German BSI Forces Microsoft to Disclose Security Measures

Company Publishes Information on Double Key Encryption Under Regulatory Pressure
A Microsoft office in Cologne, Germany (Image: Shutterstock)

Following a legal intervention by the German federal cybersecurity agency, Microsoft has disclosed additional information on encryption measures it adopted to secure its customer data.

Microsoft on Thursday published a white paper that details how the company is deploying double key encryption across its platform, including Microsoft 365 and Azure.

"The white paper describes some possible threat scenarios that need to be taken into account, as well as appropriate countermeasures," Microsoft's German office said in a blog post.

Microsoft's decision to publish the report came after the Federal Office for Information Security, or BSI, in May invoked a clause within the country's Federal Office for Information Security Act, which requires information technology companies to provide "all necessary" information related to security incidents when requested by the agency.

BSI reportedly made the legal case for disclosure after Microsoft repeatedly failed to provide adequate information on its encryption measures in response to agency requests. BSI's inquiry is related to its probe of a 2023 incident that resulted in hackers stealing Azure Active Directory tokens to target U.S. government networks.

The company at the time attributed the attack to a Chinese threat actor tracked as Storm-0558 or Volt Typhoon. Since Microsoft's disclosure of the hack, BSI has been working with the company to review its security measures, particularly to understand data protection steps deployed by the company against similar Violet Typhoon attacks.

A Microsoft Germany spokesperson told Information Security Media Group that BSI did not file a lawsuit, as widely reported by the German media. The company has always cooperated with the authorities on "clarifying documents when new or underrepresented threat vectors appear," the spokesperson said.

A BSI spokesperson confirmed that the agency has not filed a lawsuit against Microsoft. The agency on Thursday urged Microsoft users in Germany to deploy the correct encryption service offered by the company to secure their customer data.

BSI's scrutiny of Microsoft comes amid increased criticism of the company over its recent high-profile security failures. In May, the German government said Russian hackers used an unidentified zero-day vulnerability in Microsoft Outlook to target members of the German Social Democratic Party (see: Russian GRU Hackers Compromised German, Czech Targets).

Prior to that, the German Parliament's technology oversight committee held a closed-door meeting with Microsoft senior executives following the computing giant's March disclosure that Russian foreign intelligence hackers obtained access to source code repositories and internal systems (see: Microsoft Questioned by German Lawmakers About Russian Hack).

Recently, during a U.S. congressional hearing, Microsoft President Brad Smith acknowledged responsibility for a series of security failures that allowed Russian and Chinese state-sponsored actors to target government institutions across the world, as well as the company itself (see: Microsoft President Admits to Major Security Failures).

In the wake of that hearing, Microsoft has garnered more political interest from Germany, said Dennis-Kenji Kipker, professor of IT security law at the City University of Applied Sciences, Bremen, in northwest Germany.

"It is also clear to the BSI that the information provided by Microsoft to date is not only completely inadequate, but also gives rise to fears that there are indeed blatant security problems at Microsoft. It is clear that the concept of 'security through obscurity,' which Microsoft has obviously pursued for years, no longer works and is at an end," Kipker said.


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.