Since 2004, October has been Cybersecurity Awareness Month. The collaborative effort between the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) is meant to bring government and industry together to raise awareness about cybersecurity issues at home and abroad. This year’s theme “See Yourself in Cyber” is an all-too-familiar one for a massive legacy technology company that has accounted for 30 percent of all vulnerabilities tracked by CISA this year yet accounts for 85 percent of U.S. government workplace collaboration systems: Microsoft. Several cybersecurity experts have spoken up and acknowledged Microsoft as the weakest link in the chain of defense against malicious threats. Even the CEOs of Tenable, SentinelOne, and CrowdStrike have come out in recent months to not just lament this legacy company’s issues but dissect the “crisis of trust” among its customers, who are increasingly at risk.
Skeptics may argue that any code base as large and as old as Microsoft’s is at risk and that organizations using their products need to get more serious about their security practices. They have a point – innovation is difficult, and some companies are slower to move than others. However, recent developments demonstrate that Microsoft needs to improve to protect its customers. This past week, CISA, the FBI, and the NSA reported that multiple hacking groups exploited vulnerabilities in Microsoft Exchange – the tech giant’s email and calendar server product – to gain “long-term access” to the server of an unnamed defense company.
You don’t have to be a cybersecurity expert to know this isn’t good news. Defense companies do everything from communicating with senior-ranking Pentagon officials to maintaining control facilities for our nation’s strategic deterrent infrastructure. In the wrong hands, data regarding these operations could undermine our defense posture and potentially put national security at risk. Even more alarming is the fact that the security agencies’ joint advisory came only days after Microsoft admitted a zero-day vulnerability in Exchange was being actively exploited by state-sponsored actors in China. The attack had the potential to impact over 200,000 servers globally, including those storing private healthcare records.
This isn’t meant simply to dump on Microsoft. However, Microsoft’s approach to not just defending against vulnerabilities, but resolving them once they’ve been identified, has put thousands of customers at risk, reiterating the fact that we need widespread change. Case in point: Microsoft took two years to resolve a zero-day flaw it knew was being actively exploited by hackers, finally releasing its own patch long after third-party security companies had stepped in with their own solutions to protect users. We’re seeing the same trend play out regarding the Exchange vulnerabilities discussed above. It took only three days for security experts to discover that Microsoft’s “mitigation recommendations” for the vulnerability were insufficient and could be bypassed. Once again, third parties stepped in with their own fixes, forcing Microsoft to update its guidance. Yet again, the updated mitigations were almost immediately bypassed. Exchange customers are now left in limbo with no proper solution in sight. These are all fixable problems.
There is palpable frustration in Washington and with owners and operators of our nation’s critical infrastructure that the monoculture of a Microsoft ecosystem has created an unacceptable security environment.
So, what’s the solution? Microsoft and other legacy tech vendors must develop better, robust cyber practices at the outset, making DevSecOps a pillar of their software development process. We must also diversify our vendors in the federal government and rid ourselves of anti-competitive bundling and licensing practices that allow legacy tech companies to amass influence without doing the work of protecting our systems.
Most importantly, we must demand change. This change comes from the way government agencies handle their procurement practices. Software products sold to the government must be as safe and secure as possible, and if vendors are unwilling or unable to meet this requirement, there should be consequences. OMB’s recently published guidance on secure software development practices is a welcome – albeit long overdue – first step in the right direction. Microsoft must take responsibility and overhaul the way it does business, and policymakers and leaders must demand more from all our cloud providers – particularly those who already control massive amounts of workplace systems. If this change doesn’t happen voluntarily, government agencies must be willing to use their procurement power with legacy IT and cloud vendors to force change.
The author, Roger W. Cressey, is a cybersecurity and counter-terrorism expert. He has served in senior positions under presidents Bill Clinton and George W. Bush and is a former member of the United States National Security Council staff. He was a Senior Vice President at Booz Allen Hamilton and is currently a partner with Liberty Group Ventures.