
Authentication Logging

While Jen Easterly, the head of CISA, was overflowing with ebullient praise for the launch of the U.S. Cyber Trust Mark Program (a cybersecurity certification and labeling program meant to help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks), the “Microsoft problem” continues to expand through the MOVEit long tail, which now infects 432 companies and impacts 23,248,304 individuals.

The breach that gave Chinese advanced persistent threat (APT) actors access to emails within at least 25 US government agencies will likely put a much broader suite of Microsoft cloud services at risk than previously thought.

But we won’t know anything for a while, because in spite of how many times really smart folks like Richard Bird and Jeremy Grant talk about its importance, very few companies do authentication logging today. Most companies (according to RiskIQ) don’t keep log data beyond 30 days, and in this case there are no specific regulations driving disclosure, which means we won’t know the full scope of the actual compromise for weeks, if not months, or perhaps ever.

Simply put, authentication logs record information about authentication events that occur when end users try to access network resources where access is controlled by authentication policy rules. The logs are useful for troubleshooting access issues and for adjusting authentication policy as needed. They are also useful for identifying suspicious activity on the network and for tracing the recent history of that activity.
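To make the three uses above concrete, here is an added example (not code from the original post or from any vendor product) that parses a small set of constructed authentication events and runs two simple detections over them: a burst of failures from one source followed by a success, and a successful login from a source address a user has never been seen from before. It also pulls one user’s recent history for tracing. The field names (`ts`, `user`, `src`, `app`, `result`, `reason`) and the thresholds are assumptions chosen for the example; real log schemas differ.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication events (not real data), one JSON object per line.
# The field names are assumed for this example; adapt them to your own log schema.
SAMPLE_LOG = """\
{"ts": "2023-07-10T08:00:01Z", "user": "alice", "src": "203.0.113.5", "app": "mail", "result": "success"}
{"ts": "2023-07-10T08:05:10Z", "user": "bob", "src": "198.51.100.7", "app": "files", "result": "failure", "reason": "bad_password"}
{"ts": "2023-07-10T08:05:12Z", "user": "bob", "src": "198.51.100.7", "app": "files", "result": "failure", "reason": "bad_password"}
{"ts": "2023-07-10T08:05:15Z", "user": "bob", "src": "198.51.100.7", "app": "files", "result": "failure", "reason": "bad_password"}
{"ts": "2023-07-10T08:05:20Z", "user": "bob", "src": "198.51.100.7", "app": "files", "result": "failure", "reason": "bad_password"}
{"ts": "2023-07-10T08:05:25Z", "user": "bob", "src": "198.51.100.7", "app": "files", "result": "failure", "reason": "bad_password"}
{"ts": "2023-07-10T08:05:31Z", "user": "bob", "src": "198.51.100.7", "app": "files", "result": "success"}
{"ts": "2023-07-10T09:15:00Z", "user": "alice", "src": "192.0.2.44", "app": "chat", "result": "success"}
{"ts": "2023-07-10T09:15:30Z", "user": "alice", "src": "192.0.2.44", "app": "mail", "result": "success"}
"""


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp like 2023-07-10T08:00:01Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse newline-delimited JSON auth events into dicts, sorted oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = _parse_ts(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failures_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a success preceded by at least `threshold` failures from the same
    (user, source) pair inside `window`: a common sign of password guessing that worked."""
    recent = defaultdict(list)  # (user, src) -> failure timestamps still inside the window
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        cutoff = ev["ts"] - window
        recent[key] = [t for t in recent[key] if t >= cutoff]
        if ev["result"] == "failure":
            recent[key].append(ev["ts"])
        elif ev["result"] == "success":
            if len(recent[key]) >= threshold:
                alerts.append({"user": ev["user"], "src": ev["src"],
                               "failures": len(recent[key]), "success_at": ev["ts"]})
            recent[key].clear()  # a success ends the failure run either way
    return alerts


def new_source_logins(events):
    """Flag a successful login from a source address this user has never succeeded from before.
    The first success for a user seeds the baseline and is not flagged."""
    seen = defaultdict(set)  # user -> source addresses with an earlier success
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        if seen[ev["user"]] and ev["src"] not in seen[ev["user"]]:
            alerts.append({"user": ev["user"], "src": ev["src"], "at": ev["ts"]})
        seen[ev["user"]].add(ev["src"])
    return alerts


def user_history(events, user, since_iso):
    """Return one user's events at or after `since_iso`, oldest first, for tracing activity."""
    since = _parse_ts(since_iso)
    return [ev for ev in events if ev["user"] == user and ev["ts"] >= since]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in failures_then_success(evs):
        print("ALERT failures-then-success:", a)
    for a in new_source_logins(evs):
        print("ALERT login-from-new-source:", a)
    for ev in user_history(evs, "alice", "2023-07-10T09:00:00Z"):
        print("alice:", ev["ts"].isoformat(), ev["app"], ev["src"], ev["result"])
```

Both detections only work if the events exist to be read: with the 30-day retention the post mentions, `user_history` for an intrusion older than a month returns nothing, which is exactly the visibility gap the post is describing.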

The lack of authentication logging across many of the Microsoft breach’s victims means that the swiped MSA key would also enable forged access tokens for multiple types of AAD (Azure AD) applications, including Outlook, Exchange, SharePoint, Teams, OneDrive, and customers’ applications that support the ‘login with Microsoft’ functionality.

And that would be for every Microsoft online user on the planet.

So, while comparing the benefits of one initiative (an unenforceable, regulation-free promise by technology executives to make more secure products) to the pending calamity of AAD exploits, it’s not hard to see why folks like Easterly, Neuberger (NSA), Rosenworcel (FCC Commissioner), and Locascio (NIST Director) would focus on a more secure-by-design technology ecosystem while ignoring the perils of critical vulnerabilities in the world’s most heavily used software product.

These are four smart women. Too smart to step into a fight they can’t possibly win. But I also know that they are strong influencers and recognize the challenge, its risks and dangers, and are all sufficiently brave to marshal internal support for what must be done to end the madness.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.

