Modern Warfare

The Bloomberg piece on which this article is based can be accessed via the website

Pentagon Has a Huawei Dilemma Congress Doesn’t Want to Solve
Subhead: Military pushes to waive ban on anyone using Huawei equipment


The Pentagon has a problem: How does one of the world’s largest employers avoid doing business with companies that rely on China’s Huawei Technologies Co., the world’s largest telecommunications provider?

So far, the Defense Department is saying that it can’t, despite a 2019 US law that barred it from contracting with anyone who uses Huawei equipment. The Pentagon’s push for an exemption is provoking a fresh showdown with Congress that defense officials warn could jeopardize national security if not resolved.

As it has done since the law was passed more than five years ago, the Pentagon is seeking a formal waiver to its obligations under Section 889 of the 2019 National Defense Authorization Act, which barred government agencies from signing contracts with entities that use Huawei components.


Ahem, Microsoft ought to know a thing or two about security lapses :wink:

CISA published a report shortly before Easter, on 3/20/24, regarding the security breaches detected in June 2023 (source)

Review of the Summer 2023 Microsoft Exchange Online Intrusion

Makes for very interesting reading, given it looks like Microsoft can’t explain how the signing keys were “lost” and whether these are the only keys that were lost. The lost key had been issued in 2016, so it’s unclear how long the threat actors were in possession of it before the intrusion was detected last June.

In May and June 2023, a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The actor—known as Storm-0558 and assessed to be affiliated with the People’s Republic of China in pursuit of espionage objectives—accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon.

Signing keys, used for secure authentication into remote systems, are the cryptographic equivalent of crown jewels for any cloud service provider. As occurred in the course of this incident, an adversary in possession of a valid signing key can grant itself permission to access any information or systems within that key’s domain. A single key’s reach can be enormous, and in this case the stolen key had extraordinary power. In fact, when combined with another flaw in Microsoft’s authentication system, the key permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world. As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key.

Reading between the lines, Microsoft could be seen as initially stonewalling

In response to Microsoft’s blogs, Wiz, a cloud security company, launched a limited independent review of the incident. Wiz concluded that the compromised 2016 MSA key could sign access tokens for many types of applications, far beyond Microsoft’s initial reporting. For Wiz, this revelation underscored the need for a broader awareness and proactive measures across all affected stakeholders. CISA also conducted an in-depth review of Microsoft’s public statements. CISA’s findings pointed to the need for greater clarity and transparency from Microsoft about the initial compromise’s blast radius, token scope, and impact. Specifically, CISA noted information gaps in what additional capabilities the stolen key granted the threat actor, Microsoft’s incident response measures, and the potential for threat actors to access internal servers or additional key material.
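The CSRB excerpt above describes the core failure: a signing key whose reach extends to "any information or systems within that key's domain", and a verifier that did not tie the key to the scope it was meant for. The following Python script is an added illustration, not code from the report, Microsoft, Wiz or this thread. It builds JWT-shaped tokens with a toy HMAC key, then contrasts a signature-only verifier (any key in the keyring validates any token) with a scoped verifier that also checks that the key is the one authorised for the token's audience and has not passed its retirement date. All key names, secrets, audiences ("consumer", "enterprise") and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


# Hypothetical key record: every signing key carries the single audience
# ("domain") it may sign for and a retirement time. All values are constructed.
@dataclass(frozen=True)
class SigningKey:
    kid: str
    secret: bytes
    domain: str       # only tokens whose "aud" equals this may be signed by the key
    not_after: int    # unix time; tokens checked after this moment are rejected


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _dumps(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_token(key: SigningKey, claims: dict) -> str:
    """JWT-shaped token header.payload.signature using HMAC-SHA256 (toy, symmetric)."""
    signing_input = _b64(_dumps({"alg": "HS256", "kid": key.kid})) + "." + _b64(_dumps(claims))
    sig = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def _parse(token: str):
    head, body, sig = token.split(".")
    return json.loads(_unb64(head)), json.loads(_unb64(body)), _unb64(sig), head + "." + body


def verify_signature_only(token: str, keyring: dict) -> tuple:
    """Weak check: any key in the keyring validates any token, so one
    compromised key reaches every audience the keyring serves."""
    header, _claims, sig, signing_input = _parse(token)
    key = keyring.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "accepted"


def verify_scoped(token: str, keyring: dict, expected_aud: str, now: int) -> tuple:
    """Hardened check: the signature must verify, the token must target the
    audience this service expects, the key must be the one authorised for
    that audience, and the key must not be retired."""
    ok, reason = verify_signature_only(token, keyring)
    if not ok:
        return ok, reason
    header, claims, _sig, _input = _parse(token)
    key = keyring[header["kid"]]
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    if key.domain != claims["aud"]:
        return False, f"key {key.kid} not authorised for audience {claims['aud']}"
    if now > key.not_after:
        return False, f"key {key.kid} retired"
    return True, "accepted"


# Constructed keyring and tokens (not real keys, not any vendor's material).
KEYRING = {
    "consumer-2016": SigningKey("consumer-2016", b"consumer-secret", "consumer", 1_600_000_000),
    "enterprise-2023": SigningKey("enterprise-2023", b"enterprise-secret", "enterprise", 1_900_000_000),
}
NOW = 1_700_000_000

# A token for the enterprise audience signed with the consumer-domain key:
# the cross-domain case a scope-unaware verifier would wave through.
CROSS_DOMAIN_TOKEN = sign_token(KEYRING["consumer-2016"], {"sub": "alice", "aud": "enterprise"})
LEGIT_TOKEN = sign_token(KEYRING["enterprise-2023"], {"sub": "alice", "aud": "enterprise"})

if __name__ == "__main__":
    print("signature-only:", verify_signature_only(CROSS_DOMAIN_TOKEN, KEYRING))
    print("scoped, cross-domain:", verify_scoped(CROSS_DOMAIN_TOKEN, KEYRING, "enterprise", NOW))
    print("scoped, legitimate:", verify_scoped(LEGIT_TOKEN, KEYRING, "enterprise", NOW))
```

The point of the scoped verifier is blast-radius limiting: even when a key leaks, the damage is bounded to the one audience it was issued for and to the window before its retirement date, which is exactly the "token scope" and "blast radius" information the excerpt says was missing from the initial disclosure.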


By the sounds of it, CISA/CSRB (along with most of industry [1]) is deeply unhappy about the current state of affairs with MS cyber security. It seems that people are starting to realize just how much the West’s governments (and others) rely on Windows, Excel, and Azure. The USG has tried asking nicely (e.g. Congressman Ron Wyden sent a letter asking for info [2]) and now they are starting up the threaten-and-fine playbook.

The FTC is also getting into the mix, looking into the (lack of) security product bundling in standard Azure plans. [3]

Edit: On the other hand, if we lose PowerPoint it’s a net win.

[1] Srsly Risky Biz: Microsoft deserves the stick - Risky Business
[2] Risky Business #715 -- Pressure mounts on Microsoft to explain itself - Risky Business
[3] Risky Business #751 -- Snowflake, operation Endgame and Microsoft's looming FTC problem - Risky Business


“They are lazy”

1 Like