Lawfare Daily: DHS Under Secretary Robert Silvers on the CSRB's Report on the Summer 2023 Microsoft Exchange Online Intrusion
Published by The Lawfare Institute
In March, the Cyber Safety Review Board issued a report examining the Summer 2023 Microsoft Exchange Online Intrusion. Stephanie Pell, Senior Editor at Lawfare, sat down with Robert Silvers, Under Secretary for Policy at the Department of Homeland Security and Chair of the Cyber Safety Review Board to discuss the report. They talked about the Board’s determination that the intrusion was preventable and should never have occurred, Microsoft’s response to the report, and the Board’s unique role as a true public-private partnership, giving it a powerful position from which to drive change.
To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://www.givebutter.com/c/trumptrials
Please note that the transcript was auto-generated and may contain errors.
Transcript
[Audio Excerpt]
Robert Silvers
Hackers affiliated with the Chinese government were able to obtain what's called a sign-in key from Microsoft. And a sign-in key is essentially the cryptographic crown jewels of a cloud provider.
Stephanie Pell
It's the Lawfare Podcast. I'm Stephanie Pell, Senior Editor at Lawfare, with Robert Silvers, Under Secretary for Policy at the Department of Homeland Security and Chair of the Cyber Safety Review Board.
Robert Silvers
I think anytime you can make the conversation about security and how to protect customers, that's a really positive thing. And if different cloud companies are responding to the Cyber Safety Review Board's work by upping their security game, that's a fabulous impact that the Board can make.
[Main Podcast]
Stephanie Pell
Today, we're talking about the Cyber Safety Review Board's report on the Summer 2023 Microsoft Exchange Online Intrusion.
Rob, before we get into the weeds of the Cyber Safety Review Board's most recent report, can you give us some background about the Board? What is its mission?
Robert Silvers
The Cyber Safety Review Board conducts deep fact-finding and then issues recommendations in the wake of major cyber incidents. The Board is truly public-private. Half the members are all the key federal leads for cyber security, talking the heads of cyber at the NSA, the FBI, CISA, and the like. And then on the private sector, we have seven luminaries, from the co-founder of one of the biggest cybersecurity companies in the world to the director of security engineering at Google and on and on. And so it's really an incredible group that comes together representing every relevant perspective to find lessons learned when things go wrong.
Stephanie Pell
And you touched on it a bit, but what makes the Cyber Safety Review Board unique when compared to other cyber security entities?
Robert Silvers
We haven't had an organization until now that comes together to study these incidents for the benefit of everyone in the community. When you've had bad cyber incidents—and we've had some doozies over the decades—the victim company itself may investigate, you may have a law enforcement or a regulatory investigation. But those are all for relatively narrow purposes. No one has really rolled it over to say, what happened here and what can we all learn? How can we all do better so this doesn't happen again? And that is why this is a very special organization that has made a lot of impact already. It's still relatively new. We launched the Cyber Safety Review Board in February of 2022. So it's just over two years old, but already we've seen its waves making impact and driving change across the cyber ecosystem at companies, at regulators, at other government agencies. And so this is a model that seems to be working and that people are really drawn to.
Stephanie Pell
You explained that there are both members from the government and also members from the private sector. You are currently the Chair of the Cyber Safety Review Board. Who is the current Deputy Chair, and was there a different Deputy Chair for the particular report we're about to talk about than there is now, or there has been generally with other parts of the Cyber Safety Review Board's work?
Robert Silvers
The private sector members all serve in their personal capacities, so they're not allowed to share information they gain during the course of a board review with their employers. But nevertheless, we're very focused on possible conflicts of interest and ensuring that we have strong ethics and recusal rules in place to address that. Every member has to file financial disclosures to DHS. They have to say every asset they own, every stock they own, every income source they have, and the like. And when we're starting a new review, our Career Ethics Counsel goes through each member and whether they have any potential conflicts that would warrant recusal.
