Exclusive: Microsoft could reap more than $150 million in new U.S. cyber spending, upsetting some lawmakers
March 15, 2021 | By Joseph Menn, Christopher Bing and Raphael Satter
SAN FRANCISCO/WASHINGTON (Reuters) -
Microsoft stands to receive nearly a quarter of Covid relief funds
destined for U.S. cybersecurity defenders, sources told Reuters,
angering some lawmakers who don't want to increase funding for a company
whose software was recently at the heart of two big hacks.
Congress allocated the funds at issue in the COVID relief bill signed on
Thursday after two enormous cyberattacks leveraged weaknesses in
Microsoft products to reach into computer networks at federal and local
agencies and tens of thousands of companies. One breach attributed to
Russia in December grabbed emails from the Justice Department, Commerce
Department and Treasury Department.
The hacks pose a significant national security threat, frustrating
lawmakers who say Microsoft's faulty software is making it more
profitable.
"If the only solution to a major breach in which hackers exploited a
design flaw long ignored by Microsoft is to give Microsoft more money,
the government needs to reevaluate its dependence on Microsoft," said
Oregon Senator Ron Wyden, a leading Democrat on the intelligence
committee.
"The government should not be rewarding a company that sold it insecure
software with even bigger government contracts."
Microsoft previously said it prioritizes fixing attacks that it sees in
wide use.
A draft spending plan by the Cybersecurity and Infrastructure Security
Agency (CISA) allocates more than $150 million of its new $650 million in
funding to a "secure cloud platform," according to documents seen by
Reuters and people familiar with the matter.
More precisely, the money has been budgeted for Microsoft, according to
four people briefed on the choice, largely to help other federal
agencies upgrade their existing Microsoft deals to improve security of
their cloud systems.
A CISA spokesman declined to comment.
A key service Microsoft provides, known as activity logging, allows its
clients to keep watch on data traffic within their part of the cloud and
spot inconsistencies that could reveal hackers at work.
Officials have sought access to Microsoft's premium tracking capability
after discovering the lack of logs made it much harder to investigate
recent hacks tied to nation states.
Microsoft said Sunday that while all its cloud products have security
features, "larger organizations may require more advanced capabilities
such as a greater depth of security logs and the ability to investigate
those logs and take action." It did not address the fairness issues
raised by lawmakers.
A Microsoft logo is seen on an office building in New York City on
July 28, 2015. REUTERS/Mike Segar/File Photo
While some senior U.S. cyber officials feel they have no choice but to pay up,
Wyden and three other lawmakers have publicly raised concerns about the plan.
'RAW DEAL'
Most major software has been penetrated by well-financed teams of hackers at one
time or another, but the ubiquity of Microsoft's products makes it a prime
target.
The alleged Russian spying campaign, best known for exploiting software from
SolarWinds, hit nine government agencies and 100 private companies, many of
which were compromised through manipulation of a Microsoft system.
More recent sprawling hacks into tens of thousands of servers around the world
running Microsoft Exchange by a handful of attackers, including some tied to the
Chinese government, relied on four previously unknown flaws in the way those
servers handled web versions of Outlook email. China has denied backing the
attacks.
In a hearing on the SolarWinds breach Feb. 26, Rhode Island Congressman Jim
Langevin challenged Microsoft President Brad Smith about charging extra for
logging, asking: “Is this a profit center for Microsoft, or is it a service
being provided at cost to the customers?”
“We are a for-profit company,” Smith responded. “Everything we do is designed to
generate a return, other than our philanthropic work.”
Microsoft has turned security offerings into a significant source of revenue,
with the business generating $10 billion annually, up 40% from the previous
year.
Rep. Dutch Ruppersberger of the House appropriations committee said Congress
must look into "why security is an afterthought in the procurement process" and
move away from approving only the lowest bidders.
The government could impose new regulations, said Curtis Dukes, a former head of
the defensive mission at the National Security Agency now at the nonprofit
Center for Internet Security, which works closely with CISA. “Maybe with
additional size, vendors should have to do more.”
(Reporting by Joseph Menn in San Francisco and Christopher Bing and Raphael
Satter in Washington; Editing by Chris Sanders and Edward Tobin)
© 2021 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.