'I just don’t trust what you’re saying': Lawmakers grill Microsoft executive on cyber lapses

“I'm sorry, I just for some reason, I just don't trust what you're saying to me,” Rep. Carlos Gimenez (R-Fla.) said Thursday to Smith.

Microsoft President Brad Smith came to Congress on Thursday determined to win back lawmakers' trust following a sweeping Chinese hack into U.S. networks last summer — but he may not have helped the tech giant’s case.

Multiple lawmakers on the House Homeland Security Committee pressed Smith about whether he was being transparent about the company’s response to the breach, other recent security lapses, and its continued business in China.

“I'm sorry, I just for some reason, I just don't trust what you're saying to me,” Rep. Carlos Gimenez (R-Fla.) said Thursday to Smith, during a heated exchange about whether Microsoft's work in China leaves it more vulnerable to the country’s intelligence services.

The hearing came as Microsoft faces rising scrutiny on the Hill for its cybersecurity practices, which some argue are endangering U.S. national security.

It focused on a scathing government report this April that concluded Microsoft had committed a “cascade” of avoidable errors in the summer hack, easing the way for Chinese hackers to steal unclassified emails from top U.S. officials. Shortly after that report was published, the Cybersecurity and Infrastructure Security Agency warned other federal agencies that another hack of Microsoft products had allowed Russian hackers to siphon off more emails from U.S. officials.

Smith, the lone witness at the hearing, attempted to defuse some of that frustration by taking ownership of all of the errors called out in the Cyber Safety Review Board’s April report.

“I think the most important thing for me to say, the most important thing for me to write in my written testimony, is that we accept responsibility for each and every finding in the CSRB report,” he said.

But many lawmakers appeared to leave the hearing with greater doubts about the company.

At one point, Rep. Clay Higgins (R-La.) pressed Smith about why Microsoft was slow to correct information it had published on the hack that it later determined was misleading — a key finding of the report.

When Smith said the company hesitated because it didn’t consider the new information “actionable,” Higgins shot back: “That answer does not encourage trust.”

Smith’s task was made harder by the publication Thursday of a damning ProPublica investigation, which found that Microsoft for years failed to address a design flaw in its cloud computing products. In 2020, Russian hackers exploited that issue as part of a campaign to penetrate nine federal agencies and roughly 100 companies.

“My concerns about whether we can rely on Microsoft to be transparent were heightened this morning when I read a ProPublica article,” Rep. Bennie Thompson (D-Miss.), the ranking member of the committee, said Thursday during his opening statement.

Repeated questions on the article from other lawmakers appeared to rankle Smith, in a rare moment of frustration for the normally unflappable executive.

“This is the classic, ‘let's have an article published the morning of a hearing so we can spend the hearing talking about it,’” Smith retorted following a pointed question on the article from Rep. Delia Ramirez (D-Ill.).

Despite the scrutiny, several lawmakers argued it was not fair to pin all the blame on Microsoft.

Many said they were encouraged by steps the company has made in recent months to overhaul its security, including a new commitment unveiled Thursday to tie the bonuses of the company’s senior leadership team to cybersecurity.

“That’s encouraging,” Rep. Mark Green (R-Tenn.), the chair of the committee, said after hearing Smith’s explanation of the new compensation plan.

Another common flashpoint for lawmakers Thursday was indirectly linked to cybersecurity: whether Microsoft-run data and research centers in China exposed U.S. technology to Chinese espionage.

Smith argued that the company’s business there represents a small portion of its revenue, and it helps protect the intellectual property of U.S. companies there.

But Gimenez was incredulous at Smith’s deflections about how the company avoids complying with a 2017 law that requires individuals and businesses operating in China to assist the country’s intelligence services.

“You operate in China and you're sitting there telling me that you don't have to comply with the laws of China?” Gimenez asked.