Microsoft’s president told Congress on Thursday his company accepted responsibility for major security failures that let China-linked hackers penetrate federal government computer networks, but defended his company’s presence in China.
Brad Smith struck a humble tone in his testimony before the House Homeland Security Committee and promised that the giant tech firm would fix security gaps in its products, which are widely used across federal agencies.
Republican lawmakers, however, focused on Microsoft’s activities in China, questioning how the company could shore up its cybersecurity while also operating in a country where the government demands access to data from businesses and other organizations.
Smith said Microsoft runs data centers and cloud services in China mainly for American and other non-Chinese corporations, which he said helps protect their trade secrets. Smith also said Microsoft’s business in China accounts for only about 1.4% to 1.5% of the company’s revenue.
Rep. Carlos Gimenez, R-Fla., then asked: “Is it really worth it?”
Smith said his company does not comply with a 2017 Chinese national intelligence law requiring firms to hand over information requested by the government and that his company has refused some requests from Beijing, though he did not offer details.
Gimenez asked how Microsoft could manage to defy the law: “Do you have a waiver from the Chinese government saying you don’t have to comply with this law?”
Smith said there are countries that apply every law they enact and others that do not, and that China was in the latter category.
He added: “I will tell you that there are days when questions are put to Microsoft and they come across my desk and I say, ‘No, [the company] will not do certain things.’”
Lawmakers organized the hearing after a scathing government report in April found “a cascade of errors” by Microsoft allowed state-backed Chinese hackers to break into email accounts used by government employees and senior officials. Hackers were able to penetrate the State Department’s network and hack the email of Commerce Secretary Gina Raimondo.
The report from the Cyber Safety Review Board, established in 2022 by the Department of Homeland Security, concluded the breach was “preventable” and blamed a “series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management.”
Smith said Microsoft fully accepted the report’s findings and is enacting its recommendations. The company has deployed roughly 34,000 engineers to focus on security, which he called “the single largest cybersecurity engineering project in the history of digital technology.”
Asked more than once if Microsoft had lost sight of the importance of security, Smith said that was not the case. But he said much of the workforce became too reliant on a large team of security experts to tackle possible cyberthreats, instead of viewing it as a collective responsibility.
Smith said that “it became possible to think that they could rely on those people alone to do a job that we all needed to do together.”
Lawmakers recently received a classified briefing on the security breaches linked to Microsoft’s failures, sources with direct knowledge of the matter told NBC News.
On Wednesday an official from the federal government’s top cybersecurity agency replied to a letter from Sen. Rick Scott, R-Fla., telling him that CISA “has made tremendous progress” in strengthening U.S. cyber defense. Scott asked the Cybersecurity and Infrastructure Security Agency about the ongoing hacks by Russian state actors against Microsoft and other companies that contract with the federal government.
“CISA will continue to act with urgency to defend federal networks and critical infrastructure from our adversaries,” wrote Charles Abernathy, CISA's director of legislative affairs. “This work will require investments — in technology, in people, and in partnerships.”
Democrats at Thursday's hearing said the government’s heavy reliance on Microsoft has made federal agencies more vulnerable to cyberattacks and espionage. Sen. Ron Wyden, D-Ore., has proposed legislation designed to make information technology contracts more competitive and require tech firms to ensure their software can operate with other companies’ products.
“It’s time to break the chokehold of big tech companies like Microsoft on government software, set high cybersecurity standards and reap the many benefits of a competitive market,” Wyden said when he introduced the bill.
Sen. John Cornyn, R-Texas, told NBC News earlier that Microsoft has “got a powerful economic incentive” to fix its security problems. “It’s got a reputation to uphold,” he said.