In the last review we did on Microsoft Exchange Online, the Deputy Chair of the Board, Heather Adkins, who is Head of Security Engineering at Google, recused herself from the review because Google is a direct competitor of Microsoft in a number of lines of business. And so Heather stepped aside for this review. So did a handful of other board members. But we have such a deep bench of talent that we were able to conduct a very strong and fulsome review with 12 members fully participating. And Dmitri Alperovitch, who runs Silverado Policy Accelerator and is the co-founder of the cyber company CrowdStrike, stepped in as the Deputy Chair for that review.
Stephanie Pell
The review of the Summer 2023 Microsoft Exchange Online Intrusion is the Board's third report. The Board's two prior reports focused on the Log4j event and on the Lapsus$ and related threat groups. How is a topic or issue chosen for the Board to study? Can you tell us a bit about the process that the Board undertakes to study a particular issue or major cyber event?
Robert Silvers
The Secretary of Homeland Security or the Director of CISA, the Cyber Security and Infrastructure Security Agency, can task the Board to conduct a review. And what we look at when we're deciding what should be the next review is, what's an incident that had a lot of impact that really seemed to take advantage of a vulnerability or a shortcoming out there, which we feel that an investigation could help bring light to and cause some remedial action to take place? What are areas where there are likely to be lessons learned that haven't been deeply studied already? So we're always looking to drive impact. We're not looking to study things, to write reports for the sake of it. It's about driving change. And so we're looking for big incidents where there's the potential for that to happen. And we actually have published on our Cyber Safety Review Board website a list of criteria that the department and its leadership considers when considering what reviews to commission.
Stephanie Pell
And are board members given access to classified information, if that information is needed as part of the review process?
Robert Silvers
Yes, they are. It is a requirement to serve on the Board that you be eligible to have a security clearance. And in some reviews where there was relevant classified information, we've made that information to all the members, including the private sector members. And so we all get together in SCIFs, secure compartmented information facilities, to look at whatever information is needed. It's helpful that one of the members of the Board is the Head of Cyber Security at the NSA. And so we have an ability to draw upon the most important intelligence to conduct our work. I will say that in the three reviews to date, the vast majority of information that the Board has considered has been unclassified.
Stephanie Pell
So let's turn to the substance of the Board's report on the Microsoft Exchange Online Intrusion. In the opening message from the Chair and Deputy Chair of the Board, you all state, “When a hacking group associated with the government of the People's Republic of China, known as Storm-0558, compromised Microsoft's cloud environment last year, it struck the espionage equivalent of gold. The threat actors accessed the official email accounts of many of the most senior U.S. government officials managing our country's relationship with the People's Republic of China.” Now, needless to say, this was a very serious event. Can you give our listeners a basic explanation of what is known about how the intrusion happened?
Robert Silvers
Hackers affiliated with the Chinese government were able to obtain what's called a sign-in key from Microsoft. And a sign-in key is essentially the cryptographic crown jewels of a cloud provider. When an adversary has a valid sign-in key, it can gain access to any part of an IT environment that that sign-in key is authorized access to. And in this case, the compromised sign-in key had huge access, access to virtually any email account of any Microsoft Exchange Online customer, which is many of the largest organizations, private and public sector, in the world. So it was a vast access that the Chinese were able to get a hold of here.
And they appeared to use that access in a relatively tailored way, presumably so as not to reveal or to keep secret for as long as they could the fact that they had it. It seems they didn't want to burn their access. And they compromised about 500 individual email accounts from about 22 organizations around the world. A lot of those organizations and compromised accounts were U.S. government officials that were responsible for managing our country's relationship with China. So they were able to gain access to the email inboxes of Commerce Secretary, Gina Raimondo; U.S. Ambassador to China, Nick Burns; Congressman Don Bacon, who's very prominent on China and Taiwan affairs. And so it was a real intelligence win for the Chinese government.
