(Bloomberg) — Three months ago, Microsoft Corp. issued a progress report on what it described as the largest cybersecurity engineering project in history.
Battered by its role in several major hacks, the software giant in late 2023 vowed to overhaul its cybersecurity, in a project called the Secure Future Initiative. The April report noted significant advances, including fostering a “security-first mindset” in employees and making strides in meeting engineering goals.
“Our progress will not be linear,” the report added.
It didn’t take long to prove the company’s point. On Tuesday, Microsoft accused three Chinese hacking groups, two tied to the government in Beijing, of exploiting flaws in SharePoint document management software as part of a global campaign that’s targeted businesses and government agencies, including the US Department of Education.
Attackers have exploited the flaws since July 7, according to cybersecurity researchers.
The full extent of the damage isn’t yet clear. The flaws affect SharePoint customers who run the software on their own networks (on-premises), as opposed to in the cloud. That limits potential victims — though the number could still be significant given Microsoft’s reach.
Roger Cressey, a former cybersecurity official under presidents Bill Clinton and George W. Bush, said errors at organizations as dominant as Microsoft carry high stakes, and that changes are hard to make given the company’s size.
“When you have one provider so omnipresent in our digital ecosystem, the blast radius of their mistakes is enormous,” said Cressey, a partner at Mountain Wave Ventures, whose clients include some Microsoft competitors. “It’s another reminder that Microsoft’s failure on making security a priority is impacting our national and economic security.”
Microsoft quickly rolled out patches for the flaws, though it said in a blog post Tuesday that it had “high confidence” that hackers would continue to use the flaws to attack unpatched SharePoint systems.
The intrusion is another public relations headache for a company trying to bolster its cyber defenses and reputation. Microsoft is the world’s largest software vendor, making it a target for cyber-spies and criminals. It is also the biggest seller of cybersecurity products.
“As part of the Secure Future Initiative, we’re focused on accelerating and strengthening our security incident response,” said Microsoft spokesman Frank Shaw. “In this case, we acted quickly, delivering detailed customer guidance and releasing three new security updates within 72 hours to help protect against adversary attacks.”
There’s little evidence that previous major cyberattacks tied to Microsoft have hurt the company’s bottom line. Anurag Rana, a senior analyst at Bloomberg Intelligence, said it could even help Microsoft by convincing customers to move SharePoint to the tech giant’s cloud, which he described as safer and cheaper in the long run.
What’s less clear is what impact the latest breach will have on Microsoft’s efforts to repair its cybersecurity credentials and appease long-term critics.
One of them, US Senator Ron Wyden, a Democrat from Oregon, said government agencies have become dependent on “a company that not only doesn’t care about security but is making billions of dollars selling premium cybersecurity services to address the flaws in its products.”
“Each hack caused by Microsoft’s negligence results in increased government spending on Microsoft cybersecurity services,” Wyden said in a statement, when asked to respond to the SharePoint vulnerabilities. “The government will never escape this cycle unless it stops rewarding Microsoft.”
In its April report, Microsoft described the Secure Future Initiative as an ambitious undertaking that would take years. For instance, out of 28 engineering objectives, five are nearing completion, 11 have made significant progress and Microsoft continues to work on the others.
“The threat landscape will continue to evolve, resulting in new vulnerabilities and security incidents,” according to the report. “Technology will advance, creating new ways to improve security and new issues to address. Each of these is an opportunity to work with our customers and the industry to strengthen our collective defenses.”
–With assistance from Jake Bleiberg.