The US government’s Microsoft problem and what to do about it

To build a secure future, it is critical that the U.S. government invest in a resilient, defensible digital ecosystem.

In June, Microsoft President Brad Smith appeared before Congress to discuss the company’s cascade of security failures that allowed Chinese hackers to steal tens of thousands of emails from the U.S. government. The hearing focused on a recent report by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) that found the attack was preventable and faulted Microsoft for preventable errors that left federal agencies vulnerable to the intrusion.    

The CSRB’s report and lawmakers’ questioning of Smith have raised troubling concerns about how Microsoft’s inadequate security culture compromises the United States’ most critical economic and security interests. Microsoft has committed to “trying to focus on culture change,” but that isn’t enough. To make meaningful progress, the U.S. government must now assess the state of its digital ecosystem and bring about the fundamental shifts it calls for in its National Cybersecurity Strategy (NCS), namely rebalancing the responsibility to defend against cyber threats and realigning incentives to favor long-term investments in security.   

To start, the U.S. government needs to triage its near-complete dependence on Microsoft — which is by far the U.S. public sector’s largest IT provider — by assessing the full damage done to date, the current threats to its IT systems, and future potential vulnerabilities. In the interim, the U.S. government should pause efforts to further integrate Microsoft into its technologies and systems until officials can explore alternative security products and services. Microsoft’s executive vice president of security, Charlie Bell, has admitted that the company is “ground zero” for foreign government-backed hackers — and it continues to prove itself defenseless.

Just six months after the intrusion by Chinese hackers, Russian hackers breached Microsoft’s corporate systems and gained access to emails between federal agencies and Microsoft’s cybersecurity and legal teams. The CSRB’s report raises concerns that the Russian hack occurred because Microsoft had not addressed the security weaknesses and control failures within its environment after the Chinese hack. Undoubtedly, the U.S. government will continue to be the target of similar attacks, and as its largest IT provider, Microsoft must be held to the highest standards.   

That’s why, as a second step, the U.S. government must rebalance the responsibility to defend against cyber threats by asking more of technology providers, especially ones as large as Microsoft. As it stands, end users — the individuals, small businesses and governments that use the technology — bear too much responsibility for our collective cybersecurity and resilience. Instead, providers like Microsoft should be expected to protect our data and ensure the reliability of our critical systems. After all, they should be the ones most capable and best positioned to mitigate cyber risks and be the stewards of our digital ecosystem.    

If a vendor repeatedly proves itself incapable of defending its customers — as Microsoft has done — that vendor should be held entirely responsible. As the world’s largest customer, the U.S. government must use its purchasing power to foster a competitive and diverse marketplace of cybersecurity providers which, as the CSRB’s report found, maintain security controls that Microsoft does not. Federal agencies — and ultimately the American people — shouldn’t have to continue suffering the consequences of cyberattacks when Microsoft’s technology repeatedly fails them.   

Finally, to avoid repeating past mistakes, the U.S. government should seek to understand how it got to this point and what it can do differently to ensure a more resilient and secure future. This means thoroughly examining how it allowed a single vendor to establish the monopoly-like position that Microsoft holds in today’s public sector market. The short-term incentives for renewing contracts with Microsoft, such as perceived inconvenience or risks of transitioning to other vendors’ products, aren’t sufficient reasons for maintaining the status quo (remember those two fundamental shifts called for in the NCS, specifically realigning incentives to favor long-term investments).   

The U.S. government needs to focus on long-term care by shifting its IT procurement process to foster a more competitive environment that incentivizes innovation, vendor diversity, interoperability and security. Improving federal cybersecurity will require long-term efforts and vision. To build a secure future, it is critical that the U.S. government invest in a resilient, defensible digital ecosystem by rewarding security and promoting collaboration — the opposite of letting Microsoft’s insecure monoculture continue.   

When the smoke rises and the alarms ring out, it’s reckless to silence the warning and return to business as usual. Having already heard from Microsoft, the U.S. government needs to now show Americans how it will walk the talk called for in its NCS by triaging its digital ecosystem, rebalancing the responsibility to defend against cyber threats, and leveraging its purchasing power to drive long-term security investments.    

This should be a turning point for IT modernization and cybersecurity in the U.S. government. As the NCS notes, “The United States has an opportunity to rebalance the incentives necessary to lay a stronger, more resilient foundation on which to build the future of our digital ecosystem.” Now is the moment for the U.S. government to lead by example and show Americans — and governments worldwide — how that is done.     

Cory Simpson is the CEO of Gray Space Strategies, a professional services and strategic advisory firm based in Washington, D.C., and the Institute for Critical Infrastructure Technology (ICIT), a nonprofit, nonpartisan, 501(c)3 think tank dedicated to improving the security and resilience of critical infrastructure that provides for people’s foundational needs. He also serves as a Senior Advisor to the Cyberspace Solarium Commission 2.0. The opinions expressed in this article are his own and do not reflect the views of any employer or affiliated organization.

Copyright © 2024 Federal News Network. All rights reserved.
