US government excoriates Microsoft for 'avoidable errors' but keeps paying for its products

In what other sphere does a bad supplier not feel pain for its foulups?

Analysis You might think that when a government supplier fails in one of its key duties it would find itself shunned or at least feel financial pain.

But when that supplier is Microsoft, and the failure allows access to government secrets, it sails serenely onwards – with not much more than promises to do better next time.

Microsoft made that promise last year after its shoddy security practices allowed Chinese cyber spies to compromise tens of thousands of email accounts belonging to government officials.

Washington's Cybersecurity and Infrastructure Security Agency's Cyber Safety Review Board (CSRB) this week lashed Redmond for a "cascade" of "avoidable errors" that made the Chinese attack possible.

The government's dependence on Microsoft poses a serious national security threat, which requires strong action

The report called on Microsoft to sort itself out, but didn't suggest sanctions or recommend government agencies seek alternatives.

Microsoft has therefore been let off the hook – just as it was after previous security failures that allowed Russia and China to snoop on its customers, including government agencies and other major corporations.

So while the US Cybersecurity and Infrastructure Agency (CISA) rightly slammed Microsoft for its mistakes, there is absolutely no threat to the government money flowing into Redmond's coffers.

And that money comes in torrents: US government data recorded $498.5 million worth of payments to Microsoft in FY 2023.

Microsoft responds to damning report

The Register asked Microsoft to respond to the CSRB report. In a statement emailed to The Register, a spokesperson replied:

We appreciate the work of the CSRB to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence. As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks.

While no organization is immune to cyber attack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber armies of our adversaries. We will also review the final report for additional recommendations.

While Microsoft has so far not been hurt by its security snafus, pressure to do better is increasing.

US senator Ron Wyden (D-OR) called for the CSRB investigation into Microsoft last August. More recently, he blasted the software giant for yet another "wholly avoidable hack that was caused by Microsoft's negligence" after Redmond confirmed that the compromised account used by Kremlin spies to break into its network and steal source code didn't have multi-factor authentication (MFA) enabled.

"Federal agencies also share blame, for showering Microsoft with billions of dollars in government contracts, without demanding the company meet minimum cyber security standards," Wyden told The Register.

"The government's dependence on Microsoft poses a serious national security threat, which requires strong action."

The senator's suggested responses include "strict, minimum cyber security standards for technology vendors" and ensuring that contractors comply with these rules through independent audits. Wyden also wants tech providers and their senior executives that violate those standards to be held accountable.

At the least, Microsoft will need to prove that it has improved its processes for identifying breaches, according to Jon Clay, VP of threat intelligence at Trend Micro.

"More information on what occurred, and how the adversaries were able to breach them, is good for the public to better understand this, and ensure they themselves can improve their security processes and protections to defend against a similar attack," Clay told The Register.

In the meantime, however, he doesn't anticipate Microsoft's federal contracts drying up. "Microsoft is a major vendor for all of the US government and it would be very difficult for them to be replaced," Clay lamented.

He hopes the Feds give Redmond "a very stern warning and make them improve their internal security controls and processes to ensure the risk of a similar attack is minimized moving forward." He added: "If a fine were imposed, I would be more impressed with the response."

In addition to raking in billions from Uncle Sam, Microsoft earns at least 30 percent of its government revenue through purchase processes that are not competitive.

This includes non-competitive procurement and "limited sources" deals through third parties that specify particular vendors, according to IT procurement consultant Michael Garland's 2023 analysis.

"It's kind of like the mafia," Adam Meyers, head of Counter Adversary Operations at CrowdStrike, argued in an earlier interview. "I mean, what are you gonna do, you're gonna switch to Linux? Get out of here. You've got no choice."

In a very extensive analysis of the CSRB findings (go ahead and check it out – we'll wait) Meyers cited Microsoft's "pattern" of breaches over the past four years and, again, called Microsoft a "national security threat."

That pattern of breaches included falling victim to the SolarWinds supply chain attack in 2020, and being compromised by Lapsus$ hoodlums in 2022. A year later China's Storm-0558 stole Microsoft's secret key and used it to access government secrets. And then this year, we learned that Russia's Cozy Bear had, once again, busted through Redmond's digital perimeter.

"Microsoft is a national security risk, security is a team sport," Meyers Xeeted. "When are we putting them on the bench?" ®

More about

TIP US OFF

Send us news


Other stories you might like