploited by the Russian hackers. None of the SolarWinds reports identified or interviewed the whistleblower who exposed problems inside Microsoft.
By declining to review SolarWinds, the board failed to discover the central role that Microsoft’s weak security culture played in the attack and to spur changes that could have mitigated or prevented the 2023 Chinese hack, cybersecurity experts and elected officials told ProPublica.
“It’s possible the most recent hack could have been prevented by real oversight,” Sen. Ron Wyden, a Democratic member of the Senate Select Committee on Intelligence, said in a statement. Wyden has called for the board to review SolarWinds and for the government to improve its cybersecurity defenses.
In a statement, a spokesperson for DHS rejected the idea that a SolarWinds review could have exposed Microsoft’s failings in time to stop or mitigate the Chinese state-based attack last summer. “The two incidents were quite different in that regard, and we do not believe a review of SolarWinds would have necessarily uncovered the gaps identified in the Board’s latest report,” they said.
The board’s other members declined to comment, referred inquiries to DHS or did not respond to ProPublica.
In past statements, Microsoft did not dispute the whistleblower’s account but emphasized its commitment to security. “Protecting customers is always our highest priority,” a spokesperson previously told ProPublica. “Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners.”
The board’s failure to probe SolarWinds also underscores a question critics including Wyden have raised about the board since its inception: whether a board with federal officials making up its majority can hold government agencies responsible for their role in failing to prevent cyberattacks.
“I remain deeply concerned that a key reason why the Board never looked at SolarWinds — as the President directed it to do so — was because it would have required the board to examine and document serious negligence by the U.S. government,” Wyden said. Among his concerns is a government cyberdefense system that failed to detect the SolarWinds attack.
Silvers said while the board did not investigate SolarWinds, it has been given a pass by the independent Government Accountability Office, which said in an April study examining the implementation of the executive order that the board had fulfilled its mandate to conduct the review.
The GAO’s determination puzzled cybersecurity experts. “Rob Silvers has been declaring by fiat for a long time that the CSRB did its job regarding SolarWinds, but simply declaring something to be so doesn’t make it true,” said Tarah Wheeler, the CEO of Red Queen Dynamics, a cybersecurity firm, who co-authored a Harvard Kennedy School report outlining how a “cyber NTSB” should operate.
Silvers said the board’s first and second reports, while not probing SolarWinds, resulted in important government changes, such as new Federal Communications Commission rules related to cellphones.
“The tangible impacts of the board’s work to date speak for itself and in bearing out the wisdom of the choices of what the board has reviewed,” he said.
“We Have Fully Complied With the Executive Order”
The SolarWinds attack was a wakeup call for the federal government and the private sector. The White House’s executive order was designed to allow officials to move quickly to implement new cybersecurity practices.
But the executive order limited what the new cybersecurity board could do: The president cannot allocate funding from Congress or grant subpoena power.
When the board launched in early 2022, it bore little resemblance to the cyber board that Wheeler and her co-authors outlined in their Harvard report.
“Not a single one of our recommendations was adopted,” she said.
Housed in DHS’ Cybersecurity and Infrastructure Security Agency, the board consists of 15 unpaid volunteers — eight from government agencies and seven from the private sector. Silvers said this ensures the board has cutting-edge knowledge and the ability to follow through on its recommendations.
Although the board’s first mandate was to investigate SolarWinds, Homeland Security Secretary Alejandro Mayorkas and CISA Director Jen Easterly tasked the board instead to review a recently discovered vulnerability in Log4j, software used by millions of computers, which could allow attackers to breach systems worldwide, including some used by the U.S. government.
Silvers said it “was a perfect use case” for the board’s first review and that the White House agreed.
The board’s Log4j report, published in July 2022, found there had been no significant attacks on critical infrastructure systems due to this vulnerability. It offered 19 recommendations for companies, government bodies and open-source software developers.
Silvers continued to face questions about the decision not to probe SolarWinds but maintained that Log4j had been the more pressing topic for review.
“We have fully complied with the executive order,” Silvers told media on a call that month.
At first, a government watchdog agency disagreed.
When the GAO conducted its review of the executive order’s implementation, it found that the board had failed to fulfill its mandate. In its draft report, it recommended that Homeland Security direct the board to review SolarWinds as the president had instructed.
That didn’t sit well with DHS, which was given a chance to review and comment on the draft as part of the GAO’s standard process. DHS argued in a letter that the “intent” of a board review of SolarWinds had been met by references to the hack in the board’s Log4j report and previous research on SolarWinds by the DHS agency that administers the board.
