Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Microsoft Government United States

Ex-White House Cyber Policy Director: Microsoft is a National Security Risk (theregister.com) 124

This week the Register spoke to former senior White House cyber policy director A.J. Grotto — who complained it was hard to get even slight concessions from Microsoft: "If you go back to the SolarWinds episode from a few years ago ... [Microsoft] was essentially up-selling logging capability to federal agencies" instead of making it the default, Grotto said. "As a result, it was really hard for agencies to identify their exposure to the SolarWinds breach." Grotto told us Microsoft had to be "dragged kicking and screaming" to provide logging capabilities to the government by default. [In the interview he calls it "an epic fight" which lasted 18 months."] [G]iven the fact the mega-corp banked around $20 billion in revenue from security services last year, the concession was minimal at best.

That illustrates, Grotto said, that "they [Microsoft] just have a ton of leverage, and they're not afraid to use it." Add to that concerns over an Exchange Online intrusion by Chinese snoops, and another Microsoft security breach by Russian cyber operatives, both of which allowed spies to gain access to US government emails, and Grotto says it's fair to classify Microsoft and its products as a national security concern.

He estimates that Microsoft makes 85% of U.S. government productivity software — and has an even greater share of their operating systems. "Microsoft in many ways has the government locked in, he says in the interview, "and so it's able to transfer a lot of these costs associated with the security breaches over to the federal government."

And about five minutes in, he says, point-blank, that "It's perfectly fair" to consider Microsoft a national security threat, given its dominance "not just within the federal government, but really in sort of the boarder IT marketplace. I think it's fair to say, yeah, that a systemic compromise that affects Microsoft and its products do rise to the level of a national security risk."

He'd like to see the government encourage more competition — to the point where public scrutiny prompts software customers to change their behavior, and creates a true market incentive for better performance...
This discussion has been archived. No new comments can be posted.

Ex-White House Cyber Policy Director: Microsoft is a National Security Risk

Comments Filter:
  • wait 'til after the election to say such. MS has deep pockets, can easily influence election by lubricating politicians with "campaign donations" and lobbying.

  • Honestly, if the federal gov't really had such major qualms about MS's practically absolute monopoly in the gov't space, all they have to do is use the FTC scissors to slice and dice up MS.

    Either MS Shape up or ship out w/ the FTC.

    Done and dusted.

    • by jhoegl ( 638955 )
      They already added exceptions to allow MS to continue to be a monopoly.

      Mostly windows XP continuation due to government usage, keeping special versions of MS for government use that dont include all the shit everyone gets that spies on them, and much more.

      I dont care what party people are in, those that allowed it in the 90s fucked us over.
  • Back in the good old days, when Ma Bell was considered a (considerably lesser) problem?

    Well?

  • Good Lord (Score:4, Insightful)

    by Random361 ( 6742804 ) on Monday April 22, 2024 @01:37AM (#64413372)
    Then they can just run Linux (preferably SELinux) and solve the problem. It's typical of government and big corporations to sit around and bitch about things we already know, yet do nothing to address it except... more bitching.
    • Re:Good Lord (Score:5, Insightful)

      by gtall ( 79522 ) on Monday April 22, 2024 @07:14AM (#64413838)

      Replacing MS in the Fed. Gov. will cost money. That money is detailed in appropriations from Congress. If it is not a line item in their budget, they cannot spend money on it. And if it does become a line item in their spending ask to Congress, Congress will tell them whether it stays or not. Congress could also mandate they spend x on replacement. However, if they do that without increasing the budget, they have to be precise in what cuts will be made elsewhere.

      • No mod points for me today. Someone please mod parent up as (VERY) Insightful.

