Microsoft President Brad Smith promised to move forward with significant culture changes at the tech giant as the company accepted full responsibility for its security failures, he said in testimony Thursday before the House Committee on Homeland Security.
Smith, who also serves as vice chair, testified before lawmakers Thursday in response to a blistering report from the U.S. Cyber Safety Review Board that analyzed Microsoft’s security culture following the summer 2023 hack of Microsoft Exchange Online by a state-linked threat group.
Smith was asked repeatedly during the hearing about whether Microsoft is changing its culture to encourage workers to speak up about security concerns.
“We want a culture that encourages every employee to look for problems, find problems, report problems, help fix problems and then learn from the problems,” Smith said during questioning.
Microsoft is engaged in the largest engineering project focused on security in the history of digital technology, with the equivalent of more than 34,000 full-time engineers working on the project, Smith said.
It has approved a plan to tie annual bonuses for senior executives, in part, to cybersecurity. When Microsoft's new fiscal year starts on July 1, one-third of the individual performance for a senior leader's bonus will be based on their cybersecurity-related performance.
Security will also become part of the biannual review for all employees.
Ryan Kalember, chief strategy officer at Proofpoint, said the hearing revealed long-standing concerns about Microsoft leaving product security in the rear-view mirror in comparison to rivals like Apple, Amazon or Google.
“By prioritizing product interconnectedness over building products that are secure by design, they continually compound the security risks they create themselves, rather than compartmentalizing them,” Kalember said in a statement.
Smith came under additional criticism Thursday when ProPublica published a report about a whistleblower who alleged Microsoft ignored years of warnings from one of its own engineers about a vulnerability that allegedly led to the Sunburst attacks. That engineer, Andrew Harris, left Microsoft in 2020 and later joined rival CrowdStrike.
During the hearing, Smith said he had not had a chance to review the ProPublica report as he had been at the White House prior to the hearing.
Smith was asked if he was aware of any similar vulnerabilities that could impact product security. Smith said he was not, but “everything we’re doing is focused on finding every vulnerability that we can find.”
Smith also noted Microsoft was working to create an environment where employees are encouraged to come forward with such concerns.