Earlier this month, the U.S. Department of Homeland Security (DHS) released the Cyber Safety Review Board’s (CSRB) findings and recommendations following its independent review of the July 2023 Microsoft Exchange Online intrusion (the Intrusion), which made headlines last summer. Storm-0558 (a hacking group assessed to be affiliated with the People’s Republic of China) used forged authentication tokens, signed with a Microsoft consumer signing key that the group had acquired, to access user email from approximately 25 organisations, including government agencies, as well as related consumer accounts in the public cloud.

CSRB is a public-private partnership which empowers leading government and industry experts to independently investigate and review significant cybersecurity events and to provide independent, strategic and actionable recommendations to the US President, the Secretary of Homeland Security and the Director of the Cybersecurity and Infrastructure Security Agency (CISA), to better protect the US from cyber-attacks.

The Review

CSRB’s review detailed the operational and strategic decisions that led to the Intrusion and recommended a number of specific security practices (see below) intended to ensure that an intrusion of this magnitude does not happen again.

CSRB also conducted a broader review of issues relating to cloud-based identity and authentication infrastructure affecting cloud service providers (CSPs) and their customers. It collected data from, and conducted interviews with, around 20 organisations and experts, including cybersecurity and technology companies, law enforcement organisations, security researchers, academics and several impacted organisations, and developed actionable findings and recommendations which all CSPs should take note of, irrespective of their size or location.

The CSRB’s review found that the Intrusion was preventable. It identified a series of operational and strategic decisions by Microsoft that collectively illustrated a corporate culture that deprioritised enterprise security investments and rigorous risk management, at odds with Microsoft’s central position in the technology ecosystem and the level of trust customers place in it to protect their data and operations. The CSRB recommended that Microsoft develop and publicly share a plan, with specific timelines, to make fundamental, security-focused reforms across the company and its suite of products. Microsoft fully co-operated with the Board’s review and has published details of its remediation measures on its website.

A full copy of the CSRB report is available here. Microsoft also completed its own comprehensive technical investigation into the Intrusion which is available here.

CSP Recommendations

The CSRB recommended specific actions to be taken by all CSPs and government partners to improve security and build resilience against the types of attacks conducted by Storm-0558 and associated groups. Key recommendations include:

  • CSP Cybersecurity Practices: the implementation of modern control mechanisms and baseline practices, informed by a rigorous threat model, across their digital identity and credential systems (in particular the generation, storage, rotation and scoping of signing keys) to substantially reduce the risk of system-level compromise.
  • Audit Logging Norms: the adoption of a minimum standard for default audit logging in cloud services to enable the detection, prevention and investigation of intrusions, provided as a baseline and routine service offering without additional charge.
  • Digital Identity Standards and Guidance: the implementation of emerging digital identity standards to secure cloud services against prevailing threat vectors. Relevant standards bodies should refine, update and incorporate these standards to address the digital identity risks commonly exploited in the modern threat landscape.
  • Cloud Service Provider Transparency: the adoption of incident and vulnerability disclosure practices that maximise transparency across and between CSPs, their customers, other stakeholders and the US government.
  • Victim Notification Processes: the development of more effective victim notification and support mechanisms to drive information-sharing and amplify information relevant to investigating, remediating and recovering from cybersecurity incidents.
  • Security Standards and Compliance Frameworks: the US government should update the Federal Risk and Authorization Management Program (FedRAMP) and its supporting frameworks and establish a process for conducting discretionary special reviews of the program’s authorised Cloud Service Offerings following especially high-impact incidents. The National Institute of Standards and Technology (NIST) should also incorporate feedback about observed threats and incidents relating to cloud provider security.

Following the CSRB’s recommendations, CISA plans to convene major CSPs to develop cloud security practices aligned with those recommendations, together with a process for CSPs to regularly attest to and demonstrate their alignment. The adoption of these practices should have a global impact, given the international reach and strategic importance of the major US CSPs.

UK developments

Closer to home, the UK National Cyber Security Centre’s (NCSC) 2023 annual review also emphasised the importance of ensuring that critical technologies are “secure by design” and cyber resilient, as well as supply-chain security and a “whole-of-society approach” to cybersecurity, in which government departments, businesses and industry work together in partnership to make the UK more resilient. For more information see our article here.

The UK government also plans to strengthen UK cybersecurity by expanding the UK Network and Information Systems (NIS) Regulations to apply to providers of certain “digital managed services”, potentially bringing many managed service providers (MSPs) in scope, including those that process or store confidential or business-critical data (such as CSPs). More details on these reforms are available here. This work forms part of the government’s wider £2.6 billion National Cyber Strategy, which is clear that services offered by MSPs and CSPs should be secure by default, with security embedded into organisations’ operations. These UK reforms are expected this year, timed to coincide with the national implementation of the EU’s NIS2 Directive by October 2024 (which contains even more expansive NIS reforms that also extend to MSPs and CSPs), so as to help international businesses comply with their obligations under both regimes. Watch this space for further cyber-security related updates on these reforms.