Analysis
You might think that if a government supplier fails at one of its key tasks, it would be shunned, or at least feel some financial pain.
But when that supplier is Microsoft, and its failure hands foreign spies access to government secrets, it quietly sails on, promising only to do better next time.
Microsoft made that pledge last year after its lax security practices allowed Chinese cyber spies to compromise tens of thousands of emails belonging to government officials.
The US Department of Homeland Security's Cyber Safety Review Board (CSRB) this week accused Redmond of a "cascade" of "avoidable errors" that enabled the Chinese attack.
The report called on Microsoft to mend its ways, but it did not suggest sanctions or recommend that agencies explore alternatives.
So Microsoft was spared that trouble, just as it was after previous security failures that let Russia and China snoop on its customers, including government agencies and other large corporations.
So while the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has rightly condemned Microsoft's mistakes, there is no threat to the government funds flowing into Redmond's coffers.
And that money comes in torrents. U.S. government data records payments to Microsoft worth $498.5 million in fiscal year 2023.
Microsoft responds to damning report
The Register asked Microsoft to respond to the CSRB report. A spokesperson replied in a statement emailed to The Register.
Microsoft has so far escaped consequences for its security failures, but pressure to improve is growing.
U.S. Sen. Ron Wyden (D-Ore.) called for a CSRB investigation into Microsoft last August. More recently, he again criticized Microsoft's negligence after Redmond confirmed that the account Kremlin spies compromised to infiltrate its network and steal source code did not have multi-factor authentication (MFA) enabled, accusing the software giant of "a completely avoidable hack that was caused" by that lapse.
"Federal agencies also share responsibility for funneling billions of dollars in government contracts to Microsoft without requiring it to meet minimum cybersecurity standards," Wyden told The Register.
“The government's reliance on Microsoft poses a serious national security threat and requires strong action.”
The senator's proposed response includes "strict minimum cybersecurity standards for technology vendors" and ensuring contractors comply with those rules through independent audits. Wyden also calls for accountability for technology providers, and their senior executives, who violate these standards.
At a minimum, Microsoft needs to demonstrate that it has improved its process for identifying breaches, said Jon Clay, Trend Micro's vice president of threat intelligence.
"Further information about what happened and how the adversary was able to gain entry would be useful to help the public better understand this and improve their own security processes and protections against similar attacks," Clay told The Register.
But in the meantime, he doesn't expect Microsoft's federal contracts to dry up. “Microsoft is a major vendor for the entire U.S. government, and it will be very difficult for them to be replaced,” Clay lamented.
He expects the federal government to issue Redmond "a very stern warning and direct it to improve its internal security controls and processes to minimize the risk of similar attacks in the future." He added that he would be "more impressed with the response if a fine was imposed."
In addition to raking in billions of dollars from Uncle Sam, Microsoft collects at least 30 percent of its government revenue through noncompetitive purchasing processes.
According to a 2023 analysis by IT procurement consultant Michael Garland, this includes non-competitive procurement and “limited source” deals through third parties that name specific vendors.
"It's kind of like a mafia," Adam Meyers, CrowdStrike's head of counter-adversary operations, argued in a previous interview. "So what are you going to do, switch to Linux? Get out of here. There's no other choice."
In a more extensive analysis, Meyers again called Microsoft a "national security threat," citing Microsoft's "pattern" of breaches over the past four years.
That pattern includes being a victim of the SolarWinds supply chain attack in 2020 and being compromised by the Lapsus$ thugs in 2022. A year later, China's Storm-0558 stole a Microsoft private signing key and used it to access government secrets. And this year, we learned that Russia's Cozy Bear has once again breached Redmond's defenses.
"Microsoft is a national security risk, and security is a team sport," Meyers said. "When are we going to bench them?" ®