Microsoft’s anticompetitive behavior weakens its customers’ cybersecurity

If left unchecked, Microsoft’s practices will become the industry standard, clearing the path for other providers to harm customers and weaken their defenses.

“I just don’t trust what you’re saying.”

That was how Rep. Carlos Gimenez (R-Fla.) captured the general sentiment when the House Homeland Security Committee questioned Microsoft Vice Chairman and President Brad Smith on the company’s “cascade of security failures.” During the high-profile hearing, real answers were few and far between.

It was a surprising spotlight on a company that has flown under the radar for decades. Many might recall the “Browser Wars” of the 1990s when Microsoft illegally leveraged its dominance in desktop operating systems to gain a foothold in internet browsers. As scrutiny of the company’s cyber practices heats up on Capitol Hill, more are realizing that Microsoft is using that same playbook today — but even they don’t recognize to what extent.

Disguised as the invisible tech behemoth, Microsoft is leveraging its dominant position in desktop operating and productivity software to lock customers in the cloud. It’s a new take on the same problem, but now customers’ security is threatened. When Microsoft software is vulnerable, the global impact is almost incalculable.

The cloud was built to offer customers pay-as-you-go choice and flexibility. Instead, Microsoft is doubling down on the restrictive licensing models that made products like Windows and Office ubiquitous in the workplace to drive the growth of Azure and its other business units, including security.

At Azure’s launch, Microsoft’s “bring your own license” agreements allowed customers to use their existing Microsoft software licenses on other clouds, including the company’s major competitors — Alibaba, Amazon and Google. In 2019, Microsoft reversed course to compel customers to use Azure. There was suddenly no viable option for customers to run Microsoft software on another cloud without forfeiting their existing license for a new subscription.

Microsoft imposed these restrictions and began charging customers more to use major competitors over Azure. On average, Microsoft customers using alternative cloud providers pay 20% more than they did before 2019. One customer reported a $100 million increase. In Europe, an analysis showed customers pay more than €1 billion annually to run Microsoft software on the competitor cloud of their choice.

Microsoft also tied more software products to its Microsoft 365 cloud-based Office product and limited the integration capabilities of competing products despite no technical imperative. Today, the company has used its growing suite of interdependent products to successfully entrench itself in emerging technology sectors. For security, this is another threat. Microsoft has essentially removed the market mechanism for improving security in favor of creating dependency on its offerings.

The high-profile cyber hacks that led to the hearing underscore the risks of this approach. The Department of Homeland Security (DHS) Cyber Safety Review Board (CSRB) report on Microsoft’s Summer 2023 hack, which allowed Chinese actors access to government officials’ emails, found that licensing restrictions worsened the breach. The report prompted the question: How big is the government’s Microsoft problem?

When asked by Rep. Delia Ramirez (D-Ill.) how Microsoft ensures its bundling practices do not limit the ability of customers to prioritize security, Smith said he was “not aware” of any practices that limit what its customers can do in terms of security protections.

In reality, Microsoft implements licensing tactics that create reliance on its technology and lock customers, including the U.S. government, into an insecure environment that jeopardizes national security. This is a big problem, and these practices have limited customer choice and competition for years.

In the weeks following the House Homeland Security hearing, the European Commission (EC) charged Microsoft with antitrust violations for tying Teams with Office 365 and Microsoft 365 as part of an investigation that has been ongoing since 2023. The EC is also probing Microsoft for preventing customers from using competitors’ services, including cybersecurity solutions like identity and access management software.

In March 2023, German antitrust regulators opened an investigation into Microsoft’s disproportionate power across markets. Months later, the U.K. Competition and Markets Authority (CMA) announced a market investigation, including examining restrictive software licensing. In its June 2024 interim reports, the CMA announced its emerging view that “Microsoft’s licensing practices may affect customers’ choice of cloud provider.”

To date, Microsoft has not resolved these concerns. And why would they, when the company’s stock price has continued to climb and it is awarded large government contracts, or when the company escapes regulatory action by making closed-door deals with a handful of providers — that cost them less than half CEO Satya Nadella’s yearly salary?

Regulators must disincentivize this consistently bad behavior if a change is to be expected.

If left unchecked, Microsoft’s practices will become the industry standard, clearing the path for other providers to harm customers and weaken their defenses. Indeed, there are already indications that the model set by Microsoft has taken hold. Oracle forces customers into licensing agreements they do not need or want, and customers have raised alarms about Broadcom’s changes to the licensing terms of VMware products that limit affordable cloud services.

Global regulators have begun to take notice of the impact of Microsoft’s licensing practices. It is now time for U.S. regulators to do the same: to examine Microsoft’s behavior more closely, listen to customers’ and providers’ experiences, and outline the impact on choice and competition in the cloud stack. Only then will the picture become clear — they just cannot trust what Microsoft is saying.

Ryan Triplette is the Executive Director of the Coalition for Fair Software Licensing, a North American-based initiative seeking to unlock greater customer choice, innovation and security in the cloud.

Copyright © 2024 Federal News Network. All rights reserved.