The old issue of software licensing comes up anew in a hearing


Next month, Microsoft president Brad Smith will appear before the House Homeland Security Committee. He’ll answer questions about the company’s recent nation-state cyberattacks and new internal security strategy. This follows a Homeland Security report highlighting some of the flaws. Could licensing practices be a cause? That’s the feeling of groups like the Coalition for Fair Software Licensing. To find out why, on the Federal Drive with Tom Temin, Federal News Network’s Eric White spoke to the group’s executive director, Ryan Triplette.

Interview Transcript: 

Ryan Triplette Well, I think the biggest concern fundamentally, where the coalition comes from is we’re always looking at the software licensing practices of any technology provider. And the importance of these technology providers to ensure that customers have the ability to license or to access these products in a predictable, reliable manner, that they understand the costs, that when they talk to their providers, that they understand that they’re going to be able to access and use them in the ecosystem they understand to predict. But also, that they’re going to be able to have that technology interoperate and integrate with the other technology that they use, especially when it comes to cybersecurity. In the case of Microsoft, we’ve been concerned for some time, because, unfortunately, an increasing number of customers are feeling that they’re being given a choice of either take it all or really take nothing. And what that creates is a kind of a pretty vast and broad single surface of attack. And unfortunately, it’s something that we have seen, not just with the breach in July of 2023, but also with more recent news with the Russian breach. So it’s something that we’re concerned about. Fundamentally, we’re always looking at this from the perspective of ensuring competition. And, customers and other providers out there are able to compete on a fair and balanced playing field, but also that customers can really access the best in breed technologies to be able to address the new security questions and the new potential vulnerabilities that they’re being exposed to on a day-to-day basis.

Eric White I’m going to throw your own words at you here from the statement that you all issued regarding the Microsoft issue, that includes a term vendor lock-in of Microsoft security products and subsequent overreliance on its cloud and productivity tools. What does vendor lock-in mean to a person, I’m just a customer here, so what does that mean?

Ryan Triplette Vendor lock-in. It actually can mean a couple of different things from a customer perspective. If you’re a customer, a vendor lock-in can mean, ok, so I’m going through my digital transformation process. I have historically used a certain provider, be it Microsoft, be it Oracle, be it SAP. Any of the providers you can think of. And as you’re looking at the cloud transformation process that you want to be able to access, really effectively, make the most of that cloud transformation, you want to be able to access everything, throughout the cloud stack that will meet your needs. But because of the software licensing practices that you’re being forced into some of your legacy providers, in the case of Microsoft, this has been an extremely heavy government reliance on Microsoft in Office 365 products. This isn’t actually just within the U.S. federal government, this is really kind of across the board in both commercial sector and the public sector. It’s something that whether it’s Excel, whether it’s doc or whatever, you have this huge reliance on that. But that reliance on those products shouldn’t dictate what cloud I’m running on, what cybersecurity products I’m running on, what identity and access management I’m using, everything that really is also integral to make sure that you are able to operate in this fully digital transfer, transformation environment. But unfortunately, we are seeing because of these licensing practices, you have licenses for the Microsoft in office products, discounts being conditioned on running on certain cloud environments. You get the discounts if you go over to Azure, you don’t if you go over to other competitors, but also when you’re looking at ensuring that you have access to different products, whether it’s your communication, collaboration, whether it’s different cyber security product. Really being told, ok, well, if you want to be able to access the Microsoft Office at this level, you have to take the rest of these. We have to take the rest of these products.

Eric White We’re speaking with Ryan Triplette. She’s the executive director of the Coalition for Fair Software Licensing. All right. So allow me to, I guess, play devil’s advocate here. So Microsoft, they have a series of products. What is wrong with them saying, hey these are our products, take them or leave them. And if you want to use our services and our ideas, you’re going to have to also take our security factors, even if they’re not up to your standard.