        • By the way, I've participated in a couple of studies about what it would take to replace Microsoft on both desktops and back office situations. There's a lot of costs, even if you use low cost/free Open Source products. Those include conversion from the MS product to the replacement, qualification/testing to make sure the replacement isn't worse than what you're replacing, engineering costs for designing and implementing the solution including the transition, retraining for both end users, security infras

          • Good insightful comment. ...But *I* don't need support. ...I wish the Feds would allow devs like me to use something besides Windows, since as a developer I know what I'm doing and now I'm being restricted and that costs real money. The servers I develop for are all FOSS/LAMP anyway. The excuse I always hear is, "but then you might install Rando App X, or run a virtual machine and that'd also give you root access to install anything you want. Maybe your machine has malware."

            To which I always reply, you Feds

    • by Junta ( 36770 )

      Don't know if that would have helped.

      We see that the central complaint is that Microsoft was upselling "logging capabilities". Question is what, specifically, is he talking about? I wager it's not just logging, I'm sure even Microsoft provides at least those. I suspect it's about some sort of log analysis, since 'analytics' is a favorite upsell opportunity in the industry (Cisco paid $28 billion for Splunk for example).

      Whether it's Linux or Microsoft technology, I'm wagering they'd still be complaining ab

    • by AmiMoJo ( 196126 )

      It's not clear that Linux would fix anything here. If the feature you need happens to be open source and actually works, great, but if it's some proprietary extension that your vendor offers or you didn't pay them to fix the bugs, you are on your own.

      That is assuming that the software you need is even Linux native. If you are running it in WINE then good luck.

      • The entire SolarWinds product offering could have been replaced quite effectively with OpenSSH and a couple shell scripts. Even if this wasn't a feigned fuck-up orchestrated by criminals who had more to gain by failing at their job than by succeeding at it, it would still be the biggest boondoggle of all time.

    • Then they can just run Linux (preferably SELinux)

      SElinux is not a kind of Linux. It is a feature of Linux.

    • by Tom ( 822 )

      Then they can just run Linux (preferably SELinux) and solve the problem.

      I wish, and I would welcome it if they did.

      However, as one of the foremost SELinux advocates in its early days, I doubt that the government of all places has the capability to do so. Few sysadmins can configure SELinux halfway decently (i.e. beyond the default policies) and the government (outside the military and secret services) isn't a good tech employer.

      Also, MS is far more than the OS. With Office and a bunch of other tools, plus lots of custom software made only for Windows, the entrechnment is really

  • Too big to fail (Score:5, Insightful)

    by bradley13 ( 1118935 ) on Monday April 22, 2024 @01:38AM (#64413374) Homepage

    After the 2008 debacle, one thinks of banks, when one hears "too big to fail". We (the collective world) were supposed to ensure that no single institutions remained "too big to fail" - not that we've done that.

    Anyway. No single company should be allowed to become so large that its failure would be a catastrophe. That's just another aspect of anti-trust regulations. I submit that Microsoft has long since passed that threshold. Entire governments, indeed, all governments in the West are utterly dependent on Microsoft software. That should ring all sorts of alarm bells.

    • by gweihir ( 88907 )

      Yep, pretty much. MS is a massive problem these days, nothing else. And they behave like a problem too.

    • Problem is, do you want security handled by a bunch of companies where expertise and communications gaps become massive liabilities? Then, when there are failures, fingers will get pointed all around the world, nobody will take responsibility and mistakes will be perpetuated because nobody was accountable,, til the next crisis. Yes, we have some of that now under MS, but using a patchwork o companies, it would be much worse.

  • ...I guess they'll just have to use Microsoft forever. Meanwhile Microsoft stock seems to be doing alright despite very sensible, low maring pricing. It's a miracle.
  • by Greymane ( 949969 ) on Monday April 22, 2024 @02:34AM (#64413426)
    As a former federal scientist, we were forced under the Trump Administration to move all our files to the cloud (MS OneDrive) over objections from our agency's IT Security staff. We vocally and in written communication complained that this was dangerous. Of course it fell on deaf ears, as the fix was in. We made sure to back up all the files in our office to a stand alone drive to ensure access if the system went down. We would otherwise not been able to work if the network went down. We needed it several times in the few years before I retired.
    • by argStyopa ( 232550 ) on Monday April 22, 2024 @09:18AM (#64414142) Journal

      Let's be clear that this has been the experience for a LOT of people in a lot of companies.