Homeland Security also noted that the executive order had set a 90-day deadline for the board to complete the SolarWinds review, which it said was “unachievable.” Directing the board to do such a review now, it argued, would be “duplicative of prior work and an imprudent use of resources.”
“We request that GAO consider this recommendation resolved and closed, as implemented,” the letter said.
GAO agreed. Its final study said the mandate for a board review of SolarWinds had been “fully implemented.” The GAO accepted two government reports in place of one from the board: the Log4j review and a 2021 review of SolarWinds by the National Security Council, which is not public.
An aide to Wyden said the senator had not seen the NSC review. Neither has the GAO. Instead, the GAO told ProPublica that it “interviewed key contributors” to the security council’s review. The office also summarized three recommendations that the NSC deemed acceptable for public release, including a call for better information sharing among federal agencies. A spokesperson from the security council declined to comment.
The GAO said it accepted the board’s Log4j review because it included “information from the SolarWinds incident.” But aside from footnotes, the report mentions SolarWinds only once.
A board report would have been more beneficial to the cybersecurity community because it would have offered a detailed, public accounting of a major attack, said Steven Bellovin, a professor of computer science at Columbia University who has written articles and given presentations about the need for an independent cybersecurity board. “A secret report does not accomplish that,” he said.
Trey Herr, an assistant professor of foreign policy and global security at American University who co-authored reports on the CSRB and SolarWinds, also criticized the GAO’s decision. “I don’t know why GAO would suggest a private NSC review and a different CSRB work product are equivalent, given their vastly different authorities, scope, operation and expectations of transparency,” he said.
Asked to explain why it credited Homeland Security for completing a review that never occurred, Marisol Cruz-Cain, a director with GAO’s information technology and cybersecurity team, said in a statement that the office “stands by the statements and assessments.”
“GAO believes the government had taken sufficient steps to review the SolarWinds incident,” she said, including through collaboration with multiple federal agencies and the private sector and “by disseminating relevant guidance about SolarWinds.”
GAO also conducted its own study of SolarWinds, which was published in 2022. Like the other government reviews, it did not probe Microsoft’s role in the attack. A spokesperson said the GAO was focused on the impact the hack had on the federal government, so “we did not engage with Microsoft.”
“This Intrusion Should Never Have Happened”
After the 2023 Chinese-led hack used Microsoft vulnerabilities to infiltrate U.S. systems, the board scrutinized the tech giant’s role in the attack.
The report was scathing. “The Board concludes that this intrusion should never have happened,” the report found, citing a “cascade of security failures at Microsoft.” The board called for an overhaul of Microsoft’s “inadequate” security culture and listed seven areas where the company failed to apply proper security practices or to detect or address flaws or risks.
Microsoft announced a series of changes and said it would implement all of the board’s recommendations.
The report triggered a House Homeland Security Committee hearing with Microsoft president Smith last month. Smith said the company was making security its top priority.
He also raised concerns about the board’s conflicts of interest. While Wyden and other experts have criticized the role of federal officials, Smith complained about the board’s private-sector members, including executives from Google and other Microsoft competitors. “I think it’s a mistake to put on the board the competitors of a company that is the subject of a review,” he said. Smith warned that other companies might not be as cooperative with the board as he said Microsoft had been.
Three of the board’s private-sector members — including board Vice Chair Heather Adkins, a Google executive — recused themselves from the Microsoft report, as did two members from the Office of the National Cyber Director and one from the FBI, who were replaced by one colleague from each agency.
A DHS spokesperson declined to say why the public-sector members recused themselves but said board members are required to step aside if a review includes “examinations of their employers’ products or those of competitors” or if a board member has “financial interests relating to matters under consideration.”
Silvers said every board member, including public-sector members, goes through a “rigorous” review of conflicts of interest. He said the current model has proven effective and is less costly than standing up an independent agency.
“Creating an entirely new agency with a professional workforce would be exceedingly expensive, would take many years to do and could cannibalize the scarce cyber talent that we have in the U.S. government as it is,” he said. “In an era of scarce budgets, belt tightening, competition for talent, it’s really a terrific model.”
Still, DHS acknowledges that the board needs more resources and investigative muscle. Last year, the department released proposed legislation to make the board permanent, with dedicated funding, limited subpoena power and a full-time staff.
Silvers said the bill has the support of the Biden administration, but it has not been introduced and does not have a sponsor.
Wheeler, the cybersecurity executive, said she recognizes how challenging any reforms would be but that she and others will keep advocating for the board to become an independent government agency.
“I am frankly surprised that they got [the board] done at all,” she said. “Now I want them to make it better.”