STEVE INSKEEP, HOST:
OK. Today a House committee here in Washington, questions the president of Microsoft, Brad Smith.
ROB SCHMITZ, HOST:
That's right. The Homeland Security Committee wants to know about two cyberattacks by China and Russia in the past year. A whistleblower is also talking about a 2020 Russian hack that accessed the networks of around 100 companies and U.S. government agencies, like the department that maintains the nuclear weapons stockpile. The whistleblower said Microsoft had a chance to prevent what was called the SolarWinds cyberattack. And in prepared testimony, Microsoft's president says the company accepts responsibility for every issue cited in a highly critical government report.
INSKEEP: Renee Dudley is a ProPublica reporter whose investigation is out today. Welcome to the program.
RENEE DUDLEY: Thanks for having me.
INSKEEP: OK. I was just yesterday explaining to my kids the way that Microsoft software is throughout our lives. It's used all over the place. And now you've got this whistleblower, Andrew Harris, who said they had a security flaw. What was it?
DUDLEY: So Andrew Harris said that when he was a Microsoft employee a few years ago, he discovered the security weakness in a product that many customers, including the U.S. government, used to log on to their devices. This flaw could allow hackers to masquerade as legitimate employees and rummage through victims' most sensitive data all without tripping alarms. He said he repeatedly raised these concerns about this flaw to his colleagues inside Microsoft, but at every turn, they dismissed him. They said addressing this flaw would undermine their business goals. He was so frustrated that he quit his job in August 2020. Then four months later, the SolarWinds hack, the biggest hack in U.S. history, was discovered. Russian spies exploited this very flaw that Harris had warned about to breach government agencies.
INSKEEP: How could it be that fixing a security flaw would get in the way of the company's business goals?
DUDLEY: I was very interested in that question. And one of the places that I focused on was the MSRC, which is short for Microsoft Security Response Center. This center is like a clearing house for reports of security bugs, and it was Harris' very first stop when he began warning colleagues of the flaw that he discovered. But the issue is that the center itself was understaffed and underresourced. And one employee who used to work there told me that staff is trained to think of cases in terms of how can I get to won't fix. So this center also clashed with the product teams.
INSKEEP: Wait, what does that mean? How can I get to won't fix?
DUDLEY: They were looking for excuses to not address the reports of weaknesses that security researchers like Andrew Harris brought to them. They had so much volume dealing with hundreds or even thousands of reports of weaknesses a month, and they just didn't have the staff or the resources to get to them all. And, you know, another big issue there is that they're clashing with the product teams that they need to fix the actual issues. So they would bring a security vulnerability to a product group. They'd say, you need to fix this flaw. But those groups were often unmotivated to act fast, if at all, because compensation is tied to the release of new products and features.
INSKEEP: OK, so you reveal all of this about the SolarWinds hack back in 2020. What, if anything, is Microsoft saying about your reporting?
DUDLEY: They dispute nothing. They said that their No. 1 priority is customer security. And today, we'll hear from Brad Smith, Microsoft's president, at a hearing before Congress.
INSKEEP: Renee Dudley is a reporter with ProPublica. Thanks so much.
DUDLEY: Thanks very much for having me.
INSKEEP: And we'll note, Microsoft is one of NPR's sponsors, and as you may have just noticed, we cover them as we would any other company. Transcript provided by NPR, Copyright NPR.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.