      My firm is an ardently left-leaning European manufacturer who is all-in about a host of left-of-center values such as sustainability, DEI, etc etc. ...and we too are compelled to move to Onedrive, despite lots of objections and (by now) many examples of Onedrive's shortcomings.

      Maybe the point of this isn't political, it's about a shit piece of software that's not ready for the critical needs to which it's being put, management choices that have little to do with actual staff needs, and IT accountability for following those dumb fads.

      WHETHER we're talking about an organization led by an orange-colored nutball, or a senescent child-sniffing grandpa.

      • by King_TJ ( 85913 )

        That's my feeling too. I work in a private sector business that's basically "all Microsoft" (like most of our competitors). Once you get on the "Microsoft train", you ride their rails and go to the stops they dictate. You have to jump back off otherwise.

        We ran into the typical situation where once people saw they had OneDrive capabilities to share files or folders with other people or groups, they started trying to create folders of information needed by entire teams. If they left the company, all of that

  • Duh (Score:5, Insightful)

    by gweihir ( 88907 ) on Monday April 22, 2024 @03:00AM (#64413468)

    It has been for a long time. And while MS is not actually getting (much) worse, they are not getting any better at security (or reliability and usability), while pressure from attackers and more and more critical functions done with their systems raises and raises. At the same time, MS still makes beginner's mistakes with critical and very critical functions, see, for example, their catastrophic Azure compromise in 2023, were they did _everything_ wrong they could do wrong where that would not be immediately obvious. Oh, and that is for the attack path they think the attackers might have taken, because they _still_ do not know what happened and they do not keep security audit logs for that "long". For functions that handle cloud master-keys. Fucking up on top of fucking up.

    MS should have been kicked to the curb as the 3rd rated wannabe technology provider they are 10 or 20 years ago. They are not just incompetent and careless, their whole organization is fundamentally incapable of doing competent IT security or producing good and reliable products. Incompetence that bad cannot be fixed without replacing the whole organization. Instead most people just looked the other way and continue looking the other way. Not smart at all, but all to common with the human race.

    • ... but thats undergoing a slow and sad fucking up process thanks to Poetterings (now an MS employee, not even ironic) systemd. Also the fragmentation doesn't help - it would be good to have a standard base layout, system setup and standard apps (beyond the default *nix cmd line tools) that all distros use, eg package manager, and they just build whatever eye candy they want on top of that but of course many large egos would prevent that ever happening.

      • by gweihir ( 88907 ) on Monday April 22, 2024 @06:13AM (#64413728)

        Yes, that process is definitely there. My take is that more and more people that do not understand the Unix philosophy are getting into Linux and that takes a big toll. Probably many are refugees from Windows that now apply their low-insight mindset in the Linux space. Systemd is one crass example, but all the crap distros like Debian patch into sshd is another. Pure stupidity, grossly bad engineering and prioritization of questionable convenience over security.

        That said, Devuan works nicely. That there is a whole distro now with the single selling point of "no systemd" means there are still a lot of people in Linux that actually understand and can do good engineering. As to fragmentation: That is actually far less of an issue than generally claimed. Again, Unix philosophy. Sure, a specific organization should standardize on one distro, but that already fixes the issue.

        • by Viol8 ( 599362 )

          "Devuan works nicely. That there is a whole distro now with the single selling point of "no systemd""

          I use Slackware and its never used systemd and hopefully never will. If it didn't exist Devuan would definately be my next distro choice.

          • by gweihir ( 88907 )

            Well, Slackware is the Holy Grail, obviously. I am lazy, so I use Devuan and occasionally have a look at Gentoo.

