If big tech can’t safeguard itself, can it protect customers?

Former Gov. Nathan Deal says the Georgia Cyber Innovation and Training Center in Augusta will place the state on the frontlines of the critical fight to combat cybercrime. (J. SCOTT TRUBEY/strubey@ajc.com)

Former Gov. Nathan Deal says the Georgia Cyber Innovation and Training Center in Augusta will place the state on the frontlines of the critical fight to combat cybercrime. (J. SCOTT TRUBEY/strubey@ajc.com)

In mid-January, as the rest of the world turned their focus toward the weekend, a major big tech corporation quietly acknowledged another major cybersecurity breach. The attack was directed at the highest levels of its leadership by Russian state-backed hackers and had been reportedly ongoing for months.

The disclosure by Microsoft was not made in a public press release, but in a legally required regulatory report, filed with the SEC a week after the breach was detected. They followed the filing with a blog post to further explain the situation. The blog post said they “are deeply committed to sharing more information and our learnings, so that the community can benefit from both our experience and observations about the threat actor.” They conveniently forgot to mention that their commitment to transparency only plays out in legally required SEC filings.

Nathan Deal

icon to expand image

If this was a one-time event it could possibly be attributed to bad luck, but I am informed this isn’t the first time Microsoft has been hacked by foreign state-backed actors. The company has admitted that this is the third time in less than a year that our most significant global adversaries have penetrated their networks, the first two initiated by Chinese interests. All three hackings likely resulted in privileged information being handed over to Russia and China.

As the former governor of the great state of Georgia, cybersecurity has been a primary focus of my time in public service. More than 70% of all U.S. financial transactions flow through Georgia’s cyber sphere. We knew threats were evolving and worked to constantly modernize the state’s capabilities to combat them. Georgia has always led on technological innovation, so focusing on cybersecurity seemed a natural fit.

In 2015, Senators Johnny Isakson and Saxby Chambliss secured Georgia’s Fort Eisenhower as the new home for the U.S. Army’s Cyber Command. In 2016, Georgia seized the opportunity, established, and constructed the Georgia Cyber Innovation and Training Center in Augusta, creating a public-private effort between state, federal and local partners.

This center, which solidified Georgia’s place on the frontline of this critical fight, aimed to build a 21st century workforce capable of combating these growing threats, providing affordable and substantive training, and offering critical advice to policymakers. We saw a problem and got to work on solving it. We could not be more pleased with the results. I was convinced if Georgia could stand up a facility and train the best and brightest in the public and private sectors, we would be better positioned in a cyber dominated market.

In 2020, that vision was realized when Augusta’s Fort Eisenhower officially became home to the U.S. Army’s Cyber Command, the central post for all the military’s cyber operations. In Georgia we take great pride in that and are dedicated to doing our part to protect this country from these exact sorts of attacks. So cyberattacks like the one against one of the biggest big tech firms that exposed senior internal communications to the Kremlin are concerning to me, and to all Georgians.

According to Microsoft’s “Secure Future Initiative,” the growing range of cybersecurity threats from state and non-state actors across the world “require[s] a new response based on our ability to utilize our own resources and our most sophisticated technologies and practices.”

Microsoft, along with their competitors in this space, receive tens of billions of dollars in federal government contracts – taxpayer money –every year to protect our cyber infrastructure and keep Americans’ data secure. Thousands of major corporations in the United States and across the world have entrusted Microsoft with storing and protecting their data and communications. If they can’t protect themselves, how can we trust them to protect their customers? They can do better, we should require all personal data storage companies to do better.

It is estimated that by 2025, cyberattacks will dent the world economy to the tune of $10.5 trillion. While clearly a significant economic threat, the national security threat is even more disconcerting.

Our nation’s defense industry has spent trillions ensuring the United States has the military infrastructure necessary to meet the conflicts of tomorrow and our technology firms are tasked with protecting those secrets. In recent years, cyberattacks on our defense industry have only increased, including one that provided an American adversary with ‘persistent, long-term access’ to the networks of a yet-unnamed defense contractor.

While that revelation is certainly problematic, the lingering question remains - what don’t we know?

Given everything that is on the line in the global fight against cybercrime, Microsoft should voluntarily provide a far more thorough accounting of what exactly happened with this recent intrusion. By their own admission, this was a relatively basic hacking technique known as “password” spray, and it resulted from a failure to follow their own recommended security protocols.

If they – and other defense contractors and technology companies – are to be trusted with our nation’s most sensitive secrets, the American public deserves answers. Customers and clients deserve to know if their data is safe, what information was stolen from Microsoft, how the networks were accessed, if the intrusion has been entirely mitigated and addressed, and what steps have been taken to ensure this does not happen again.

Anything less than full transparency is simply not satisfactory.

Nathan Deal served as the 82nd governor of Georgia from 2011 to 2019.