Author: Eric Geller
When Microsoft announced in January that its systems had been breached once more by foreign government hackers, the revelation ignited yet another round of criticism concerning the security stance of the world’s largest tech firm.
Despite the disappointment felt by policymakers, security experts, and competitors, Microsoft did not face any backlash for its latest humiliating failure. The United States government continued to purchase and use Microsoft products, and senior officials refrained from publicly rebuking the tech behemoth. This reflected yet again how Microsoft appears to be immune from almost any governmental accountability, even as the Biden administration promises to compel powerful tech corporations to accept more responsibility for America’s cyberdefense.
This situation is unlikely to alter, even in light of a new report issued by the Cyber Safety Review Board (CSRB), an assembly of government and industry experts. The report harshly criticizes Microsoft for not averting one of the worst hacking episodes in the company’s recent history, concluding that Microsoft’s “security culture was insufficient and necessitates a thorough makeover.”
Microsoft’s dominant position is a product of numerous intertwined factors. It is the most significant technology provider for the US government, powering computers, drafting documents, and running email in institutions ranging from the Pentagon to the State Department to the FBI. It is also an indispensable ally in the government’s cyberdefense initiatives, with almost unmatched knowledge of hacker activity and extensive capability to disrupt it. The company’s executives and lobbyists have also tirelessly portrayed Microsoft as a vanguard of digital safety.
This advantageous position helps explain why senior government officials have refrained from criticizing Microsoft even though its computer systems have been repeatedly infiltrated by hackers reportedly linked to the Russian and Chinese governments. That is the assessment of cybersecurity experts, lawmakers, former government officials, and employees of Microsoft’s competitors.
These individuals—some of whom asked to remain anonymous in order to speak frankly about the US government and the tech industry’s uncontested behemoth—assert that the Microsoft-government partnership hampers Washington’s ability to guard against substantial cyberattacks that put sensitive data at risk and threaten key services. According to them, it is time for Microsoft to face real oversight.
Microsoft’s security has been compromised multiple times over the years, but the recent years have been especially tough for the company.
In 2021, Chinese government hackers discovered and used flaws in Microsoft’s email servers to hack the company’s customers, later releasing the flaws publicly to spark a feeding frenzy of attacks. In 2023, China broke into the email accounts of 22 federal agencies, spying on senior State Department officials and Commerce Secretary Gina Raimondo ahead of multiple US delegation trips to Beijing. Three months ago, Microsoft revealed that Russian government hackers had used a simple trick to access the emails of some Microsoft senior executives, cyber experts, and lawyers. Last month, the company said that attack also compromised some of its source code and “secrets” shared between employees and customers. On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that those customers included federal agencies, and issued an emergency directive warning agencies whose emails were exposed to look for signs that the Russian hackers were attempting to use login credentials contained in those emails.
These incidents occurred as security experts were increasingly criticizing Microsoft for failing to promptly and adequately fix flaws in its products. Because Microsoft is by far the biggest technology provider for the US government, its vulnerabilities account for the lion’s share of both newly discovered and most widely exploited software flaws. Many experts say Microsoft is refusing to make the cybersecurity improvements necessary to keep up with evolving challenges.
Microsoft hasn’t “adapted their level of security investment and their mindset to fit the threat,” says one prominent cyber policy expert. “It’s a huge fuckup by somebody that has the resources and the internal engineering capacity that Microsoft does.”
The Department of Homeland Security’s CSRB endorsed this view in its new report on the 2023 Chinese intrusion, saying Microsoft exhibited “a corporate culture that deprioritized both enterprise security investments and rigorous risk management.” The report also criticized Microsoft for publishing inaccurate information about the possible causes of the latest Chinese intrusion.
Recent breaches have exposed Microsoft’s inability to uphold basic security defenses, several specialists say.
Adam Meyers, senior vice president of intelligence at the security firm CrowdStrike, points to the Russian hackers’ ability to move from a test environment into a production environment. “Such a thing should not take place,” he states. Another cyber expert, who works at a company that competes with Microsoft, underscores China’s ability to surveil multiple agencies’ communications through a single intrusion, echoing the CSRB report’s criticism that Microsoft’s authentication system permitted wide-ranging access with only one sign-in key.
“Such types of breaches are not often revealed coming from other cloud service providers,” Meyers says.
The CSRB report finds that Microsoft has not prioritized reengineering its legacy infrastructure to meet the present threat landscape.
In response to written questions, Microsoft tells WIRED that it is substantially enhancing its security measures in light of recent events.