The Board came in to investigate and determined that the intrusion really was preventable and never should have happened at all and was the result of a series of security failures at Microsoft that allowed the Chinese to get access to all this information of their customers.
Stephanie Pell
And I want to talk more about those failures and the Board's findings and recommendations. But I found it interesting that you all noted in the report that it was the State Department and not Microsoft that first detected the intrusion. Can you talk about what the State Department discovered and how it discovered the intrusion?
Robert Silvers
The State Department deserves a lot of credit here because they set up custom alerts, custom rules, that would allow them to detect unusual activity in their environment. And they, in fact, detected, using those custom rule sets, some activity that showed access to State Department email inboxes that seemed unusual. And the State Department investigated and notified Microsoft, and indeed that is what allowed Microsoft to discover that, in fact, the intrusion was on the Microsoft end.
Stephanie Pell
So Microsoft then, of course, opened up an investigation of its own. And as the Board notes in its report, Microsoft realized it had a major overlapping set of problems. First, someone was using a Microsoft sign-in key to issue their own tokens. Second, the 2016 Microsoft services account, or MSA, key in question was no longer supposed to be signing new tokens. And third, someone was using these consumer-signed tokens to gain access to enterprise email accounts. Now this discovery, as the report indicates, triggered an all-hands-on-deck investigation at Microsoft, focusing on the 2016 key that had issued these tokens.
And as I understand it, and as you talk about it in the report, Microsoft was developing some hypotheses for how Storm-0558 obtained the key. Was there one hypothesis that linked back to a compromise of the Microsoft corporate network by Storm-0558?
Robert Silvers
The discovery of what happened at the State Department did trigger a major investigation within Microsoft. And I should note, we know that because Microsoft cooperated fully in the Cyber Safety Review Board's review. We think they answered 100 percent of our questions to the very best of our ability, and they made their executives available for extensive in-person briefings and then follow-up in writing and the like.
It did trigger a lot of concern within Microsoft for the reasons you note, and that triggered a lot of concerns at the Board. This was a sign-in key that was forged in 2016. It should not have been valid still in 2023. Sign-in keys should be rotated much more frequently than that, but this one was not. In addition, it was a sign-in key made for consumer accounts, like if an individual sets up their own Microsoft account, and yet it was able to gain access to enterprise accounts, like those of a company or a government agency. And so these were some of the security issues that the Board observed and that led us to go deeper into the review.
Stephanie Pell
But at the conclusion of the Board's review, the report notes that Microsoft was still unable to demonstrate that it knew how Storm-0558 had obtained the 2016 key. How concerning is that lack of knowledge or inability to determine how the key was acquired? And is it your understanding that Microsoft is still investigating how the key was obtained?
Robert Silvers
As of when the Board finished its work, which was in the middle of March of 2024, Microsoft had not yet been able to determine how it was that the sign-in key was compromised. Microsoft developed a fulsome list of dozens of potential theories of how it could have been compromised and told us about its efforts to investigate and run down each of those potential theories. But as of that time, there was no root cause determined.
And that's a concern because it is one thing to lose control over a sign-in key. It's another thing to not know how that happened because then Microsoft customers don't necessarily have the confidence that the vulnerability has been identified and closed off.
Stephanie Pell
Now, along the way and I will note that the report has some very useful details, but putting together a timeline about the intrusion, the investigation broadens with a number of government incident responders, along with victim organizations, conducting or assisting in various aspects of the investigation. Can you talk about the role played by these entities, government responders and victim organizations, and the capabilities that those entities brought to bear?
Robert Silvers
CISA, which is responsible for the security of federal civilian agencies, already had a team embedded with the State Department. And so CISA went into action helping with the investigation to identify potential indicators and to work the issues down with the State Department and Microsoft. The FBI, given that there was a nation state actor here, came in and initiated an investigation and worked with the parties as appropriate. And so the U.S. government apparatus here did spring into action. But I think we should be candid that at that point, the horse was out of the barn.
