White House cyber policy director calls Microsoft a security threat

In recent years, Microsoft’s actions have come under scrutiny globally, be it acquisitions, eliminating competition, or reportedly unfair practices. And a recent statement by a White House cyber policy director calling Microsoft a national security threat has been getting a lot of attention.

In an interview with The Register, AJ Grotto, a former senior White House cyber policy director, claims that Microsoft owns 85% of the market for federal government’s productivity software service and an even higher share when it comes to operating systems, making them a dominant supplier of IT services for the federal government.

Grotto goes on to say,

It gives them an awful lot of leverage over the government when it comes to negotiating terms because the government can’t easily walk away from a vendor it’s so reliant upon. You know, Microsoft, in many ways, has the government locked in. And so, it’s able to transfer a lot of these costs associated with security breaches over to its customers, including the federal government.

When asked if Microsoft is at all concerned about the recent episodes and is willing to change, Grotto highlighted that the Redmond-based tech giant has a lot of leverage. He recalled the SolarWinds episode and Microsoft’s actions that followed.

If you go back to the SolarWinds episode from a few years ago, Microsoft was essentially up-selling logging capability to federal agencies. As a result, it was really hard for agencies to identify their exposure to the SolarWinds breach.

For the unversed, Microsoft’s default security and service package for federal agencies didn’t include logging capabilities earlier. This led to an 18-month-long negotiation between Microsoft and the government, which ultimately led to the former providing default logging.

Grotto believes that it shouldn’t have taken Microsoft this long, given it’s the largest cyber security service provider globally and reported $20 billion in revenue in security services last year, double from the year before. He calls providing default logging capabilities to the federal agencies a non-concession.

When asked if he believes Microsoft is a national security threat, Grotto said,

Given Microsoft’s dominance not just within the federal governemnt but really in, sort of, the broader IT market place, I think it is fair to say that systematic compromises that affect Microsoft and its products do rise to the level of national security risk.

Government must focus on encouraging and catalyzing competition

Former White House cyber policy director AJ Grotto believes the government must encourage and catalyze competition.

What has enabled Microsoft to pass more risk than it should on to its customers is that fact that it has, in many cases, the customers locked in, with the federal governemnt being no different because switching costs are just so high.

Grotto goes on to underline the security benefits of having a diversified software base as opposed to relying on a single or dominant vendor. With the latter, you always run the risk of facing massive issues if a problem emerges with the vendor’s products as it scales up.

But switching to alternatives also comes at a cost and isn’t as straightforward as many would imagine. First comes the price of the new product, followed by the time and expense of training the workforce, and many would have a hard time with the transition.

While elaborating on what changes could help get Microsoft to improve the security infrastructure, Grotto called for higher scrutiny of Microsoft’s actions and holding it to account through media or Congressional action hearings. And then he goes on to highlight another side of the situation,

At the end of the day, Microsoft, any company, is going to respond most directly to market incentives. Unless this scrutiny generates changed behavior among its customers who might want to look elsewhere, then the incentives for Microsoft to change are not going to be as strong as they should be.

Everything AJ Grotto revealed is in line with the information already available in the public domain, and cyber experts have repeatedly raised concerns about it. Recently, we reported about the US government not sanctioning Microsoft for its security failures.

Although some government customers have moved away from Microsoft, the bigger picture remains pretty much the same. It will be exciting to see how things pan out, whether Microsoft benefits from the leverage it holds or the government finally sees more potential in the alternatives.

What do you think about Microsoft being called a national security threat? Share with our readers in the comments section.