Experts Highlight Continued Software Vulnerabilities
SIGNAL Media is reaching out to Microsoft Corp. for comment and this article will be updated accordingly.
This spring, the governments of the United States, Australia, Canada, New Zealand and the United Kingdom issued an advisory detailing the 15 worst digital vulnerabilities exploited by cyber attackers in 2021, finding that nine of those came from Microsoft Corp. Several times this year—and as recently as this month—Microsoft had to release updates to address new vulnerabilities in its software, weaknesses that attackers can exploit to take control of an affected system or network. The consistent prominence of these cybersecurity deficiencies, along with Microsoft’s dependence on China for revenue and the U.S. government’s heavy reliance on the company’s products, gives cyber and national security experts considerable cause for alarm.
“I actually think there are two Microsoft problems,” says homeland security and cybersecurity consultant Paul Rosenzweig, founder of Red Branch Consulting and previous deputy assistant secretary for Policy, U.S. Department of Homeland Security (DHS). “One of the problems is the dependency of the federal government on Microsoft systems and the fact that we're essentially wanting a monoculture. And so, a vulnerability in Microsoft is a vulnerability in something like 85% of all federal computers. The other problem is Microsoft's dependence on China for a significant fraction of its business. From my perspective, the fact that the two [issues] are happening at the same time, with the same company, that exacerbates the problem.”
“What alarms me more than anything else is, especially from a marketplace perspective, is that a company that quite frankly does not have a very good record on security does not seem to be losing market share for its products as a result,” said Steve Weber, professor, Graduate School Program, School of Information, University of California, Berkeley, and author of numerous books, including, The End of Arrogance: America in the Global Competition of Ideas and The Success of Open Source. “Markets don't seem to be really functioning to put pressure on Microsoft to do better on this score, because their enterprise software is embedded in many different organizations, different companies and in the government in particular.”
“The caveat is that there's no such thing as perfect security,” explained Andrew Grotto, the William J. Perry International Security Fellow at Stanford University and the founding director of the Program on Geopolitics, Technology and Governance at the Stanford Cyber Policy Center. Grotto also is Stanford’s faculty lead for the Cyber Policy and Security specialization in its Ford Dorsey Master program in International Policy. “Systems, despite best efforts, can still have vulnerabilities that emerge. So, the standard isn't perfection. I do think it's fair to compare the prevalence and severity of vulnerabilities affecting Microsoft products with [other] vendors, and clearly, Microsoft, by any objective measure, falls short.”
Weber stipulated that as bad as the cyber risks are to the government, it has not yet been enough for procurement organizations to change course. “When working inside of a big organization with an IT [information technology] department that is really stretched, procurement folks who are buying enterprise software packages, they are kind of creatures of inertia,” Weber stated. “I don't mean to be criticizing them for that, as they have incredibly hard jobs. But the last thing they want to do is make a big change. In some sense, the security situation has not become so bad and so expensive and so profound that it's going to force them to make that big change.”
When purchasing software products, U.S. procurement officials should be concerned foremost with price and security. Instead, they are selecting the easiest route, Rosenzweig opined. “What they really care about is ease of installation, backward compatibility, and ‘will it mess up my enterprise,’ and ‘what are my transition costs if I change to a better thing?’ It's the incumbent effect to the nines.”
Moreover, being the incumbent software provider has allowed Microsoft to dominate the market even with the tremendous vulnerabilities in its products. “The real proof point is that if people really were concerned about vulnerabilities, they'd be getting out and they're not,” Rosenzweig emphasized. “CISA [The Cybersecurity and Infrastructure Security Agency] identified that of the top 15 vulnerabilities, nine were Microsoft. And if people are not running from Microsoft after [that], it is abundantly clear that security is not the number one concern in the federal government.”
And although Microsoft may no longer be conducting the predatory market actions that it did in the early 2000s, its monopolistic qualities remain, Weber said, venturing that could be one of the reasons for its chronic software deficiencies—in addition to its unwieldy, aged code base. “Monopolistic-tending organizations, they just get a little sloppy,” he noted. “And part of it is they are dealing with this legacy code base that goes back to an era where cybersecurity just was not as important. So, I think it's a combination of things.”
Grotto also cites the company’s code as an issue that remains despite Microsoft’s efforts.
“Microsoft has this legacy code base that its products are built on, which we know from relatively recent history going back 15 years, has some pretty significant architectural problems,” he stressed. “Microsoft put a ton of money and effort into trying to shore that code back up, but I think it still must be part of the problem. It is expensive to re-engineer a product line as complex as Microsoft's various offerings, but it may well come to that in the future.”
The experts stressed that while federal cybersecurity officials in the White House and at CISA are doing more to protect the country against cyber attacks, it shouldn’t be the government’s responsibility to always have to handle Microsoft’s tremendously deficient products. “They have really doubled down on transparency; their vulnerability reports have improved substantially,” Weber said. “They're fighting, they're out there, and testifying before Congress, using their bully pulpit. But in the best of all possible worlds, I'd like to see a push for a different kind of procurement. I would like to see federal agencies take the attitude of, ‘the current the status quo is unacceptable, and we can't continue to live with this.’”
