US lawmakers grill Microsoft president over China ties, hacks

By Zeba Siddiqui

WASHINGTON (Reuters) -Microsoft President Brad Smith fielded questions about the tech giant's security practices and ties to China at a House homeland security panel on Thursday, a year after alleged China-linked hackers spied on federal emails by hacking the firm.

The hackers accessed 60,000 U.S. State Department emails by breaking into Microsoft's systems last summer, while Russia-linked cybercriminals separately spied on Microsoft's senior staff emails this year, according to the company's disclosures.

The congressional hearing comes amid increasing federal scrutiny over Microsoft, the world's biggest software-maker, which is also a key vendor to the U.S. government and national security establishment. Microsoft's business accounts for around 3% of the U.S. federal IT budget, Smith said at the hearing.

Lawmakers grilled Microsoft for its inability to prevent both the Russian and Chinese hacks, which they said put federal networks at risk despite not using sophisticated means.

The company emails Russian hackers accessed also "included correspondence with government officials," Democrat Bennie Thompson said.

"Microsoft is one of the federal government's most important technology and security partners, but we cannot afford to allow the importance of that relationship to enable complacency or interfere with our oversight," he added.

Lawmakers drew on the findings of a scathing report in April by the Cyber Safety Review Board (CSRB) - a group of experts formed by U.S. Secretary of Homeland Security Alejandro Mayorkas - which slammed Microsoft for its lack of transparency over the China hack, calling it preventable.

"We accept responsibility for each and every finding in the CSRB report," Smith said at the hearing, adding that Microsoft had begun acting on a majority of the report's recommendations.

"We're dealing with formidable foes in China, Russia, North Korea, Iran, and they're getting better," said Smith. "They're getting more aggressive ... They're waging attacks at an extraordinary rate."

Thompson criticised Smith's company for failing to detect the hack, which was discovered instead by the U.S. State Department. Smith responded saying: "That's the way it should work. No one entity in the ecosystem can see everything."

But Congressman Thompson was not convinced.

"It's not our job to find the culprits. That's what we're paying you for," Thompson said.

Panel members also probed Smith for details on Microsoft's business in China, noting that it had invested heavily in setting up research incentives there.

"Microsoft's presence in China creates a mix of complex challenges and risks," said Congressman Mark Green from Mississippi, who chaired the panel.

Microsoft earns around 1.5% of its revenue from China and is working to reduce its engineering presence there, said Smith.

The company has faced heightened criticism from its security industry peers over the past year over the breaches and lack of transparency.

Smith's responses at the hearing earned praise from some on the panel, such as Republican Congresswoman Marjorie Taylor Greene. "You said you accept a responsibility, and I just want to commend you for that," Greene told him.

Following the board's criticisms, Microsoft had said it was working on improving its processes and enforcing security benchmarks. In November it launched a new cybersecurity initiative and said it was making security the company's top priority "above all else - over all other features."

(Reporting by Zeba Siddiqui; Additional reporting by Christopher Bing; Editing by Sandra Maler and Nick Zieminski)