Microsoft views security as an inconvenience rather than a must-have necessity, according to former White House cyber and counter-terrorism advisor Tom Bossert.

Chinese actors' success against Redmond's products draws a frustrated political response

Former White House cyber and counter-terrorism expert contends that Microsoft perceives security as an inconvenience rather than a necessity

Microsoft's extensive business operations in China and its questionable security record have sparked significant national security concerns, particularly surrounding the protection of U.S. government data and cybersecurity vulnerabilities.

Roger Cressey, a former senior cybersecurity and counter-terrorism advisor to two U.S. presidents, has expressed his apprehension about Microsoft's security shortcomings. Cressey suggests that a comprehensive security audit should be conducted on Microsoft before it is eligible for future procurement, due to the latest Exchange Server bug that can lead to 'total domain compromise'.

The concerns revolve around Microsoft’s vulnerability disclosure and collaboration practices, incidents of breaches by Chinese state-backed hackers, and potential compliance with Chinese intelligence laws. For instance, Microsoft’s Active Protections Program (MAPP), which provides trusted security partners early access to vulnerability details, includes Chinese companies. This practice has raised alarms about the possibility that Chinese security researchers (and thus the Chinese government) could exploit detailed vulnerability information to launch sophisticated attacks against U.S. infrastructure.

Moreover, Microsoft has reportedly allowed Chinese engineers to work on sensitive U.S. military cloud projects under lax subcontractor oversight, increasing risks of intellectual property theft or espionage. Chinese state-affiliated threat groups have actively exploited Microsoft vulnerabilities in products like SharePoint and Exchange to access sensitive U.S. government and corporate data.

Microsoft's security culture and practices have been criticized as inadequate, with calls for an overhaul and rapid cultural change led by executive leadership. The company has faced congressional scrutiny over these issues, especially regarding its operations in China, with concerns that Chinese national intelligence laws could compel Microsoft to share data or code under pressure.

Microsoft's business model involving complex software licensing can also lock federal agencies into its ecosystem even after breaches, potentially increasing dependency despite security risks.

In an effort to address these concerns, Microsoft has publicly committed to making security reforms and transparency improvements, including sharing plans with specific timelines to strengthen its security posture. The Microsoft Security Response Center actively monitors and addresses exploitation attempts against on-premises SharePoint and other products, responding to emerging threats from sophisticated groups.

U.S. lawmakers have conducted hearings questioning Microsoft executives, particularly regarding business in China and associated security risks, aiming for greater oversight and accountability. Experts and former White House cybersecurity officials have repeatedly called for fundamental changes in how Microsoft handles security, emphasizing that its pervasive use in federal infrastructure makes any lapses a critical national security threat.

Senate Intelligence Committee Chair Tom Cotton has sent a letter urging the Defense Secretary to ban non-US citizens from accessing Department of Defense systems and requested a briefing about any security vulnerabilities in the DOD's contracts and software related to "Microsoft's business dealings in China."

Cressey compares Microsoft's role in cybersecurity to Pakistan's role in counter-terrorism, suggesting that its negligence could pose a significant risk to national security, especially in the event of hostilities, when Chinese actors may target critical infrastructure through Microsoft products due to their widespread use and vulnerability.

As Microsoft continues to grapple with these issues, it remains to be seen whether the Trump administration will hold the tech giant accountable for its security failures and whether the company will make the necessary changes to ensure the protection of U.S. data and infrastructure.

  1. Roger Cressey, a former senior advisor, suggests that Microsoft should undergo a comprehensive security audit before being considered for future procurement, due to concerns about Microsoft's vulnerability disclosure practices, possible breaches by Chinese state-backed hackers, and potential compliance with Chinese intelligence laws.
  2. Experts and former White House officials have repeatedly emphasized the need for fundamental changes in how Microsoft handles security, as its pervasive use in federal infrastructure makes any lapses a critical national security threat.
  3. Microsoft's business model has been criticized for potentially locking federal agencies into its ecosystem even after breaches, increasing dependency despite the associated security risks.
  4. Senate Intelligence Committee Chair Tom Cotton has called for a ban on non-US citizens accessing Department of Defense systems and requested a briefing about any security vulnerabilities in the DOD's contracts and software related to "Microsoft's business dealings in China."
  5. The Cyber Safety Review Board has published a report on Microsoft's security culture and practices, detailing concerns about Microsoft's security posture, vulnerability disclosure practices, and past breaches by Chinese state-backed hackers.
