How Microsoft's DoD Monopoly Threatens National Security
I'll never forget my first day at a nonexistent cyberwarfare organization. A Fortune 100 company was presenting a Microsoft vulnerability they had supposedly discovered, exploited, and commercialized with the casualness of someone selling accounting software. The PowerPoint presentation highlighted how easily Microsoft software could be compromised – which would be beneficial assuming the "bad guys" were the only targets.
Fast forward a decade, and in a twist of irony, Microsoft’s vulnerabilities have come back to haunt them. The bombshell March 2024 report from the U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) outlines the “cascade of security failures” that led to both Russian and Chinese compromises of Microsoft’s network.
Even more alarming for national security, the CSRB reported that Microsoft has no idea how or when Chinese intelligence obtained the signing key that grants "full access to essentially any Exchange Online account anywhere in the world." This raises the critical question: Are the Chinese still embedded in Microsoft's network? It appears that Microsoft might not even be able to answer that. Anyone with basic cyberwarfare training knows that persistence is crucial, and China has had ample time to establish and maintain that persistence.
Instead of holding Microsoft accountable, the DoD Chief Information Officer is advocating for the entire DoD to upgrade to a more expensive version of Microsoft 365 by June 3, 2024, citing its “best-in-class productivity applications with advanced security,” according to Axios. This decision to further entrench the DoD in Microsoft's ecosystem by upgrading to more costly licenses is deeply troubling. It not only overlooks the significant security risks associated with Microsoft's products but also perpetuates a monopoly that stifles competition and innovation within the defense sector.
"It is concerning for any department to further entrench itself into Microsoft's ecosystem before the company has demonstrated that it has satisfied the recommendations of the [CSRB] report," Ryan Triplette, executive director of the Coalition for Fair Software Licensing, told Axios. Triplette also said the E5 licenses are significantly more expensive and could limit other vendors' ability to compete for contracts or assist in any government security incidents.
Microsoft's track record of security failures is well-documented. The CSRB's report on the 2023 Microsoft Exchange Online intrusion highlights a "corporate culture that deprioritized both enterprise security investments and rigorous risk management." The report reveals that Microsoft's negligence led to the compromise of senior U.S. government officials' emails, including those of the Commerce Secretary and the U.S. Ambassador to China. This breach was not an isolated incident. Microsoft's history of security lapses includes the 2021 hack by Chinese government hackers and the 2023 breach by Russian government hackers, as reported by Wired and PC Mag. These incidents underscore Microsoft's inability to safeguard sensitive data and protect national security interests.
The DoD's reliance on Microsoft's products creates a single point of failure, making it an attractive target for adversaries like China and Russia. This over-reliance on a single vendor not only heightens the risk of large-scale breaches but also limits the DoD's ability to benefit from the strengths of other cybersecurity providers. Diversifying its technology portfolio would enable the DoD to create a more resilient and secure environment, less susceptible to systemic failures.
Moreover, Microsoft's monopolistic practices stifle competition and innovation within the defense sector. By locking the DoD into its ecosystem, Microsoft discourages the development of alternative solutions that could potentially offer superior security and functionality. This lack of competition ultimately harms taxpayers and customers, who are forced to pay inflated prices for products that may not fully meet their needs.
Breaking Microsoft's monopoly in the DoD and Defense Industrial Base would benefit taxpayers and customers in several ways:
Increased Competition: Competition would drive down prices and improve the quality of products and services. The DoD's proposed plan to upgrade to Microsoft E5 licenses, as detailed in the Axios article, comes at a "significantly increased cost." Microsoft’s solution for the Defense Industrial Base, Government Community Cloud - High (GCC-High), is around $100/user/month. Since it’s built in a legacy “govcloud,” it’s subject to lower availability, as evidenced by the service’s outage on May 21, 2024. By opening up the market to other vendors, the DoD can negotiate better deals and ensure it gets the best value for taxpayer money. Competition would incentivize vendors to offer innovative solutions at competitive prices, ultimately benefiting both the DoD and taxpayers.
Improved Security: A more diverse technology portfolio would reduce the risk of large-scale breaches and improve overall security. The CSRB report emphasizes that Microsoft's security culture is inadequate and requires an overhaul. By diversifying its technology portfolio, the DoD can avoid the risks associated with relying on a single point of failure with a history of security failures. A multi-vendor approach would distribute risk and make it more difficult for attackers to exploit vulnerabilities across the entire system. Additionally, it would allow the DoD to leverage the unique strengths and specializations of different vendors, creating a more robust and adaptable security posture.
