{"id":1495,"date":"2023-07-20T15:04:25","date_gmt":"2023-07-20T15:04:25","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=75690"},"modified":"2023-07-20T15:04:25","modified_gmt":"2023-07-20T15:04:25","slug":"three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/07\/20\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services\/","title":{"rendered":"Three key unanswered questions about the Chinese breach of Microsoft cloud services"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Three key unanswered questions about the Chinese breach of Microsoft cloud services | CyberScoop<\/title> <meta name=\"description\" content=\"Repeated breaches of cloud computing services makes understanding a recent incident affecting Microsoft essential.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/microsoft-cloud-breach-china\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Three key unanswered questions about the Chinese breach of Microsoft cloud services\"> <meta property=\"og:description\" content=\"Repeated breaches of cloud computing services makes understanding a recent incident affecting Microsoft essential.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/microsoft-cloud-breach-china\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2023-07-20T15:04:25+00:00\"> <meta property=\"article:modified_time\" 
content=\"2023-07-20T15:04:26+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services-1.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"eliasgroll\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1689625837g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1686856099g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1689862762g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=008d053dcbaaeb47b822\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/75690\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" 
href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<link rel=\"wlwmanifest\" type=\"application\/wlwmanifest+xml\" href=\"https:\/\/cyberscoop.com\/wp-includes\/wlwmanifest.xml\">\n<meta name=\"generator\" content=\"WordPress 6.2.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=75690\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-cloud-breach-china%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-cloud-breach-china%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-75690 single-format-standard\" id=\"readabilityBody\"> <svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-dark-grayscale\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0 0.49803921568627\" \/><feFuncG type=\"table\" tableValues=\"0 0.49803921568627\" \/><feFuncB type=\"table\" tableValues=\"0 0.49803921568627\" 
\/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-grayscale\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0 1\" \/><feFuncG type=\"table\" tableValues=\"0 1\" \/><feFuncB type=\"table\" tableValues=\"0 1\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-purple-yellow\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0.54901960784314 0.98823529411765\" \/><feFuncG type=\"table\" tableValues=\"0 1\" \/><feFuncB type=\"table\" tableValues=\"0.71764705882353 0.25490196078431\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-blue-red\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0 1\" \/><feFuncG type=\"table\" tableValues=\"0 0.27843137254902\" \/><feFuncB type=\"table\" tableValues=\"0.5921568627451 
0.27843137254902\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-midnight\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0 0\" \/><feFuncG type=\"table\" tableValues=\"0 0.64705882352941\" \/><feFuncB type=\"table\" tableValues=\"0 1\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-magenta-yellow\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0.78039215686275 1\" \/><feFuncG type=\"table\" tableValues=\"0 0.94901960784314\" \/><feFuncB type=\"table\" tableValues=\"0.35294117647059 0.47058823529412\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-purple-green\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0.65098039215686 0.40392156862745\" \/><feFuncG type=\"table\" tableValues=\"0 1\" \/><feFuncB 
type=\"table\" tableValues=\"0.44705882352941 0.4\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-blue-orange\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0.098039215686275 1\" \/><feFuncG type=\"table\" tableValues=\"0 0.66274509803922\" \/><feFuncB type=\"table\" tableValues=\"0.84705882352941 0.41960784313725\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg> <a href=\"https:\/\/cyberscoop.com\/microsoft-cloud-breach-china\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div 
class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.019117647059\">\n<div class=\"single-article__header-content\" readability=\"30.343220338983\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/commentary\/\"> <span>Commentary<\/span> <\/a> <\/li>\n<\/ul>\n<p> Repeated breaches of cloud computing services make understanding a recent incident affecting Microsoft essential. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services-1.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services-1.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services-1.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services-1.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services-1.jpg?resize=1536,1024 1536w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services-1.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services-1.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services-1.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services-1.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/07\/three-key-unanswered-questions-about-the-chinese-breach-of-microsoft-cloud-services-1.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> A Microsoft sign is displayed on December 7, 2022 in New York City. (Photo by Leonardo Munoz\/VIEWpress) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"68.555583730601\"><body readability=\"137.8698896157\"><\/p>\n<p>For the second time in two years, malicious hackers have taken advantage of a flaw in a cloud provider\u2019s identity service to orchestrate an intelligence coup. In 2021, Russian hackers carried out an operation that began with a supply chain attack targeting the managed service provider SolarWinds and <a href=\"https:\/\/www.atlanticcouncil.org\/in-depth-research-reports\/report\/broken-trust-lessons-from-sunburst\/\" target=\"_blank\" rel=\"noreferrer noopener\">then manipulated flawed Microsoft identity systems<\/a> to penetrate hundreds of victim organizations. 