“Our commitment is towards adjusting to the changing threat environment and partnering across industry and government to safeguard against these increasing and complex global threats,” asserts Steve Faehl, the top technology officer for Microsoft’s federal security division.
As part of Microsoft’s Secure Future Initiative, launched in November, Faehl explains, Microsoft has expanded its ability to automatically identify and block misuse of staff accounts, begun scanning for a wider range of sensitive data in network traffic, reduced the access granted by individual authentication keys, and introduced new authorization requirements for staff who want to set up company accounts.
Microsoft has also reassigned “thousands of engineers” to improve its products and has begun holding high-level executive meetings for status reviews at least biweekly, Faehl says.
The new initiative represents Microsoft’s “roadmap and commitments to answer much of what the CSRB report called out as priorities,” Faehl says. Still, Microsoft does not accept that its security culture is broken, as the CSRB report argues. “We very much disagree with this characterization,” Faehl says, “though we do agree that we haven’t been perfect and have work to do.”
Microsoft has earned special enmity from the cybersecurity community for charging its customers extra for better security protections like threat monitoring, antivirus, and user access management. In January 2023, the company touted that its security division had passed $20 billion in annual revenue.
“Microsoft has shifted to looking at cybersecurity as something that’s meant to generate revenue for them,” says Juan Andrés Guerrero-Saade, associate vice president of research at security firm SentinelOne. His colleague Alex Stamos recently wrote that Microsoft’s “addiction” to this revenue “has seriously warped their product design decisions.”
These tensions exploded into the open in early 2021, as Congress and the new Biden administration scrambled to understand Russia’s far-reaching SolarWinds hacking campaign.
After breaching government networks through SolarWinds software, Moscow’s operatives fooled Microsoft’s cloud platform into granting them expansive access. Because most agencies weren’t paying for Microsoft’s premium service tier, they didn’t have the network activity logs necessary to detect these intrusions. Lawmakers were outraged that Microsoft was charging the government extra for such a basic feature, and Biden administration officials spent the next two and a half years privately urging Microsoft to make log data free for all customers. Microsoft finally agreed to do so last July—eight days after announcing yet another major hack, this one discovered by an agency paying for log data.
Microsoft won’t say if it plans to make other premium security features free for all of its customers. “We continue to raise the built-in security of our products and services to benefit customers,” Faehl says.
Asked about experts’ arguments that Microsoft’s strategy of profiting off of cybersecurity is incompatible with a security-first mindset, Faehl says, “We would disagree with that characterization.”
Microsoft’s dominance has prompted concerns that it represents a single point of failure, concentrating America’s technology dependence in such a way that hackers could easily sabotage essential services by targeting one company’s products.
Few services better illustrate the government’s overwhelming dependence on Microsoft—and an area where some experts say a more diversified approach would be safer—than email. A former US cybersecurity official who works at one of Microsoft’s competitors predicts that an attack crippling Microsoft’s email platform would significantly reduce the government’s ability to operate.
Warnings about a Microsoft “monoculture” date back two decades, but the idea is now attracting new attention from policymakers.
“The US government’s dependence on Microsoft poses a serious threat to US national security,” says US senator Ron Wyden. “The government is effectively stuck with the company’s products, despite multiple serious breaches of US government systems by foreign hackers caused by the company’s negligence.”
Last Monday, Wyden announced draft legislation that would set a four-year deadline for the federal government to stop buying collaboration technology like Microsoft Office that critics say doesn’t integrate well with competing services.
Reducing the government’s reliance on a single vendor wouldn’t just benefit the government, experts say. It would also spread the attack risk across more companies, taking some of the pressure off Microsoft to protect such a vast portfolio of systems. The giant target on Microsoft’s back makes it a magnet for cybercriminals and government hackers, which helps explain its outsize number of breaches.
The government’s reliance on Microsoft also entrenches a familiarity with its products that cements its place in federal networks. While some agencies are exploring alternatives to Microsoft, most of them are sticking with what they know—largely because it’s easier than switching to an alternative platform, the former cyber official says.
Microsoft denies making it difficult for customers to switch to or incorporate competitors’ products. “Our competitors often stoke subjective complaints about ‘compatibility,’” Faehl says, but “we hear this more from the vendors of some third-party products” than from customers trying to use them.
Regardless, experts say, the upshot is clear: The government is dependent on Microsoft, robbing it of the leverage needed to push back on the company’s practices.
Microsoft doesn’t rely solely on its market dominance to blunt government oversight. Since its antitrust battles with the government in the 1990s, the company has developed a sophisticated public policy strategy that combines earnest appeals for protecting cyberspace with consistent involvement in government initiatives.