    • Re:Duh (Score:5, Insightful)

      by DarkOx ( 621550 ) on Monday April 22, 2024 @07:21AM (#64413858) Journal

      Logs are often a huge liability. I am not saying this is right, but in my experience very very few IT shops treat them like tier one confidentiality required data that they are.

      developers rarely think critically about what can end up in a log, operating under the assumption that whatever logging framework is responsible for sinking them somewhere safe and if anyone has access all bets are already off; of course in the era of centralized logging, SEIM analysis, and data lakes etc, that is nonsense. I have seen a lot applications that have a ton code and thought dedicated to handling various types of secrets only to have it all wrapped and in
      try { ... } catch ... {} catch ... {} .. catch Exception => ex { Logger.log("Unhandled " + ex.name + " exception - " + ex.message + "Sacktrace:\n" + ex.stacktrace);} and equivalent that under the write conditions will result in these secrets getting into the logs. That is the most innocent case, the far more common pattern in logs is:

      Login failed for user P@$$word!1
      Login success for user gweihir

      and is almost the norm...

      Right now the only things saving corporate and probably government IT from total disaster due to negligent log handling are:

      1) The data volume is large so its difficult to exfil or search in situ without being notices
      2) Searing logs you are not familiar with is hard and regex augmented with traditional correlation rules will only get you so far,

      However attackers will start using ML and similar tools to start slogging thru it and pulling useful data out soon enough and all these data lakes, cloud trails, security workspaces, etc - are going to get some big organizations well and thoroughly pwnd.

      At the very least actual APTs (not some ransomware gangs) will get hold of some Fortune 50s and large government logs and do some next gen-analysis to make sure their trade craft and tools leave exactly NO detectable IOCs. Which frankly I think boads quite badly for having a large WFH work force; nobody is going to be able to separate malicious remote access from legitimate. That is drifting off the topic however.

      In the short term I would suggest to most operators, you don't know what is in your logs, you don't what signals someone might be able to extract from those logs even if you do have all the content identified. You probably should NOT be retaining logs for longer than either a few months or whatever regulatory requirements demand, whichever is greater.

      In this specific instance its unfortunate, but I don't think MS actually got it wrong in terms of policy here.

      • by gweihir ( 88907 )

        Sure. But when you have systems that handle your keys to the kingdom, you want to find out who successfully attacked them. Without logs that is next to impossible. And you need that info to fix the vulnerability the attackers came in on. Not saying that you should keep any and all logs and I have personally edited logs when I screwed up pretty much like your example, but for systems with very high criticality you need to spend the effort and handle the logs on the same criticality and confidentiality level

        • by DarkOx ( 621550 )

          I don't fundamentally disagree. The thing is Azure is to big and complex with to many cooks in the kitchen for there being really any hope of getting it right.

          Microsoft absolutely needs to have a hard, delete after-N policy, and then start writing very specific exceptions around certain critical components of Azure infrastructure. The Federal government should be 'beta-testing' the could with the rest of Industry. Azure / Office 365 are good examples of to much to fast at to high a value.

    • by AmiMoJo ( 196126 )

      That's demonstrably untrue. Look at the Windows XP days, an OS that launched without even enabling the firewall. Then there was Vista that everyone hated because Microsoft beefed up the security model, resulting in large numbers of security warnings. And now the same people are moaning about Windows 11 requiring TPM 2 for securing the boot process, which was of course one of the favourite attack vectors back before Secure Boot became mandatory for OEMs.

      Meanwhile, as Linux's popularity increases, so does the

      • What? Secure boot hasnt fixed jack squat. It was about confusing the linux install process.

        Prior to secure boot I could have talked someone into booting a linux installer over the phone.

        After each system was vastly different, and big scary warnings were shown. Also options to delete keys were placed next to the options for basic enable/disable purely to confuse users more.

        All this and attacks that completely bypass secure continue to be found.

