Microsoft is the biggest threat to U.S. National Security

This is morally indefensible, just as it would be for ... airplane manufacturers to charge for properly tightened bolts... - Alex Stamos

[Image: a person at a laptop with a surprised face, surrounded by fire and smoke. Midjourney, 2 Feb 2024: "Breaching a Microsoft system"]

That's right folks, I told you this would be irreverent.

If you are like most people, you probably grew up using Microsoft products. Why? It is the default. If you pay attention to the security news AND have the choice AND privilege, it is possible you have been trying to remove Microsoft from your life over the past few years. Why?

Before we get into why, I have to say that it is my firm belief at this point - in the year of our Gourd 2024 (thanks Cory Doctorow for that one): If you are in a position to remove Microsoft products from your personal life or business environment, you should do so as quickly as you can.

There is an old saying "Nobody gets fired for buying IBM", which is now more relevant for Microsoft products than for IBM products. This is because of the inertia of the default - everyone knows Microsoft's products and likely grew up with them professionally and personally.

But check this out: https://www.linkedin.com/pulse/microsofts-dangerous-addiction-security-revenue-alex-stamos-1ukzc/

Alex Stamos - former Facebook CSO, trust and safety expert, Stanford lecturer, and more - had this to say about the recent "breach" at Microsoft, in which a "legacy non-production test tenant" (which, btw, is Microsoft's own phrase, a meaningless string of jargon to throw us off the scent) was used to access the email of Microsoft execs:

Microsoft is using this announcement as an opportunity to upsell customers on their security products, which are apparently necessary to run their identity and collaboration products safely! This is morally indefensible, just as it would be for car companies to charge for seat belts or airplane manufacturers to charge for properly tightened bolts... - LinkedIn post, January 26th, 2024

Sick burn Alex, especially the reference to loose bolts...

United Airlines says it found loose bolts while inspecting Boeing 737 Max 9 planes
United’s 737 Max inspections revealed “installation issues.”

It is worth reading Alex's whole post, but I just want to pull out a bit more relevant context to make my spicy point. In the post, Alex references how in September 2023, members of the State Department and other U.S. Federal officials had their email compromised by another state-backed attacker:

https://www.reuters.com/world/us/chinese-hackers-stole-60000-emails-us-state-department-microsoft-hack-senate-2023-09-27/

Did you catch that? 60,000 EMAILS, really?

A point of clarity - in this blog I will not say "Chinese hackers", "Russian attackers", etc., because I think that language is inherently xenophobic. It lumps the majority of a nation's people into a nasty bucket, when in fact "Russian attackers", for example, really means intelligence officers who work for a Russian agency, similar to our own NSA, not civilians. This September 2023 attack was likely perpetrated by people working on behalf of the CCP (Chinese Communist Party), so it is my feeling that we should use specific terminology that reflects that these are not civilians in China. Something more like "Russian GRU personnel" or "CCP military actors" than "Chinese hackers". While the popular press likes to simplify things by saying Chinese, Russian, Iranian, etc. <insert hacker-sounding word here>, I think we can do better. I'm not saying the Reuters piece did that; they did say "state-linked", which adds a bit of clarity - but it doesn't change the headline.

Somewhere in the neighborhood of 85% of the U.S. Government runs on Microsoft products. Granted, the Google study referenced here was conducted by an extremely biased entity - Google - who would love to win U.S. gov contracts and market share for their cloud products, over Microsoft and Amazon, so consider that.

Regardless, it should appall all of us that some massive number of the U.S. government's systems are likely built and maintained by a private company - Microsoft, Amazon, Google, you name it.

I also want to clarify that we are talking about Microsoft here not because of this one incident alone. Take a look at this timeline written by Michael X. Heiligenstein at firewalltimes.com:

Microsoft Data Breaches: Full Timeline Through 2023
On July 11, Microsoft disclosed that Chinese hackers had leveraged an exploit in their cloud systems to spy on the emails of U.S. government officials. They have since disclosed more details…

In case you didn't know, the September 2023 attack wasn't the first or largest attack that affected U.S. gov systems - read down to 2020, where Michael writes about the SolarWinds attack and how it affected Microsoft:

The full scope of the attack was vast. Numerous government agencies – including the Department of Defense, Department of Homeland Security, Department of Justice, and Federal Aviation Administration, among others – were impacted by the attack. Additionally, several state governments and an array of private companies were also harmed.

All of this is to say: while we like to blame other hostile nations for their attacks on the U.S., why not hold the vendor (Microsoft in this case) accountable and explore other options for highly sensitive government systems?

There are operating systems and tools developed in the open with security in mind, which are maintained and audited by robust communities; SELinux is just one example:

Security-Enhanced Linux - Wikipedia

While it would be very challenging, and doubtless take decades to change government systems away from Windows and proprietary software, it would be worth it to gain some degree of digital sovereignty. This kind of mandate needs to come down from the top, I'm looking at you President Biden. ;-)

Open-source software is - no doubt - a pie-in-the-sky solution. Let's not overlook the more reasonable solution of just holding giant corporations like Microsoft fiscally responsible for bad cybersecurity practices, like, I don't know, having a "legacy non-production test tenant" exposed that was definitely not legacy, non-production, or for testing, because it had access to Microsoft executives' email.


If you are interested in hearing more from Alex Stamos, he did an interview for CNBC based upon the LinkedIn post referenced above: https://www.cnbc.com/video/2024/01/22/microsoft-hack-couldve-been-the-start-of-a-pretty-significant-campaign-sentinelones-alex-stamos.html and you should check out the podcast he does with Evelyn Douek at Stanford about Trust & Safety: https://moderated-content.simplecast.com/, it's great!

This blog © 2024, by Sean Halloran is licensed under CC BY-NC 4.0