Rosenzweig said, “It shouldn't have to be on CISA. It should be on the vendor. I'll be clear. Nobody should expect the vendor to give you a perfect product because in our space that's impossible. And there will always be a need for CISA and Defense Department [protections], but we should expect the vendor to give us the best product that they can. That's true of Microsoft Office 365, and it's true of anything else we purchase. The vendors should know that they have to provide the best product they can.”
Additionally, the government should harness its weight as such a large procurement body and call for more competition to begin to get away from relying on a monopolistic vendor.
“The government is a lead user and procurer, and they don't always buy the most cutting-edge products obviously, but they set standards for what other marketplace participants are likely to do and what they can do,” the Berkeley graduate school professor said. “When 85% of productivity collaboration software inside the U.S. federal government is Microsoft, that's too high. The federal government [could] adopt a policy of saying, ‘we want to encourage a non-monoculture environment; we want to enhance competition and to do that, we're going to absorb some upfront costs of switching half our agencies over to some other provider.’ And then run a competition and two or three years down the road see who's done better from a security and usability perspective. I think it would enhance the marketplace forces. This is one of the places where the government really should lead rather than follow. That's a big ask particularly right now, but somebody's got to lead, and it's often the case that the government is in a position to do that.”
Procurement efforts could begin to bring competition into enterprise solutions by conducting subsidized experiments in particular agencies with different vendors, Weber suggested. A subsidy would give organizations a reprieve from the initial cost concerns of having to switch vendors.
Having a cost-competitive product is another way that helps Microsoft continue to dominate. It is a method that China’s Huawei is using to achieve global market share, Rosenzweig pointed out. “Maybe Microsoft is cheaper too, which would be a reason [the government is choosing the software],” he said. “That is why Huawei is winning all the battles outside of the United States. It is the only product that gets sold because they flood the market with their sloppy, cheap goods.”
The ironic part is that amidst its great security lapses, Microsoft is growing its billion-dollar security practice. “Microsoft has a $15 billion a year security business now,” Grotto shared. “That is up from about $10 billion last year, and I think that $10 billion figure was up 40% from the year before. This is a real area of revenue growth for Microsoft, and it's got to be a really exciting point for Microsoft shareholders to have this new revenue stream. What gets tricky from a security perspective is that it creates an incentive within the company to try and monetize security. It does give Microsoft a strong incentive to try to upsell security, with the default offerings that are rather weak on security and their ability to kind of get away with that.”
Moreover, Microsoft’s dependence on China as part of the company’s business model is problematic. “Most American tech companies have some business with China,” Rosenzweig acknowledged. “There are a few exceptions. Google pretty much has left, but Amazon Web Services has data centers. Intel is trying to stop building its chips there, but they can't. But of all the major players in the hardware and software manufacturing space, Microsoft has more invested in China qualitatively than the others. I've seen estimates that say as high as 10% of their revenue comes from China. I think they have four cloud server farms, and they said they are going to open more, so they're still moving in when others are moving out of China.”
More alarming are the apparent concessions that Microsoft has agreed to with the People’s Republic of China (PRC) to conduct business in that country—especially since the PRC has given itself legal authority to have industry do its bidding, Grotto stressed. “We have seen examples where even if the corporate entities resist or try to fight some instance of compelled disclosure, the PRC is able to find someone in the organization to do their bidding for them by virtue of them being in the country.”
Rosenzweig points to steps Microsoft has already taken to appease the PRC. “Since the last decade, as a condition of doing business there, they've agreed to share some of their source code with China,” he stated. “And there is no proof point, but one has suspicions that it is a cause of the Chinese hacking. And we clearly have seen evidence of them editing [their software] to please the Chinese. Things like the Bing [search engine] not pulling up Tiananmen Square if you use it in China. And for a while, they even edited it out of searches outside of China until they got too much blowback.”
Microsoft also agreed to have personnel from China sit on the company’s China-based boards.
“The linkage between Microsoft's dependence on China and the compromises they've had to make, those are significant,” Rosenzweig warns.
In terms of solutions, Weber advised U.S. officials to factor cyber vulnerability costs into purchase or relicensing decisions when using Microsoft as a vendor. “I always advise against monocultures,” he stated. “They are really attractive because it is easy to manage, but don't overlook the security costs. You are basically putting yourself in a position where you have a single point of failure and that's never a good thing. And in this case, it's really a bad thing.”
Enough federal agencies—civilian and military—need to raise concerns about the Microsoft problem, Stanford’s professor added, so that it is treated as a much bigger governmentwide problem. “The federal government has the ability to intervene in the marketplace, specifically through federal procurement,” Grotto noted. “That is one area where we need to demand more security from our vendors—Microsoft or any other vendor—and put a premium on products that are more secure.”
Without competition, Grotto is pessimistic about Microsoft actually changing its stance and improving its products. “The fact that there is no competition makes me unfortunately rather bearish on Microsoft's ability to turn the ship around in the near term. Maybe in the medium-to-long term, if there is more competition, they'll feel more heat and their products will get better. Absent competition, we are not likely to see real shifts in the prevalence of Microsoft vulnerabilities.”