Ryan Triplette Fundamentally, I would say, what’s wrong with that, it runs afoul of our competition laws. So that’s first and foremost, in terms of there’s this little thing that the U.S. government doesn’t look keenly upon, buying of these products and having that conditioning the sales of one product on another. But it’s fundamentally also from a customer, and especially in the current environment in which we are operating. You really do want to ensure that you’re able to address your customer’s needs. Frankly, when it comes to cyber security products, having the being forced to take one cyber secure, cyber security solution, and being told, ok, well, it isn’t going to necessarily interoperate or integrate well with other providers, and especially with other providers that may have you’ve historically used that have certainly worked well. It also runs contrary to all the cyber resiliency recommendations that have come out over the years, where you want to ensure you have a diversity of technology providers because they’re going to address different vulnerabilities throughout the cloud stack, because they’re going to be able to catch different issues or penetrations into your system. This is important. It’s important that you have that diversity. It’s important that as a customer, you’re not being forced out of having that choice and really being able to access the best in breed to access those technologies that address the specific needs of your system. Whether in a government agency, whether I’m a financial service provider, whether my health care provider, there are different things that you’re going to need, and you need to be able to ensure that all of these different systems talk and work together.

Eric White Yeah, it is kind of odd because typically you see a lot of collaboration, even business to business in the cybersecurity world because, companies are usually happy, like, oh, thank you. You’ve solved this problem for us, we don’t have to worry about it.

Ryan Triplette Historically, the cybersecurity industry really has worked well, and kind of going back to the promise of the cloud. One of the beauties of the promise of the cloud has always been that, as a customer, there’s almost kind of a limitless area of niche offerings that you can provide up here, not whether it is redressing different vulnerabilities, backtracking and identifying where they come from, proactively identifying where you’re having penetration, you can have different companies that specialize in that space, but also beyond even cyber security products. So it’s the same with communication, collaboration with identity and access management really through everything. And historically and really, I would argue up until more recent years when you did begin to see an increasing amount of this vertical integration, especially with a company like Microsoft where it’s really owning that entirety of the cloud stack historically, and especially, I would say prior to 2019, you did have a lot of these integrations and working really well across different companies. And I do think it’s something that the less you listen to your customers, and that they’re calling for this or calling for their different providers to partner and work well together. And the more you’re telling them, no, no, no, you have to do it on our terms, on a take it or leave it basis, only have everything with us, or you can’t really do anything at all. It’s really disconcerting, and especially, as customers are struggling to anticipate what the future is going to bring, and especially this is raising more concerns when we’re looking at AI offerings really being the next generation coming up.

Eric White Gotcha. All right. And I’d also like to take a moment, we’ve done a lot of talk about niches. And speaking of niches, the Coalition for Fair Software Licensing, that is quite a niche to have a coalition around itself. Can you tell me a little bit about your group and how you all came together and what makes this such a passionate issue for you?

Ryan Triplette Absolutely. Well, yes, it’s definitely a niche area. I will tell you, if you are a technologist or an engineer or you probably do want me at your dinner table, if you’re not, I’m a little boring to some other people. But software licensing our membership is over 20 companies, North American based, that are all committed to ensuring and have committed to a series of nine principles, really built around the base of fair and predictable software licensing practices. Our membership includes technology providers, as well as technology customers. We do think that’s important, and where we’re very distinct from other organizations out there, and that we do represent both sides. We’re not just an organization that is just technology providers and only speaking from the perspective of that. We do have our customer perspective. So we make sure that when we’re taking positions, we’re reflecting that kind of holistic universe of issues. And why is software licensing. Well, I will tell you, I’ve always had a passion for the obscure. And especially when it comes to the intersection of intellectual property and competition issues. It really sits at the base of a range of innovation, issues that have driven the past, I would say decade plus of questions. And especially when you’re looking at software licensing and questions of customer choice, we’re talking about the contracts. It really doesn’t, like you said, it doesn’t get much more niche. It doesn’t get much more gritty or esoteric, but also it doesn’t get much more important. These are contracts, if you’re talking about the federal government, you’re talking about contracts that have a lot of zeros behind them.

Copyright © 2024 Federal News Network. All rights reserved.