And just last week, Microsoft <a href=\"https:\/\/cyberscoop.com\/china-hackers-email-us-government\/\" target=\"_blank\" rel=\"noreferrer noopener\">revealed another operation<\/a> \u2014 this time carried out by hackers based in China \u2014 that also <a href=\"https:\/\/cyberscoop.com\/microsoft-china-hacking-state\/\" target=\"_blank\" rel=\"noreferrer noopener\">took advantage of a flawed identity service<\/a> to access email inboxes, including those belonging to the U.S. secretary of commerce and State Department officials.<\/p>\n<p>Identity is the means of determining who can see, interact with and modify each piece of a digital workspace. Cloud infrastructure providers rely on various services to store and validate these identities. Today, these services are more important than ever as more users move to the cloud, and companies make identity a front line of defense against adversaries. Getting identity services right is essential to delivering the perceived security benefits of cloud computing.<\/p>\n<p>Both the Biden administration and technology companies have urged government and private sector entities to move their technology infrastructure into the cloud, in part out of the belief that doing so will deliver major security benefits. In 2021, for example, Microsoft President Brad Smith <a href=\"https:\/\/docs.house.gov\/meetings\/GO\/GO00\/20210226\/111251\/HHRG-117-GO00-Transcript-20210226.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">said in testimony<\/a> before the U.S. 
House of Representatives that not doing so was like \u201cleaving your keys on the kitchen table.\u201d If we extend Smith\u2019s metaphor to the most recent operation against the company, it seems that Microsoft left its own keys on the table inside its own house only to have them <a href=\"https:\/\/twitter.com\/AmitaiCo\/status\/1680955485468385281\/photo\/1\" target=\"_blank\" rel=\"noreferrer noopener\">swiped and used against 25 different customers<\/a>.<\/p>\n<p>Holding cloud providers accountable for the security of their infrastructure requires understanding what happens when critical parts of that infrastructure, and not just customer-facing products, fail. But key questions remain unanswered about just how hackers based in China were able to abuse Microsoft\u2019s systems to read the secretary of commerce\u2019s emails. If the policy community wants to hold cloud providers, including Microsoft, accountable, here are three questions that must be answered.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<h4 class=\"wp-block-heading\" id=\"h-where-did-the-attackers-obtain-a-microsoft-account-consumer-signing-msa-key\">Where did the attackers obtain a Microsoft account consumer signing (MSA) key?<\/h4>\n<p>In carrying out the recently disclosed attack, hackers based in China <a href=\"http:\/\/thehackernews.com\/2023\/07\/microsoft-bug-allowed-hackers-to-breach.html\" target=\"_blank\" rel=\"noreferrer noopener\">obtained a Microsoft account consumer signing key<\/a> that was used to forge authentication tokens for Outlook Web Access and Outlook.com. But it remains unclear how the attackers obtained the key in the first place. 
