Google trying to put Microsoft on the spot at SolarWinds hearing

2

Google is lobbying Senate Intelligence Committee members to use a Tuesday hearing on the SolarWinds hack to press Microsoft on whether its products had cybersecurity failures that played a role in the sprawling compromise.

Why it matters: Microsoft has faced intense scrutiny in the two months since the revelation of the SolarWinds campaign over the role of its products in spreading the hackers’ net.

The move by Google is also the latest instance of tech giants working to undermine each other at politically opportune moments. Microsoft itself has used the tactic: Last year, Microsoft President Brad Smith called for governments to increase scrutiny of the antitrust implications of how Apple and Google run their app stores. And as recently as this week, Microsoft publicly backed a push in Europe for companies like Google to pay for linking to news articles.

The hearing: The Tuesday afternoon hearing — the first public congressional inquiry into the SolarWinds breach — will focus on the role that private companies have played in discovering, analyzing and sharing information about the breaches, as well as in fixing any underlying issues in their own products.

The list: On Monday, Google offered up a list to lawmakers of more than a dozen questions that one Senate aide said were aimed at scrutinizing the security of Microsoft products, such as Windows 10, Azure and Office 365. The aide spoke on the condition of anonymity in order to discuss the matter freely.

It’s unclear if every lawmaker on the 16-member panel received the list of queries from Google.

The aide said some, but not all, of the questions are intended for Smith, who will appear before the committee Tuesday afternoon alongside executives from SolarWinds and the cybersecurity firms FireEye and CrowdStrike. The latter two companies have been at the forefront of uncovering the breadth and scope of the likely Russian espionage operation that officials believe specifically targeted nine federal agencies and roughly 100 companies.

A second Senate aide who also spoke on the condition of anonymity described Google’s questions as “bad” and that committee members had been told to be wary of them.

Neither Google nor Microsoft responded to requests for comment.

Figuring out Microsoft’s role: In a Dec. 14 Securities and Exchange Commission filing, SolarWinds appeared to claim that the hackers first accessed its systems through flaws in Microsoft’s Office 365 service. Microsoft vehemently denied that. In the same FAQ, Microsoft denied a Dec. 17 Reuters report that the hackers breached its network and used its products “to further the attacks on others.”

But Microsoft has admitted that the hackers accessed some of its products’ source code and reviewed code related to the products that they later exploited to preserve their access to breached networks.

View original post