Comments
TECH SECURITY - Microsoft hired Andrew Harris for his extraordinary skill in keeping hackers out of the nation’s most sensitive computer networks. In 2016, Harris was hard at work on a mystifying incident in which intruders had somehow penetrated a major U.S. tech company.
The breach troubled Harris for two reasons. First, it involved the company’s cloud — a virtual storehouse typically containing an organization’s most sensitive data. Second, the attackers had pulled it off in a way that left little trace.
He retreated to his home office to “war game” possible scenarios, stress-testing the various software products that could have been compromised.
Early on, he focused on a Microsoft application that ensured users had permission to log on to cloud-based programs, the cyber equivalent of an officer checking passports at a border. It was there, after months of research, that he found something seriously wrong.
The product, which was used by millions of people to log on to their work computers, contained a flaw that could allow attackers to masquerade as legitimate employees and rummage through victims’ “crown jewels” — national security secrets, corporate intellectual property, embarrassing personal emails — all without tripping alarms.
To Harris, who had previously spent nearly seven years working for the Defense Department, it was a security nightmare. Anyone using the software was exposed, regardless of whether they used Microsoft or another cloud provider such as Amazon. But Harris was most concerned about the federal government and the implications of his discovery for national security. He flagged the issue to his colleagues.
They saw it differently, Harris said. The federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing.
Harris said he pleaded with the company for several years to address the flaw in the product, a ProPublica investigation has found. But at every turn, Microsoft dismissed his warnings, telling him they would work on a long-term alternative — leaving cloud services around the globe vulnerable to attack in the meantime.
Harris was certain someone would figure out how to exploit the weakness. He’d come up with a temporary solution, but it required customers to turn off one of Microsoft’s most convenient and popular features: the ability to access nearly every program used at work with a single logon.
He scrambled to alert some of the company’s most sensitive customers about the threat and personally oversaw the fix for the New York Police Department. Frustrated by Microsoft’s inaction, he left the company in August 2020.
(Renee Dudley is a tech reporter at ProPublica. Before joining ProPublica in 2018, she was a member of the enterprise team at Reuters, where she reported extensively on issues with college-entrance exams. She uncovered a U.S. higher education admissions system corrupted by systematic cheating on standardized tests. Following public outcry over the use of leaked SAT exams and other issues Reuters uncovered, the test's maker vowed to fix the problems. The series was named a 2017 Pulitzer Prize finalist in National Reporting. This article was first featured in ProPublica.org.)
