The U.S. government has a Microsoft problem.
Market dominance, inertia, and savvy PR have almost completely insulated the hack-plagued company from meaningful oversight, even as Biden officials preach corporate accountability.
My new @WIRED story: wired.com/story/the-us-g…
Market dominance, inertia, and savvy PR have almost completely insulated the hack-plagued company from meaningful oversight, even as Biden officials preach corporate accountability.
My new @WIRED story: wired.com/story/the-us-g…
I asked cyber experts, lawmakers, fmr govt officials, & employees of Microsoft's competitors why the company has struggled w/ security and why those woes haven't threatened its business.
Their comments and criticisms mirrored the recent findings of the Cyber Safety Review Board.
Their comments and criticisms mirrored the recent findings of the Cyber Safety Review Board.
Why has Microsoft experienced so many high-profile hackers recently?
Because, experts said, MSFT has underinvested in the security improvements needed to protect both its legacy products and cloud services from modern threats.
Several recent hacks suggest major negligence.
Because, experts said, MSFT has underinvested in the security improvements needed to protect both its legacy products and cloud services from modern threats.
Several recent hacks suggest major negligence.
As I did interviews for this story, I repeatedly heard people express amazement at the revelations of how and where Microsoft's security was failing to prevent breaches.
One cyber expert called MSFT's underinvestment "a huge fuckup" for such a large and capable firm.
One cyber expert called MSFT's underinvestment "a huge fuckup" for such a large and capable firm.
Industry vets, incl. execs at MSFT competitors, echoed the CSRB's critique of MSFT's culture & forthrightness.
"Their track record on security focuses more on preserving their business and reputation than protecting their customers or being truthful," said Tenable CEO @ayoran.
"Their track record on security focuses more on preserving their business and reputation than protecting their customers or being truthful," said Tenable CEO @ayoran.
Microsoft declined my interview requests but provided written answers to my questions.
A security exec listed several improvements that MSFST has already made to address issues called out in the CSRB report, adding, "We do agree that we haven’t been perfect and have work to do."
A security exec listed several improvements that MSFST has already made to address issues called out in the CSRB report, adding, "We do agree that we haven’t been perfect and have work to do."
Microsoft's defenders note that it faces challenges that its top rivals Google and Amazon don't. It still has to protect legacy technology, some of it designed long before sophisticated nation-state cyber threats. And forcing customers to migrate to the cloud would be disruptive.
"Think of the impact to small and medium businesses around the country" of a forced cloud migration, one ex-Microsoft employee told me. "The company's in a no-win situation. They're damned if they do and they're damned if they do."
That argument didn't hold water with many experts, who said that (1) Microsoft has a responsibility to protect the legacy products it's selling and supporting, and (2) Microsoft is one of the few companies actually capable of going toe to toe with nation-state threat actors.
Instead of doubling down on cybersecurity improvements, experts say, Microsoft has focused on building a business out of charging extra for basic security features.
This strategy has been as controversial as it has been profitable.
Remember the SolarWinds logging uproar?
This strategy has been as controversial as it has been profitable.
Remember the SolarWinds logging uproar?
Microsoft wouldn't tell me if it planned to make other premium security features free, but the executive who answered my questions said the company disagrees with criticisms of the company's security profit center.
Despite these failures & controversies, Biden administration officials have refused to directly criticize Microsoft on the record.
Why?
Two big reasons:
(1) USG's complete dependence on MSFT products, robbing it of all leverage
(2) MSFT's extremely savvy "kumbaya" PR strategy
Why?
Two big reasons:
(1) USG's complete dependence on MSFT products, robbing it of all leverage
(2) MSFT's extremely savvy "kumbaya" PR strategy
The government's overwhelming reliance on Microsoft is the product of multiple factors: MSFT making it hard to switch to or integrate competing products; agency IT leaders refusing to abandon MSFT out of loyalty or comfort; and the inertia of familiarity in complex systems.
"Microsoft has a lot of leverage in that relationship," says @GrottoAndrew. "Switching costs are high. There aren't a ton of alternatives to Microsoft. Those alternatives don't have the experience and track record that Microsoft has navigating the federal contracting ecosystem."
This reliance doesn't just sap the govt's leverage over Microsoft. It also makes it easier for adversaries to cause widespread damage by attacking one vendor.
“The US government’s dependence on Microsoft poses a serious threat to US national security,” @RonWyden told me.
“The US government’s dependence on Microsoft poses a serious threat to US national security,” @RonWyden told me.
The government effectively has only one vendor for user authentication/identity management, productivity software, and email/collaboration.
As one cyber expert who works at a Microsoft competitor put it, "We would never contract with just one type of ship maker."
As one cyber expert who works at a Microsoft competitor put it, "We would never contract with just one type of ship maker."
To neutralize criticism, MSFT operates what @GrottoAndrew calls "by far the slickest" reputation-management campaign of any tech firm.
It funds nonprofits, helps lawmakers write bills, & touts its threat intel prowess.
Its lobbyists learned the lesson of the antitrust battles.
It funds nonprofits, helps lawmakers write bills, & touts its threat intel prowess.
Its lobbyists learned the lesson of the antitrust battles.
The result of Microsoft's PR and business strategies is that the government has virtually no influence over Microsoft.
Government officials almost never criticize the company. They certainly don't use the kind of blunt language found in the CSRB report.
Government officials almost never criticize the company. They certainly don't use the kind of blunt language found in the CSRB report.
This government deference to Microsoft is particularly evident at @CISAgov.
Despite CISA talking tough about companies' responsibility to be "secure by default," agency officials lavished praise on MSFT for begrudgingly making log data free after multiple hacks forced its hand.
Despite CISA talking tough about companies' responsibility to be "secure by default," agency officials lavished praise on MSFT for begrudgingly making log data free after multiple hacks forced its hand.
One argument I heard a lot is that, as one expert put it, "there's a misconstrued sense of fairness" at play here.
People think the govt believes that criticizing Microsoft would look like favoritism toward competitors.
It wouldn't, that expert said. "Call a spade a spade."
People think the govt believes that criticizing Microsoft would look like favoritism toward competitors.
It wouldn't, that expert said. "Call a spade a spade."
Microsoft's response to the latest wave of harsh criticism has balanced firm pushback with muted acknowledgement of its shortcomings.
"We expect and welcome fair scrutiny," the exec told me. But he also said MSFT "wouldn't mind" more scrutiny of its competitors' tactics.
"We expect and welcome fair scrutiny," the exec told me. But he also said MSFT "wouldn't mind" more scrutiny of its competitors' tactics.
It remains to be seen if the CSRB report will be the turning point that forces the USG to hold Microsoft accountable, in keeping w/ Biden's National Cyber Strategy's emphasis on shifting the burden of security onto big tech vendors.
But experts said it's past time for that.
But experts said it's past time for that.
For the moment, our national cyber posture is disproportionately dependent on the whims of a company that has proven impervious to govt pressure.
As @juanandres_gs put it, "No harm comes from doing nothing, at least not to these companies. And that’s what's going to destroy us."
As @juanandres_gs put it, "No harm comes from doing nothing, at least not to these companies. And that’s what's going to destroy us."
You can read my full story about Microsoft in @WIRED here: wired.com/story/the-us-g…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
