Concerns grow over Department of Defense plans to expand Microsoft investment
Chris Liotta
June 3, 2024
US lawmakers are raising alarm over the Department of Defense's plans to make further investments in Microsoft products, despite a series of high-profile cybersecurity incidents affecting the tech giant.
Two bipartisan senators wrote a letter to Defense Department CIO John Sherman expressing “serious concerns” that the Pentagon is “doubling down on its failed strategy of increasing reliance on Microsoft” as Washington reevaluates its reliance on the company's 365 cloud-based product. The letter comes after a memo, first reported by Axios, said all Pentagon departments must upgrade to and implement Microsoft 365 E5 licenses within 12 months, which include security measures such as privacy and insider risk management.
“We are deeply concerned that the Department of Defense has chosen not to adopt a multi-vendor approach that would lead to greater competition, lower long-term costs, and better cybersecurity outcomes,” Sens. Ron Wyden (D-Ore.) and Eric Schmitt (R-Miss.) said in the letter. The Defense Department is one of the largest purchasers of cybersecurity products in the United States.
The letter follows a recent federal report that investigated Microsoft's security flaws after a Chinese hacking campaign successfully targeted the email accounts of senior U.S. government officials last summer (see: Report Criticizes Microsoft for Security Blunders in China Hack). Microsoft also faced criticism in January after Russian government hackers used a simple technique to access the email accounts of senior Microsoft executives.
Experts have long called for the federal government and the Defense Department to move away from an overreliance on any single software provider, an approach that they say introduces inevitable vulnerabilities and could put national security at risk. In a letter to the Defense Department on Wednesday, Wyden and Schmitt asked for information about the department's plans to ensure it implements a “multi-vendor approach that fosters innovation and competition.”
“The Department of Defense's requirement of advanced cybersecurity products will have a positive impact across the U.S. Government and will have beneficial outcomes across the public and private sectors,” the letter said, adding that it is “essential” for Congress and the Department of Defense to “work together to ensure a robust cybersecurity posture.”
Roger Koehler, CISO at security platform Huntress and former deputy director of the Defense Department's Joint Artificial Intelligence Center, said Microsoft has been a focus of scrutiny in recent months.
“Microsoft is a large company, so it doesn't leave the Department of Defense or the federal government with many options,” Koehler told Information Security Media Group. The company has “publicly acknowledged the need for improvement,” he added, and is taking steps to strengthen its security measures for customers (see: Microsoft Overhauls Security Measures After Massive Breach).
Charlie Bell, Microsoft's executive vice president of security, compliance, identity and administration, said in a blog post in May that the company plans to tie executive compensation to achieving certain security milestones and expand its Secure Future initiative aimed at combating growing cyber attacks.
According to the announcement, Microsoft will now continuously enforce least privilege access for all applications and users, completely eliminating lateral movement of identities between tenants, environments, and cloud networks. In response to recent cyberattacks, Microsoft has enabled default logging for users, allowing organizations with fewer resources, such as small minority-owned businesses, to see the basic log information they need to understand whether they have been compromised due to an incident.
“None of this is a silver bullet,” Koehler said of Microsoft's security enhancements, adding, “But there's no such thing as perfect security.”
The Pentagon did not respond to a request for comment.