Lousy security culture, products as full of holes as a Swiss cheese, but "too big to fail and everyone is dependent". That's a description of Microsoft – not mine, but the tenor of the statements made by the former White House Director of Cyber Policy, Andrew J. Grotto, in an interview with the British newspaper The Register.
Sword of Damocles "security" over Microsoft
In terms of marketing, Redmond is at the top of its game, with a new pig being driven through the village every week: Cloud, Mobile First and now AI using Copilot. On the other hand, Microsoft has been conspicuous for years for its poor software quality and buggy updates, which then have to be corrected at great expense. And then there are the security incidents with Microsoft's cloud services, which are making Microsoft's customers nervous.
- In the summer of 2023, the Microsoft Cloud was hacked by the alleged Chinese hackers of the Storm-0558 group, which made it possible to read the online accounts of US government representatives (see e.g. China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud).
- Or there was the hack of the Microsoft Cloud by the suspected Russian group Midnight Blizzard, which became known in January 2024 but may still be ongoing (see e.g. Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023). Not only emails from Microsoft executives but also from customers were read and even source code was captured.
In the last 24 months, further security incidents have become known in which Microsoft servers were unprotected and accessible via the internet. I discussed the last case in the article Unsecured Microsoft Azure Server exposes passwords etc. of Microsoft systems (Feb. 2024).
Basically, the Microsoft Cloud is considered "compromised" and major customers in the US government are looking at how to reduce their dependencies on Microsoft. The US cyber security authority CISA has also issued an order requiring US authorities to check their systems for risks resulting from the Midnight Blizzard hack by the end of April 2024 (see US CISA orders admins in authorities to mitigate the cyber risks of the Microsoft Cloud).
Microsoft under fire, but with no alternative
The situation outlined above is the basis on which the British medium The Register conducted an interview with an ex-director of cyber policy in the White House. The aim was to find out what the US authorities' view of Microsoft is after cyberattacks on Microsoft's cloud became known as a result of serious security flaws.
In the article Microsoft is a national security threat, says ex-White House cyber policy director, The Register asks former White House cyber policy director Andrew Grotto about Microsoft's role in US government agencies.
The interview is available on YouTube via the image above. In my opinion, the core statements from the interview are more than controversial, but they fall within the framework of what I have already touched on several times here in the blog.
- Microsoft has gained a shocking amount of control over IT within the US government.
- And since there is hardly any competition at government level, the Windows manufacturer has no incentive to make its systems more secure.
- According to AJ Grotto (former Director of Cyber Policy at the White House), Microsoft is a national security threat to the USA from this perspective.
It was a tough struggle for the US federal authorities to demand even minor concessions (in terms of log file analysis) from Microsoft after the Storm-0558 hack (see After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging). AJ Grotto criticizes the fact that Microsoft generated around 20 billion dollars with security services last year, but was only willing, under maximum pressure, to provide a logging function that should actually be standard for detecting cyber threats.
Microsoft simply has a great deal of influence in the (US) authorities and is not afraid to use this influence for its own purposes. Grotto has simple answers to the question of how the problem can be solved. If 85 percent of the productivity software used in the US government (according to Grotto's estimate) comes from Microsoft and the proportion of Redmond operating systems is even greater, there is only one thing to do: "The government must focus on promoting and catalyzing competition".
Grotto also calls for the US government to publicly scrutinize Microsoft and ensure that it is widely known when the company makes mistakes. "At the end of the day, Microsoft, like any other company, will respond most directly to market incentives," Grotto is convinced in the interview. "If this review doesn't lead to a change in behavior among customers, who may want to look elsewhere, then the incentives for Microsoft to change will not be as strong as they should be." So it remains exciting, because this discussion sounds familiar to me from the discussion with my blog readers.
Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems
US CISA orders admins in authorities to mitigate the cyber risks of the Microsoft Cloud
Unsecured Microsoft Azure Server exposes passwords etc. of Microsoft systems (Feb. 2024)