Shaming Microsoft won’t strengthen US cybersecurity. It’s time for alternatives.
Next week, Microsoft President Brad Smith will testify before the House Committee on Homeland Security on his company’s “cascade of failures” after Chinese state-affiliated hackers compromised over 500 federal cloud accounts last May. During the hearing, legislators will hear updates on new cybersecurity practices from Microsoft leadership and examine what else can be done to strengthen the company against attacks. What likely won’t be discussed: Alternatives to the United States’ cloud storage oligopoly if its adversaries continue to access critical government data in the future.
Size and scalability allow major cloud vendors to offer services and pricing to governments that local competitors can’t match. Just three U.S. tech giants — Google, Amazon, and Microsoft — are responsible for storing most sensitive government databases across the Americas and Europe. Even when their cloud architecture isn’t “locked in” to a single provider, states can lose their ability to negotiate favorable terms due to lengthy mega-agreements that are expensive to implement and even costlier to back out of.
In the United States, where federal spending on cloud computing exceeded $19 billion last year, select IT providers play a central role in national cybersecurity. Only two firms, Microsoft and Amazon, are eligible for Department of Defense cloud hosting contracts comprising billions of dollars annually, and over 30 percent of Microsoft’s contracts were awarded without effective competition. Remarkably, this is a less centralized environment than in previous years; Microsoft was set to receive nearly $10 billion in exclusive contracts in 2019 before competitors Amazon and Oracle sued over alleged violations of federal procurement law.
While it seems unusual that the U.S. would wind up with so few vendors for a service that’s been offered for nearly 20 years, continuing to trust an industry leader brings substantial benefits. Under a giant like Microsoft, federal agencies have access to an expansive network of services, on-call IT experts, and cybersecurity firewalls at the cutting edge of the market. The interoperability of its software suites means that the infrastructure supporting the cloud is free from data silos, unnecessary duplication, and other inefficiencies. Large tech firms have also been instrumental in providing the technical expertise, products and financial investments that allow agencies to streamline their shift to the cloud and introduce system-wide innovations in times of crisis.
However, if something seems too good to be true, it typically is. Though federal discounts from major cloud vendors are lucrative at first, annual rates for cloud hosting climb precipitously and unequally across the government over time. Unplugging from one ecosystem and into another isn’t easy, and according to vendor lawsuits, anticompetitive corporate practices make switching even more difficult for federal consumers. Despite Microsoft’s impressive scale and market share, experts and insiders have increasingly criticized its failure to implement basic security protocols — a complacency leading to significant national security implications as it protects the U.S. military’s most critical defense technologies and intelligence data.
Given these risks, new federal actions aim to improve market competition and put fire to the heels of big tech. The SAMOSA Act, which quickly gained bipartisan momentum and is awaiting review in the Senate, was introduced to regulate “unlimited” cloud agreements and other predatory corporate practices. The Multi-Cloud Innovation and Advancement Act, which proposes standardizing federal cloud infrastructure, passed through the Senate Homeland Security and Governmental Affairs Committee last month. In the House hearing, Microsoft President Brad Smith will address a report released by the Cyber Safety Review Board in March that stated Microsoft’s security culture was “inadequate and requires an overhaul.”
To some, these actions prove that legislators are finally addressing key systemic failures that have long been neglected. Without a viable alternative, however, the consequences of allowing intrusions to persist are little more than a slap on the wrist. In fact, it may even come with incentives; last year, the Department of Defense announced it would be helping federal cloud vendors enhance their cybersecurity suites. Holding cloud vendors accountable for their stated promises, switching to a more reliable partner, or threatening to build its own cloud management network were not options on the table, despite gross profit margins for the industry climbing to over 50 percent in 2024.
By subsidizing stronger security protocols instead of demanding them, public agencies aim to retain long-standing relationships and maintain ongoing collaboration on federal IT initiatives. Despite big tech firms’ contributions to the state, their ultimate responsibility is to their bottom line — and if federal procurement becomes unprofitable, they will explore other options. To keep their negotiating power, legislators should do the same. When balancing shareholder interests against the security of the U.S. and its allies, there should be no question about where our government stands.
Courtney Manning is a senior research scientist at American Security Project. She specializes in emerging national security risks and military readiness.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed. Regular the hill posts