Microsoft can’t keep itself safe — why are we trusting it with our national security?
Recently, Microsoft made the stunning admission that Russian-based hackers breached its systems and gained weeks-long access to the emails and accounts of senior executives. For the U.S. government, which overwhelmingly relies on Microsoft products, these incidents amount to a five-alarm fire about the security of one of its largest technology partners.
Nation-state hackers that attack our government and the vendors it relies on pose a clear threat to our national security. Now is the time to move beyond criticism and actually hold government technology contractors with repeated cybersecurity issues accountable.
Much like efforts to hold the defense industry accountable, Congress should consider a wide range of options, from demanding higher baseline cybersecurity standards to incentive payments that reward effective cybersecurity. To jumpstart progress, Congress must hold Microsoft accountable and press the administration to pause additional funding for Microsoft IT contracts until the company gets its security house in order.
As one of the U.S. federal government’s primary technology vendors, Microsoft should hold itself to a higher cybersecurity standard. Indeed, the company has touted itself repeatedly as one of the leaders in global cybersecurity. Microsoft holds an 85 percent market share in the U.S. government’s productivity software, provides cybersecurity services to the U.S. government and its allies and serves highly classified workloads on its Azure cloud service — responsibilities that make Microsoft a primary target for nation-state activity. Yet, the cavalier attitude Microsoft takes toward product security has resulted in multiple, successful nation-state cyberattacks against the IT software our government agencies depend upon.
In this most recent incident, Microsoft failed to protect itself against a password spray attack, a simple breach tactic avoidable even by rudimentary cybersecurity measures. The fact that this hack could have been stopped by implementing basic cybersecurity best practices is egregious and representative of the company’s cultural failures in its approach to cybersecurity in general. The incident comes on the heels of a breach of Microsoft’s systems by Chinese state-sponsored hackers in July that compromised the accounts of several top lawmakers, including those of Commerce Secretary Gina Raimondo and Ambassador to China Nicholas Burns.
The threats posed by nation-state actors have been clear to IT vendors for many years.
The Russian hacking group known as Nobelium and Midnight Blizzard was the same outfit responsible for the infamous 2020 SolarWinds attack, in which the group exploited flaws in Microsoft technology to potentially access the data of multiple governmental organizations and key government partners in the private sector. Microsoft’s failure to fix known problems in its cloud software, which allowed hackers to exploit a major backdoor in third-party vendors reliant on Microsoft systems, drew significant backlash from elected officials concerned that Microsoft was either unwilling or incapable of ensuring the products they provide to our government are safe and reliable.
We need to hold our providers of software to the security standards we need, as cybersecurity threats become more sophisticated — especially those from nation-state actors. In any other industry, a recurring issue that threatens the safety and security of the American public — a plane failure, a contaminated food product, or an oil spill to name a few — would be grounds for immediate investigation of the company and products in question. Why then do we let the IT companies that serve the government off the hook?
The Department of Justice’s 2021 Civil Cyber-Fraud Initiative utilizes the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. Perhaps it is time for the department to take a serious look at software vendors who continue to provide products to the federal government that fall far short on security and safety and actually increase our vulnerabilities to Russian, Chinese and other nation-state actors who wish us ill. The well-known quote that the definition of insanity is “doing the same thing over and over again and expecting a different result” certainly applies to the government’s approach with Microsoft products. We keep expecting that Microsoft will get its security house in order, yet they continue to fall dangerously short.
The Biden administration must take serious action to hold the government’s largest software provider accountable and pause new funding for Microsoft’s products until they see a different result on security. Otherwise, we will keep living through the insanity of relying upon vulnerable software that places our nation at risk.
Roger Cressey served in counterterrorism and cybersecurity positions in the White House under Presidents Clinton and George W. Bush. He is currently a partner at Mountain Wave Ventures where he advises clients, including Google Cloud, on matters of cybersecurity.
This post has been updated to more accurately reflect the author’s background.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.