Stephanie Pell
Now, we talked about the fact that the intruder here was a hacking group known as Storm-0558, assessed to be associated with the government of the People's Republic of China. And this wasn't the first time that this particular group had come on Microsoft's radar. And the report gives some assessment of that particular group. Can you talk about how the report looked at and assessed the group, and whether the Board thought that this hacking group was seeking or prioritizing certain goals in this intrusion?
Robert Silvers
This hacking group has been tracked for over a decade, 15 years or longer, and they are pretty good at exploiting weaknesses in identity and authentication controls at companies and other kinds of organizations. Storm-0558 was associated with the hack of Google and other companies in 2009 called Operation Aurora, the hack against RSA in 2011, and now this one in 2023. Now what we found as a Board was that many of the large U.S. cloud service providers had learned the lessons of Operation Aurora and those earlier hacks and built entire architectures for identity and authentication to prevent against this kind of attack happening, but that Microsoft had not adopted some of those key security controls.
Now, I will note that in just recent weeks since the Cyber Safety Review Board published its report, Satya Nadella of Microsoft has come out and expressed to his entire workforce in a memo that security comes first and is to be prioritized over the development of new products and features and that, in fact, executive compensation for his senior management team is now going to have achievement of security milestones as a key criterion. It is very good to see that, really important to see that. And I think that Microsoft appears to have taken note of what we found and taken some key steps to address that about prioritizing security within their environment and for their customers. We are going to look forward to partnering with Microsoft at CISA, at our department, as it implements those new security action plans that it has published. But it was good to see those published.
Stephanie Pell
So I want to drill down on two statements that you made. The first is, you talked about the steps that other cloud service providers had taken in response to the Storm-0558 group and the threat they presented. I presume that the investigation and review that the Board conducted involved interviewing not just Microsoft, but a host of cloud service providers that our listeners are probably very familiar with.
Robert Silvers
That's exactly right. We spoke with all the major U.S. cloud service providers and at least four others in addition to Microsoft. And I think that was a very important piece of our work because it allowed us to baseline for what are really the best practices out there, what is the state of the art when it comes to cloud security.
It also shows the unique power of this Board to be able to gain open access to not just the victim company here, Microsoft, but also many of the other largest technology companies in the world, and to be able to ask them about nonpublic information about what they do for security, so that we can shine a light and set publicly what the baseline ought to be, is really new and unique and is a powerful impact of this board. Because one of the things that the Board recommended was a set of security best practices that any cloud service provider should have in place, whether it's Microsoft or any of the others. And what we also announced is that CISA is going to now annually be assessing each cloud provider’s compliance with our recommended baselines and publishing its findings, so that there's transparency and so that companies and organizations can make informed purchasing decisions based on security.
Now, it's not a regulation. It's not required that any company, that any cloud provider work with us in developing that annual assessment. But if they don't work with us, we will publish that they didn't provide the information to us. And I think there's going to be a lot of powerful incentive in that mechanism for companies to provide the information to us so that we can provide it to the public, and a powerful incentive for companies to want to be at the leading edge of security so that our annual findings reflect that.
Stephanie Pell
So I want to hit upon some language you just used, which is, “the power and unique role of the Board.” And that language resonated with me as I thought about another statement that the Board made in its report: “The Board conducted a deep fact finding around the incident and concluded that the incident was preventable and should never have happened.” You say it was able to proceed, “because of a cascade of security failures at Microsoft.” That strong language, and I assume the members of the board meant it to be, part of the reason is to drive the kind of change you were just talking about.
Robert Silvers
We're always going to be direct in what we say. We call balls and strikes on this board. And in this case, like in all others, we called it like we saw it. And then it's time to put that out there. And then importantly, it's time to move forward with recommendations and actions to make everyone more secure.
