Republican lawmakers questioned a senior Microsoft executive on Thursday about the company’s presence in China, about a year after Chinese hackers used the tech giant’s systems to launch a devastating hack of federal government networks.
Several members of the House Committee on Homeland Security asked Brad Smith, Microsoft’s president, in an hourslong hearing how a critical contractor for the U.S. government like Microsoft could maintain a commercial business in China, which Mr. Smith said accounted for about 1.4 or 1.5 percent of the company’s sales.
“Is it really worth it?” asked Representative Carlos Gimenez, a Republican from Florida.
Mr. Smith argued that Microsoft’s business in China served American interests by protecting the trade secrets of Microsoft’s American customers operating there and learning from what’s going on in the rest of the world.
He added that Microsoft had denied Chinese government requests to turn over sensitive information. “I will tell you that there are days when questions are put to Microsoft, and they come across my desk, and I say, ‘No,’” he said.
The hearing was a response to a scathing March report by the Department of Homeland Security’s Cyber Safety Review Board. The report detailed how “a cascade of security failures at Microsoft” allowed a hacking team called Storm-0558, which the report said was an espionage group affiliated with the Chinese government, to infiltrate Microsoft’s email systems in May and June last year.
The report criticized Microsoft for having “a corporate culture that deprioritized both enterprise security investments and rigorous risk management” and said the company’s cybersecurity practices were critical national security because “Microsoft’s products and services are ubiquitous.”
The hackers somehow obtained a digital key — what the report called “cryptographic crown jewels” — for Microsoft’s security mechanisms that let them forge the credentials of other users. They compromised the accounts of 22 organizations and more than 500 individuals around the world, including Commerce Secretary Gina M. Raimondo and the U.S. ambassador to China, Nicholas Burns. More than 60,000 emails were downloaded just from the computer network of the State Department, which discovered the breach.
The intrusion “should never have happened,” the report said. It said Microsoft still did not even know how the hackers had obtained the digital key. It also chided Microsoft for making inaccurate public statements about the hack in the fall.
Microsoft has walked a delicate line in China. It has closed some businesses, such as the LinkedIn professional social network, but offers cloud computing services in China and houses engineering teams and a prized research lab there as well.
Mr. Smith said at the hearing that Microsoft had been shrinking its engineering presence in China and last month offered to relocate 700 or 800 employees who “were going to need to move out of China in order to keep their job.”
The company’s top executives, including Mr. Smith and the chief executive, Satya Nadella, have debated the future of the research lab and instituted guardrails that restrict researchers from politically sensitive work, The New York Times reported in January.
Mr. Smith pledged an urgent security effort inside Microsoft through what he called “the single largest cybersecurity engineering project in the history of digital technology.”
Despite the tough report on Microsoft’s security lapses, lawmakers at the hearing did not question Mr. Smith aggressively and instead focused on ways the government and private sector could work together.
“This is not a gotcha hearing,” Representative Bennie Thompson of Mississippi, the committee’s ranking Democrat, said in his opening remarks.
Mr. Smith stunned lawmakers when he described the scale of the challenge. He said Microsoft detected more than 300 million attacks a day on its customers.
Microsoft in January disclosed a separate hack, by a group sponsored by Russian intelligence, that the report did not cover.
In November, Microsoft announced a top-to-bottom overhaul of its security practices, its biggest security initiative in two decades, and in May said it would tie the compensation of its top executives to the overhaul’s progress.
Mr. Smith said the company’s board had approved a plan to tie a third of the individual performance bonuses for senior executives to cybersecurity. He also said all Microsoft employees would be evaluated on cybersecurity in their twice-a-year performance reviews.
Microsoft’s competitors have pounced on its vulnerability. NetChoice, a trade group whose backers include Google, Amazon and Meta, released a poll of voters critiquing the government’s reliance on Microsoft. NetChoice and several other trade groups backed by competitors sent letters to Biden administration officials calling for the government to use a wider variety of technology vendors.
A public relations firm that lists Google as a client regularly emails reporters when negative stories about Microsoft’s hacks appear, at times offering up experts to speak with. This week, the business software company Salesforce sent a comment to reporters promoting its security culture.
Andy Jassy, Amazon’s chief executive, told investors in late April that security would be critical for customers that are choosing which A.I. services to use.
“If you just pay attention to what’s been happening over the last year or two,” he said, “not all the providers have the same track record.”
