(The author is a Reuters Breakingviews columnist. The opinions expressed are his own.)

 

LONDON - Even a $1.7 trillion market capitalisation doesn’t buy immunity from hacking. Tens of thousands of organisations’ email systems have been compromised by flaws in Microsoft’s software, the company and U.S. government officials revealed last week. It’s the second massive global cybersecurity problem in just a few months.

Small-and medium-sized businesses, local governments, police departments and airports are among those whose email may have been breached. The hackers are linked to the Chinese government, according to Microsoft. Software fixes take time to roll out, and the ultimate count of victims could be far higher.

Big companies largely escaped because they more often use fully cloud-based email services. It’s Outlook accounts hosted on local servers that were affected. Cloud services should always be protected by the latest cybersecurity tools. That’s a recommendation for the cloud, potentially turning a technological embarrassment into a business benefit for Microsoft.

So-called “on-premises” setups are a weak link. A serious hack attributed to a Russian group and revealed in December, involving networking software provided by Texas-based SolarWinds, started in private systems, according to Senate testimony last month from Brad Smith, a senior Microsoft executive. The attack was detected only when hackers moved to the cloud.

Smaller, less wealthy organisations don’t necessarily have the latest hardware, software, cybersecurity tools and people in place. Baseline “cyber hygiene” is lacking even in sensitive federal agencies, Smith said. Investing in better, more up-to-date technology and processes could reduce the risk. So too could moving vulnerable services to the cloud, though even that is not infallible.

Another requirement, as Smith noted, is to share information rapidly as soon as an attack is identified. This remains an imperfect process, especially between America’s public and private sectors. Washington could do more both to incentivise and to enforce collaboration. Speaking of D.C., an effective response to cyberattacks backed by foreign governments – whether via sanctions or other means – remains elusive.

Part of the burden should also fall on software providers. The $5 billion SolarWinds’ valuation remains more than 30% below where it stood before its software’s vulnerabilities were revealed. Microsoft won’t take that kind of hit. But lawmakers may not give boss Satya Nadella a pass. And if customers and investors vote with their wallets, it’s a message that’s hard to ignore.

 

CONTEXT NEWS

- More than 20,000 U.S. organisations have been compromised through a back door installed via recently patched flaws in Microsoft's widely used email software, a person familiar with the U.S. government's response told Reuters on March 5.

- The latest hack, dating back to Jan. 6, 2021 according to information available so far, has left channels for remote access spread among credit unions, town governments and small businesses, according to records from the U.S. investigation. Tens of thousands of organisations in Asia and Europe are also affected, the records show.

- All of those affected appear to run web versions of Microsoft email client Outlook and host them on their own machines, instead of relying on cloud providers.

- Microsoft attributed the latest hacking campaign to a Chinese state-backed group known as Hafnium, operating primarily from leased virtual private servers in the United States.

- Internet security professionals remain engaged in addressing another large-scale hack, the compromise of network software made by SolarWinds that was discovered in December. Microsoft has said the two are unrelated. The SolarWinds attack has been attributed to a suspected Russian intelligence group.

(The author is a Reuters Breakingviews columnist. The opinions expressed are his own.)

(Editing by Rob Cox and Sharon Lam) ((richard.beales@thomsonreuters.com; Reuters Messaging: richard.beales.thomsonreuters.com@reuters.net))