{"id":1993,"date":"2023-11-02T15:47:00","date_gmt":"2023-11-02T15:47:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=77887"},"modified":"2023-11-02T15:47:00","modified_gmt":"2023-11-02T15:47:00","slug":"microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/11\/02\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach\/","title":{"rendered":"Microsoft upgrades security for signing keys in wake of Chinese breach"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Microsoft upgrades security for signing keys in wake of Chinese breach | CyberScoop<\/title> <meta name=\"description\" content=\"Policymakers and researchers have sharply criticized Microsoft\u2019s security practices after an illicitly obtained key enabled a wide-ranging espionage operation.&nbsp;\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/microsoft-upgrades-security-for-signing-key-in-wake-of-chinese-breach\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Microsoft upgrades security for signing keys in wake of Chinese breach\"> <meta property=\"og:description\" content=\"Policymakers and researchers have sharply criticized Microsoft\u2019s security practices after an illicitly obtained key enabled a wide-ranging espionage operation.&nbsp;\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/microsoft-upgrades-security-for-signing-key-in-wake-of-chinese-breach\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta 
property=\"article:published_time\" content=\"2023-11-02T15:47:00+00:00\"> <meta property=\"article:modified_time\" content=\"2023-11-02T16:07:04+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach-1.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1135\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1698677826g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1699042052g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1698989400g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7dab012cdc88b5676610\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" 
type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/77887\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.3.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=77887\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-upgrades-security-for-signing-key-in-wake-of-chinese-breach%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-upgrades-security-for-signing-key-in-wake-of-chinese-breach%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-77887 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/microsoft-upgrades-security-for-signing-key-in-wake-of-chinese-breach\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad 
ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.08358662614\">\n<div class=\"single-article__header-content\" readability=\"30.494845360825\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/technology\/\"> <span>Technology<\/span> <\/a> <\/li>\n<\/ul>\n<p> Policymakers and researchers have sharply criticized Microsoft\u2019s security practices after an illicitly obtained key enabled a wide-ranging espionage operation.&nbsp; <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"378\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach.jpg?resize=640%2C378&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach-1.jpg 1920w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach-1.jpg?resize=300,177 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach-1.jpg?resize=768,454 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach-1.jpg?resize=1024,605 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach-1.jpg?resize=1536,908 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach-1.jpg?resize=600,355 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach-1.jpg?resize=284,168 284w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach-1.jpg?resize=570,337 570w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach-1.jpg?resize=1142,675 1142w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/microsoft-upgrades-security-for-signing-keys-in-wake-of-chinese-breach-1.jpg?resize=1426,843 1426w\" sizes=\"(max-width: 1142px) 100vw, 1142px\"><figcaption> (Photo by Peter Dazeley\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"31.261897498475\"><body readability=\"63.732742241925\"><\/p>\n<p>Microsoft announced on Thursday that it will update security protections for signing keys after coming under criticism from policymakers that deficient security controls allowed <a href=\"https:\/\/cyberscoop.com\/microsoft-china-hacking-state\/\">Chinese 
hackers to steal a cryptographic signing key<\/a>, an incident that facilitated an espionage campaign <a href=\"https:\/\/cyberscoop.com\/microsoft-china-signing-key\/\">targeting senior U.S. officials<\/a>.<\/p>\n<p>To combat hacking campaigns targeting the identity of users, Microsoft said it would move signing keys into a so-called \u201chardware security module,\u201d which is a specialized piece of equipment used to store sensitive cryptographic keys.&nbsp;<\/p>\n<p>Critics of the company, including Sen. Ron Wyden, D-Ore., have blasted Microsoft for what they see as its negligent approach to security, and have seized on its failure to store signing keys in hardware security modules as a particular point of weakness in the company\u2019s security practices.<\/p>\n<p>A spokesman for Microsoft told CyberScoop that the moves toward using hardware security modules to store signing keys are \u201cnot specific to one event but are a reflection of a changing landscape and a commitment to better safeguard customers in unprecedented times.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Thursday\u2019s announcement is part of a series of changes Microsoft is branding as its \u201cSecure Future Initiative,\u201d and comes in response to continued innovation and aggression from highly resourced nation-state hacking campaigns, Brad Smith, the company\u2019s vice chair and president, said in a <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2023\/11\/02\/secure-future-initiative-sfi-cybersecurity-cyberattacks\/\">blog post<\/a>.<\/p>\n<p>The company <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/11\/02\/announcing-microsoft-secure-future-initiative-to-advance-security-engineering\/\">said in a separate blog post<\/a> that it will be moving \u201cidentity signing keys to an integrated, hardened Azure HSM and confidential computing infrastructure,\u201d 
so that \u201csigning keys are not only encrypted at rest and in transit, but also during computational processes as well. Key rotation will also be automated allowing high-frequency key replacement with no potential for human access, whatsoever.\u201d&nbsp;<\/p>\n<p>Smith pointed to the company\u2019s revelations in May of an extensive hacking campaign tied to China\u2019s targeting of critical infrastructure entities in Guam and the U.S. as an example of the advanced techniques Thursday\u2019s announcements are designed to address, and noted the targeting of \u201ccloud services infrastructure, including at Microsoft.\u201d&nbsp;<\/p>\n<p>Computer security researchers have sharply criticized Microsoft for its approach to key management after an operation linked to China was able to obtain tens of thousands of U.S. government emails this summer after <a href=\"https:\/\/cyberscoop.com\/microsoft-ai-exposed-data-github\/\">illicitly obtaining a signing key<\/a>.&nbsp;<\/p>\n<p>Industry experts and government officials demanded to know why Microsoft had designed its systems to allow for such a breach. 
Members of Congress have called for investigations, and the Department of Homeland Security\u2019s Cyber Safety Review Board said in August that it would review the matter as part of a broader look at securing cloud environments.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In a <a href=\"https:\/\/www.wyden.senate.gov\/imo\/media\/doc\/wyden_letter_to_cisa_doj_ftc_re_2023_microsoft_breach.pdf\">July letter<\/a>, Wyden urged the DHS\u2019 Cybersecurity and Infrastructure Security Agency, the Department of Justice and the Federal Trade Commission to \u201ctake action to hold Microsoft responsible for its negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"0.45378151260504\">\n<div class=\"author-card\" readability=\"7\">\n<p><h4 class=\"author-card__name\">Written by Elias Groll and AJ Vicens<\/h4>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 
class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/microsoft-upgrades-security-for-signing-key-in-wake-of-chinese-breach\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft upgrades security for signing keys in wake of 
Chinese<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[613,271,293,625,310,288],"tags":[618,277,299,630,311,294],"class_list":["post-1993","post","type-post","status-publish","format-standard","hentry","category-authentication","category-china","category-department-of-homeland-security-dhs","category-microsoft","category-technology","category-threats","tag-authentication","tag-china","tag-department-of-homeland-security-dhs","tag-microsoft","tag-technology","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/authentication\/\" rel=\"category tag\">authentication<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-homeland-security-dhs\/\" rel=\"category tag\">Department of Homeland Security (DHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category 
tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1993"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1993\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1993"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}