In 2020, U.S. authorities discovered that state-sponsored Russian hackers had stolen sensitive government documents by exploiting a flaw in a widely used Microsoft product. The company insisted it was blameless, assigning responsibility for the incursion to its customers, who it said could have done more to defend themselves, and to the intelligence community, which it said failed to flag the risk.
Multiple government watchdogs and congressional committees investigated the so-called SolarWinds hack, among the most damaging ever to strike the U.S., but found little to challenge Microsoft’s narrative. Considering the matter closed, Washington moved on.
SolarWinds, however, was not a one-off. In the months and years following the attack, weaknesses in Microsoft’s products provided entrée for hackers in one intrusion after another, prompting ProPublica reporter Renee Dudley to start digging. She was driven by the fact that Microsoft had grown to become the world’s largest cybersecurity company even as its own products contained the vulnerabilities that enabled America’s adversaries to strike. Her instincts proved correct.
What Dudley found upended the public understanding of SolarWinds and exposed a corporate culture that prioritized profits over customer security — a finding with grave implications for everyone who uses Microsoft’s ubiquitous products, including the federal government.
Dudley found that years before the SolarWinds attack, a Microsoft engineer, Andrew Harris, had repeatedly warned company leaders about the critical flaw that the Russians would ultimately exploit. But the company refused to address it for fear of losing lucrative government contracts and surrendering its business edge to competitors — a decision that left federal agencies vulnerable. While many media organizations had covered the SolarWinds attack after authorities discovered it in late 2020, Dudley’s story was, as one lawmaker later put it, a “bombshell.” Until her piece, no one had examined the central role that Microsoft played in the hack.
Microsoft’s “business-first” culture, as the engineer put it, went undiscovered for years, in part because of the federal government’s own failure to dig deeper. In fact, the federal Cyber Safety Review Board, which President Joe Biden created for the express purpose of investigating SolarWinds, declined to do so. ProPublica made a significant contribution here by revealing the lengths the board took to avoid its mandate. A SolarWinds review, an official said at the time, would be “duplicative of prior work and an imprudent use of resources.”
ProPublica’s reporting showed just how wrong that assessment was. Biden ultimately turned to Microsoft to help bolster the nation’s cyber defenses — an announcement that garnered hardly any media coverage. But as Dudley reported in the third story of our series, the invitation enabled the company to capitalize on a crisis of its own making to secure billions in deals with the federal government, the biggest victim of the attack.
Together, the work represents an extraordinary feat of technology reporting that sheds new light on the dire state of modern cybersecurity and holds to account a company whose products are increasingly integral to protecting the nation’s secrets.