Stephanie Pell
And I just want to bring attention because, again, you use direct language. It was strong language, at least in my view. And part of that came from a series of things that you observed, failures or problems that could have been prevented. You're welcome to highlight any of those failures or problems, but one that particularly stuck out to me was the fact that Microsoft published information that turned out to be inaccurate about facts and circumstances surrounding the intrusion, and that it took too long to correct those factual inaccuracies.
Robert Silvers
That's true. In September of 2023, Microsoft published a blog on this incident, and it said that it was likely that the sign-in key had been compromised when Chinese actors gained access to what is known as a crash dump. As it turned out, after publishing that blog, Microsoft realized that it actually didn't really have any evidence that was the cause of the compromise. But it did not correct that blog for quite some time. Microsoft told the Board in November of 2023 that it knew that blog was not accurate. The Board asked if Microsoft was planning to correct it and repeatedly asked Microsoft about that public communication. As the Board was winding up its work in March, and after repeated questioning, Microsoft did update its blog to make clear that it did not have clear evidence that the crash dump was the cause.
The reason that was significant to us was because if you tell customers that you know what went wrong, the customers can gain a degree of confidence that you've gotten to the root of the problem and have closed it off so that it won't happen again. When, in fact, the case was that Microsoft didn't know how the key was compromised, and we thought that was a very significant issue, and that Microsoft's failure to timely correct its blog and to timely inform its customers of the state of its understanding of the incident was an issue that caused us to ask some questions about the culture of security at the company.
Stephanie Pell
And to that point about the culture of security, the report identifies that it was quite lacking. You have mentioned that Microsoft, since that time, has announced this new secure future initiative that they are implementing recommendations from the Board's report. How confident is the Board that this is enough, that this is real progress?
Robert Silvers
So about two weeks ago, from when we're taping today, Satya Nadella, the CEO of Microsoft, as I mentioned, sent a very strong message to all Microsoft global employees about the importance of prioritizing security and, as I noted, how security work would factor into compensation. Also, the same day, Charlie Bell, the Head of Security Architecture at the company, published a very detailed technical action plan for addressing every single one of the Cyber Safety Review Board's recommendations.
So all of that was serious and well-received at our department. We think it set the right tone from the top as a cultural matter of prioritizing security over everything, including speed of product delivery and development. We were also heartened to see that the company reviewed every recommendation the Board made and agreed to implement each one of those. Some of those recommendations included, by the way, the Board recommended that Microsoft CEO should personally take this issue on and hold senior leaders accountable and send the message within the company about what needs to happen. So it was excellent to see the CEO actually do that.
There's a lot of work to do to implement all that work and we look forward to working with Microsoft on it. They're a critical partner of ours. We're heavily invested in their success.
Stephanie Pell
And do you think Microsoft's actions will have a broader positive impact on the cloud ecosystem?
Robert Silvers
I think anytime you can make the conversation about security and how to protect customers, that's a really positive thing. And if different cloud companies are responding to the Cyber Safety Review Board's work by upping their security game and even getting out there publicly to show customers in the world how they're upping their game, that's a fabulous impact that the Board can make. And it's really good to see we are all in on that.
Stephanie Pell
And as you noted before, the Board has recommendations for the broader industry to ensure better security and that commitments are actually effectively implemented. You're planning to track the implementation. So that's going to be an ongoing process. But I imagine the Board has other major cyber incidents in its sight. Are you able to talk about what's next for the Board?
Robert Silvers
We don't have a new review underway since finishing the Microsoft review earlier this spring. I'm sure it won't be long because, regrettably, the serious hits keep coming in cybersecurity. We want to take on a review that's going to be high-impact, lead to recommendations that can really drive change in the ecosystem like we've seen from our first three reviews.
In the meantime, we continue to build up the board staff and architecture. Remember, it's still a relatively new organization and we want to make sure that it can endure for the long haul. So we are fortifying it with additional career staff and experts. We have a new career Executive Director, Liz Kozey, who's terrific. And we have also introduced, now that it's been two years, it's two-year membership terms, some of the original members have rolled off, and some new members are coming on board. So it will be fantastic to get that fresh perspective that new blood can bring to an organization.