“Microsoft is by far the slickest operation in tech when it comes to these issues,” states Andrew Grotto, a former senior White House cyber official who currently heads Stanford University’s Program on Geopolitics, Technology, and Governance and advises some of Microsoft’s rivals. “They learned their lesson 25 years ago and have been applying it ever since.”
Microsoft’s threat intelligence team, reputed to know more about malicious cyber activity than nearly all other companies and most governments, consistently publishes research on cyber threats and cooperates with law enforcement to dismantle hackers’ infrastructure. The company also supports groups such as the CyberPeace Institute, which campaigns for a safer internet and helps nongovernmental organizations defend against hackers. And it presents itself as a helpful collaborator to lawmakers who want to address cyber issues but are unsure where to begin, occasionally supplying legislators with draft legislative language.
With its market power and political acumen, Microsoft has ensured that officials seldom publicly reprimand it, experts assert.
“The government’s uncomfortable saying bad things about Microsoft because they’re fully committed to them,” says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, a think tank.
The Biden administration has spoken grandly about wielding the government’s formidable contracting power to force companies to improve their security. But with Microsoft, that leverage is nonexistent, experts say. “There is no realistic chance that the government will wholesale cancel its contracts with Microsoft,” Paul Rosenzweig, a cyber consultant and former DHS policy official, says in an email.
Microsoft disputes this argument. “The idea that the government is too dependent on Microsoft is at odds with reality,” Faehl says.
The government’s lack of leverage means federal officials never use the kind of blunt language found in the CSRB report when discussing Microsoft, even when they insist on speaking to reporters anonymously. The result is a remarkable display of government deference to Microsoft.
After Chinese hackers broke into government email systems and eluded agencies not paying for Microsoft’s premium security features, a senior official at CISA acknowledged that Microsoft’s business model was “not yielding the sort of security outcomes that we seek,” but they declined to directly rebuke Microsoft, instead sticking to talking points about productive conversations with the company.
In fact, despite Microsoft’s yearslong defiance of CISA’s high-profile push for companies to be “secure by design,” CISA has steadfastly refused to criticize Microsoft’s failures. When Microsoft finally bowed to pressure and made logs free last July, CISA director Jen Easterly said she was “extremely pleased with Microsoft’s decision.”
The former cyber official finds the government’s meekness remarkable. “When their own emails are stolen, they don’t seem to push back on the vendor who is the cause of that.”
The White House’s National Security Council declined to comment for this story. In a statement, Eric Goldstein, CISA’s executive assistant director for cybersecurity, says his agency “has a robust partnership with Microsoft and will continue to collaborate in many areas,” while also continuing to “impress upon all technology companies the urgency of developing products that are secure by design so that consumers can trust the safety and integrity of the technology that they use every day.”
Microsoft’s Faehl states that his firm is dedicated to being “secure by design and secure by default.”
The CSRB report on the breach of Microsoft’s cloud calls for a significant shift in the company’s security culture. Many specialists believe it’s time for the government to assert itself and enforce those changes.
According to Stanford University’s Grotto, “Big, powerful corporations typically don’t alter their actions unless they have some incentive.”
The CSRB report proposes stringent new mandates for cloud service providers like Microsoft, including regular security reviews after they win federal contracts. Experts believe such requirements could shift corporate incentives toward improved security.
Microsoft appears to acknowledge that its recent security breaches have caused a public relations issue. Faehl states, “We expect and welcome fair scrutiny. As an industry leader, we need to be responsible for the security of our products and services.”
At the same time, he suggests that Microsoft “wouldn’t oppose some scrutiny” aimed at competitors that “try to fuel fear, uncertainty, and doubt about our status in order to gain an edge for their own goods.”
Confronting Microsoft could become a way for the Biden administration to uphold the principles of its National Cybersecurity Strategy, which emphasizes the need to shift responsibility for cybersecurity onto large, well-resourced tech companies. Grotto states, “They put forth the point that the balance needs to shift. The question now becomes, ‘What will the administration do in response to this diagnosis?’”
There are indications that the administration is taking this suggestion seriously. During a recent press briefing concerning the likelihood that Russian agents stole government secrets via the most recent Microsoft hack, Goldstein made it clear that CISA and other organizations are “working closely with Microsoft, in keeping with the recommendations of the Cyber Safety Review Board, to promote more progress in Microsoft’s improvement plans regarding its security culture and enterprise as a whole.”
In the meantime, experts say, the status quo allows Microsoft to shirk responsibility for problems that it is uniquely capable of resolving.
“No harm comes from doing nothing, at least not to these companies,” Guerrero-Saade of SentinelOne says. “And that’s what’s going to destroy us.”