Enhanced Innovation: Innovation would be encouraged, leading to the development of new and better cybersecurity solutions. Microsoft's dominance in the DoD has stifled innovation by limiting the opportunities for other vendors to offer alternative solutions. Breaking this monopoly would create a more dynamic and competitive market, fostering innovation and driving the development of cutting-edge cybersecurity technologies. This would not only benefit the DoD but also the broader cybersecurity landscape, as new solutions and approaches emerge to address evolving threats.
Over my 20 years in the DoD and Intelligence Community, I have watched with growing concern as Microsoft's security vulnerabilities continue to jeopardize our national security. Even when Microsoft's software functions as intended, it often falls short of meeting critical mission requirements. Task & Purpose highlights this issue in an article about the Afghanistan evacuation in August 2021, where Office 365 failed to facilitate the evacuation of Hamid Karzai International Airport. Instead, they relied on Google Docs, which, according to a commander on the ground, "saved lives."
Determined to address these vulnerabilities, I became a Google partner when I started my own business. While Google is relatively new to the defense sector and invests far less in boots-on-the-ground sales consultants compared to Microsoft, they offer a far superior product in terms of national security.
It's almost comical that the DoD CIO is promoting Microsoft E5 as a Zero Trust solution while it is actively compromised by China. Google faced its own Chinese compromise in 2010 and responded by rebuilding its infrastructure from the ground up. The Zero Trust model that the DoD seeks was literally developed by Google following this compromise nearly 15 years ago. Yet, the DoD only sees Microsoft as capable of "accelerating and enhancing [DoD’s] cybersecurity posture and ability to reach Target Level ZT before FY27." This approach is baffling.
Fortunately, Google is now addressing this need. This week, they released "A More Secure Alternative," highlighting how they have developed a fundamentally different, more secure approach with Google Workspace. This approach includes a cloud-first, browser-based design, built-in zero-trust controls, and advanced AI protections that could significantly enhance the DoD's cybersecurity posture. It's challenging to combat a monopoly with market forces alone, especially one with strong ties to the DoD CIO’s office. However, I have been encouraged by helping companies move to Google Workspace and meet the same compliance standards with superior security at 40-70% less cost than GCC-High and am confident that parts of DoD would follow suit if given the opportunity.
The DoD's continued reliance on Microsoft's products is a cybersecurity risk we cannot afford to ignore. The recent draft memo suggesting DoD’s plans to purchase even more Microsoft licenses is a step in the wrong direction. It's time to break Microsoft's monopoly in the DoD and create a more competitive and secure environment that benefits taxpayers and customers alike.
Aviation and Missile Technology Consortium (AMTC) Team 2 Lead Technical Manager
6mo: That is preaching to the choir.
Visionary Cybersecurity and DoD Sales Executive: Transforming Organizations, Safeguarding Networks, and Advancing National Security | Doctorate Cybersecurity (in progress)
6mo: Interesting discussion...however it doesn't matter which vendor or network you use, the assumption is it is compromised. You don't know what you don't know...there will always be exploits and vulnerabilities we do not know about. Because of that fact you must assume your technology stack has been or will be compromised. Operating under that assumption then dictates your security actions. So there should be more discussion on how to detect issues and defend against them. The vendor argument is a lose-lose discussion. No matter what technology you use, make the assumption it has been compromised and operate accordingly. Just my 2-cents for what it's worth.
Chief Technology Officer @ United States Air Force | Technologist, Innovator, and Agile enthusiast | Passionate about coaching & mentoring the next generation
6mo: Zach Walker, interesting opinions but try to keep the fear mongering out of it next time. Show some true alternatives. I’ve looked for 12 years and there aren’t any that meet all our needs. Show me a set of companies that won’t back out when they think their tech is being used to target other countries. Show me companies that have invested in multilayered security up to TS. When you do that across the ecosystem we can talk.
Product Manager / Marketing / Blogger
6mo: In Singapore government agencies are mandated to use their GCC framework and ensure at least 3 cloud vendors can be used and interchanged... https://www.developer.tech.gov.sg/products/categories/infrastructure-and-hosting/government-on-commercial-cloud/overview.html Swapping from MS to Google for some things isn't really the solution, just swapping one vendor for another - in a lot of organizations I've seen people rip out O365 and try to force people to use Google Sheets/Docs and you end up with people emailing / downloading docs to use private copies of MS Word or Excel etc.... and if you use a mixture of vendor tools - interop and exchanging docs becomes messy and more dodgy stuff is likely to happen - see that a lot with pdf converters.....
SE - solving cyber problems
6mo: The definition of insanity…