And we've also proposed legislation to Congress, so that Congress can act to codify this board into statute and give it some of the authorities that it needs to make sure that it can continue conducting meaningful reviews for years and years to come. That includes our call that the Board be granted a limited subpoena authority, so that in every case where we're doing an investigation, we can be sure that we can get the information we need. We were fortunate that in the last review, Microsoft was fully cooperative. We may hit an occasion where a victim company is less cooperative. And in fact, in one of our earlier reviews, we had a number of victim companies that cooperated and provided information, but we had some that did not. And we want to make sure that a victim company's refusal to cooperate in the Board's important work doesn't frustrate the ability to get meaningful security change for the American people.
Stephanie Pell
So you raise a really important point, that the Board was actually established by an executive order. I believe it's EO 14028, Improving the Nation's Cybersecurity. What that essentially means is if another administration decided not to continue to enforce that executive order, the Board would not actually function in the way it is currently functioning, if at all. So the need to codify the Board in statute, I understand would be a very useful step to make sure the board can continue doing its work, across administrations for many years to come. Seems like that shouldn't be a terribly partisan issue? If you can talk about it, what kind of reception are you receiving on Capitol Hill, both for codification, and also, again, to give the board subpoena power so that it can make sure it can conduct the kinds of investigations and get the information needed like occurred in this recent investigation of the Microsoft Online Intrusion?
Robert Silvers
We've received a favorable reaction on a bipartisan basis to the Board's work. Republicans and Democrats alike on Capitol Hill have told us that they see what the Board has done. They've seen this most recent report on Microsoft and the ones before it. And they really like what the Board is doing. I do think there will be an appetite on a bipartisan basis to codify this Board into law. There are some questions. Anytime you talk about creating a new subpoena authority, there's going to be questions. And so I think that's where the action is going to be.
But I think we have a lot of good answers, right? You have members who are open-minded, but they want to make sure that the subpoena power won't be abused. They want to make sure that there's sufficient safeguards in place. They want to understand, huh, this is a board with private sector members. What does that mean to have a private sector member issuing a government subpoena? And they're all fair questions. And I really think our answers check out very well.
So what we're proposing is that only federal members get the opportunity to vote on a subpoena. Everything else is equal on this board, but for issuance of a subpoena, which is an inherently governmental function, we think that power should rest with the federal members only. We should, we think it should require a super majority vote of the federal agencies that are represented on the board to make sure that nothing is done loosely or at the discretion of a single person, even the Chair of the Board. And on top of that, remember, so private sectors wouldn't vote at all on a subpoena. And in any event, any private sectors that have a conflict of interest in the review would be recused off because of what we spoke of.
So there are really good checks and safeguards in place that we're proposing, and I think those are going to land well and we look forward to working with Congress on it.
Stephanie Pell
Anything else you would like to share with our listeners?
Robert Silvers
This is a powerful example of how truly public-private partnership can work. There's no division here between the government and industry when it comes to this board. We're coming together in a single organization to get the best solutions to the American people. We've seen other countries take note and say, we want some of that. So Australia has announced that it is going to be creating its own equivalent of the Cyber Safety Review Board. And we have incoming inquiries from a range of European and other countries that are looking at this model, too. We think it's resulting in impact. It's making the American people safer and more secure. And it's an honor to be here today talking with you about it.
Stephanie Pell
We'll have to leave it there for today. And thank you so much for joining me.
Robert Silvers
Thank you.
Stephanie Pell
The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts.
Look out for our other podcasts, including Rational Security, Chatter, Allies, and The Aftermath, our latest Lawfare Presents podcast series on the government’s response to January 6th. Check out our written work at lawfaremedia.org.
The podcast is edited by Jen Patja, and your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.