Was it obtained from a consumer or enterprise resource, a customer system or the first-party Microsoft corporate network?<\/p>\n<p>The source of this key, as much as the design flaws that allowed it to sign for tokens hither and thither, will influence our perspective on whether this incident is in fact, as one White House official has already <a href=\"https:\/\/www.reuters.com\/technology\/chinese-hackers-accessed-government-emails-microsoft-says-2023-07-12\/\" target=\"_blank\" rel=\"noreferrer noopener\">rashly labeled<\/a> it, \u201cmuch narrower\u201d than the SolarWinds\/Sunburst campaign of several years ago. Were the key and its signing power wholly within Microsoft\u2019s control, or was this another gap in the so-called \u201cshared responsibility\u201d model in which cloud users must partner with cloud providers to ensure theirs is a safe and happy fate?<\/p>\n<p>How the key was obtained may have important implications for whether and how Microsoft is held to account for this incident. The Biden administration\u2019s National Cybersecurity Strategy includes a proposal for a liability scheme, but a more recent \u201c<a href=\"https:\/\/dfrlab.org\/2023\/07\/18\/national-cybersecurity-strategy-implementation-plan-markup\/\" target=\"_blank\" rel=\"noreferrer noopener\">implementation plan<\/a>\u201d has walked that back to a White House-hosted conference sometime next year. However, there is a program on the books today that the administration could use to hold Microsoft and other cloud providers accountable for the secure design of their infrastructure \u2014 the <a href=\"https:\/\/www.justice.gov\/opa\/pr\/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative\" target=\"_blank\" rel=\"noreferrer noopener\">Civil Cyber Fraud Initiative<\/a>, which seeks to use the False Claims Act to go after government contractors that fail to follow cybersecurity standards. 
The method by which the key was obtained may shape whether the administration thinks this is a sufficiently calamitous incident to act with the tools in hand.<\/p>\n<h4 class=\"wp-block-heading\">Did the attackers use the same MSA key in multiple customer environments?<\/h4>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>A pivotal assumption underlying the cloud computing business model is that providers can reasonably ensure that customers and their data will be separated and isolated from one another. \u201cMulti-tenancy\u201d allows multiple customers to share the same cloud infrastructure, and it is the assumption upon which the economics of cloud computing are based. It assumes that Wells Fargo, Waymo and Wegmans data can share the same computing infrastructure, transit the same network, without Wells Fargo, Waymo or Wegmans being able to peek at their neighbors. To break this assumption would violate the prime directive that one customer must not be able to intrude on the activities of another.<\/p>\n<p>In this incident, was an MSA key associated with one customer used to access the environment of many different customers? Put another way, did Microsoft promise to give every neighbor in the building a separate lock, then start lending out a master key for anyone to use because it was easier on building management? 
If Microsoft failed to maintain this separation, it may highlight another crack in the multi-tenant model and raise concerns about an important economic assumption underlying cloud computing offered by all companies and cut into revenues at a moment of critical competition, especially between Microsoft and Google.<\/p>\n<h4 class=\"wp-block-heading\">Did the attackers use this key or the other revealed flaws in Microsoft\u2019s cloud identity infrastructure to move between Office 365 Government and Office 365 Commercial?<\/h4>\n<p>Customers affected by the recently disclosed incident include both private sector entities and government agencies. These agencies supposedly have a different cloud available to them \u2014 Office 365 Government \u2014 than private sector clients. Cloud services can be offered together on the widely available \u201cpublic cloud\u201d or grouped together into \u201ccommunity\u201d or \u201cprivate\u201d clouds. These community clouds, like Office 365 Government, are supposed to be \u201c<a href=\"https:\/\/learn.microsoft.com\/en-us\/office365\/servicedescriptions\/office-365-platform-service-description\/office-365-us-government\/office-365-us-government\" target=\"_blank\" rel=\"noreferrer noopener\">logically segregated<\/a>\u201d \u2014 isolated from a public cloud much like one tenant is supposed to be isolated from its neighbors. This is a substitute for physically separating cloud infrastructure, a model pioneered by Amazon Web Services as a way to save money instead of building government-only data centers and infrastructure.<\/p>\n<p>Here, did the attackers use the same key to compromise accounts in both Office 365 Government and Office 365 Commercial? If so, why was a signing key from Office 365 Commercial allowed to sign tokens in Office 365 Government?<\/p>\n<p>If the attackers did not use the same key to target both Microsoft\u2019s government and commercial offerings, did the hackers target solely personal accounts? 
Or were senior U.S. government officials being allowed to use Microsoft resources outside of the FedRAMP approved offerings for their agency?<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>If an attacker was able to target both government and public clouds, it undermines the premise of logical isolation between these infrastructures, which cloud service providers have relied on to sell government-only \u201ccommunity clouds.\u201d This has harsh business implications but might force a useful reckoning of the extent to which these isolated clouds are useful for all but the most secretive and sensitive customers.<\/p>\n<p>If cloud service providers cannot reliably separate their infrastructure logically into \u201chigh\u201d and \u201clow\u201d security under existing models, then governments might have to determine, in partnership with the private sector, how to ensure adequate security of all cloud infrastructure for use by private and public sector users alike, physically separating only a small number of defense and intelligence community clouds.<\/p>\n<h4 class=\"wp-block-heading\">Policy for securing cloud systems<\/h4>\n<p>The flaws discovered in Microsoft\u2019s cloud services \u2014 both here and in SolarWinds\/Sunburst \u2014 are design flaws in the infrastructure of Microsoft\u2019s cloud service. They are the sorts of architectural flaws that any cloud provider might be subject to, like a missing support beam that causes a building to collapse with just the right wind. Just because customers may not be able to resolve them with a patch as with many other software vulnerabilities does not mean transparency, accurate recording, and action to address them are not important. 
These kinds of infrastructure flaws should be the new focus for cloud policy, requiring that regulators hold companies accountable for choices they make in the design of their infrastructure, not just the security outcomes of their products.<\/p>\n<p>It will require tremendous focus from the White House to bring companies to the table to talk about <em>how<\/em> they make these design choices and then hold firms accountable for those choices using existing authorities. This will require adapted policy tools from Congress to perfect, but it\u2019s an effort the administration can start tomorrow with the authorities and resources they already have.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>With a measure of accountability, the cybersecurity community and policymakers can ensure that next time malicious hackers attack cloud infrastructure the flaws are smaller and harder to exploit, the attackers are more rapidly detected and the compromise of a cloud service is less consequential.<\/p>\n<p>If the cloud is as important as documents such as <a href=\"https:\/\/www.lawfaremedia.org\/article\/everything-you-need-know-about-new-executive-order-cybersecurity\" target=\"_blank\" rel=\"noreferrer noopener\">EO 14028<\/a> and the <a href=\"https:\/\/www.atlanticcouncil.org\/content-series\/tech-at-the-leading-edge\/the-us-national-cybersecurity-strategy-mark-up\/\" target=\"_blank\" rel=\"noreferrer noopener\">National Cybersecurity Strategy<\/a> would have you believe, then there\u2019s no time to waste.<\/p>\n<p><em>Dr. 
Trey Herr is the director of the Atlantic Council\u2019s Cyber Statecraft Initiative under the Digital Forensic Research Lab.<\/em><\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div 
class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/microsoft-cloud-breach-china\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Three key unanswered questions about the Chinese breach of Microsoft<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[642,271,634,280,625,643,639],"tags":[644,277,635,284,630,645,641],"class_list":["post-1495","post","type-post","status-publish","format-standard","hentry","category-brad-smith","category-china","category-cloud","category-commentary","category-microsoft","category-vulnerabilities","category-white-house","tag-brad-smith","tag-china","tag-cloud","tag-commentary","tag-microsoft","tag-vulnerabilities","tag-white-house"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/brad-smith\/\" rel=\"category tag\">Brad Smith<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cloud\/\" rel=\"category tag\">Cloud<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/commentary\/\" rel=\"category tag\">Commentary<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerabilities\/\" rel=\"category tag\">vulnerabilities<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/white-house\/\" rel=\"category tag\">White House<\/a>","tag_info":"White House","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1495"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1495\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}