        • by AmiMoJo ( 196126 )

          Secure Boot ensures that the OS boot files have not been modified. One popular technique malware used was to replace ntfs.sys (the NTFS filesystem driver) or the SATA driver with one that hid the malware's own files. Virus scanners could tell you were infected, but couldn't remove the infection. The only way to get rid of it was to boot a Linux CD with anti-virus software from someone like Kaspersky, which used its own NTFS and SATA drivers. Or move the HDD to another machine for scanning etc.

          That became im

        • Microsoft certainly counts on incompetence being a benefit for secure boot keeping out Linux but it wasn't the purpose. Linux can benefit just as much from securely signing boot code. What's needed is getting OEMs on board with a simpler process for adding new keys. It's basically all a manual process for non-Microsoft keys. I don't think there's anyone to blame but Linux distros if there isn't even an organized push at this point.

    • At the same time, MS still makes beginner's mistakes with critical and very critical functions, see, for example, their catastrophic Azure compromise in 2023, were they did _everything_ wrong they could do wrong where that would not be immediately obvious.

      Experience is not worth paying for. These new people will get it right. They were trained for many years and there is no excuse for 'not knowing', so everything should be fine and if it isn't, we will discipline them until they do get it right... but, once they get too much experience, they become too expensive, so, freshly trained people again. They were trained for a long time. They have no excuse for getting it wrong. Everything will be fine. Who needs experienced people when experience is so expensive?

      • by gweihir ( 88907 )

        Probably. That is a business mind-set though and those universally lead to crappy engineering. Just look at Boeing for a second example.

  • Make security as a requirement and twist the arm on product liability.
    • by gweihir ( 88907 )

      Do you know how much money MS has? And who all does not have an exit strategy for their crap?

      Yes, product liability would mean MS is dead in 10 years and that would be a very good thing. But it is not going to happen.

  • Windows is malware (Score:5, Insightful)

    by VeryFluffyBunny ( 5037285 ) on Monday April 22, 2024 @04:30AM (#64413572)
    I completely remove it from all my hardware. I get my work done with fewer problems & fewer workarounds with a straightforward, mainstream, vanilla Linux distro. The nice thing about most FOSS is that they're not run by marketing departments who are constantly trying to re-invent them for their next ad campaign. I just want it to work & keep working for the foreseeable future. e.g. Office Software is pretty much mature. It does everything the vast majority of people need. It only needs to be maintained & occasionally tweaked but when a marketing department is competing for customers, they've got to make it "new & improved" (Ribbons? Really?!) LibreOffice has been pretty consistent since I switched to it more than a decade & a half ago.
    • by gweihir ( 88907 )

      That is nice and sensible, but what about your local supermarket that cannot order new food anymore after the next big attack on the insecure MS crap? All it takes is for one of the more competent bad actors to really want to do damage.

      • They'd have to go "old school" until they can get a more secure system up & running. You know, those things like phones & calculators.
        • by gweihir ( 88907 )

          All the while you and them are starving...
          Unless the have "old school" as a tested (!) BCM measure in place, it is _not_ going to work.

  • Option 1:
    Maybe it's a feature... Didn't you think about it?
    You can leak misinformation to the enemy knowing that they will think it was a mistake based on shitty software rather than counter-intelligent maneuvers.

    Option 2:
    It's not us! It's god damn Ritchie, Kernighan and Bjarne! The White House says so!

    Option 3:
    Well, we didn't have AI back then but now, we're putting every single bit of it in every single bit of software we make and made. Things should be better now.
  • by Rosco P. Coltrane ( 209368 ) on Monday April 22, 2024 @06:08AM (#64413724)

    Microsoft makes 85% of U.S. government productivity software

    Government... productivity?

  • should burn in Hell.

    • Gates is long gone from Microsoft. He set the corporate culture of "let the users debug our software", but the current security problems at Microsoft can't be blamed on Gates (or Ballmer.)

      Me, I blame Congress for not passing legislation to make -all software vendors- legally liable for flaws in their products, including security holes. If you want secure software, you'll have to pay for it, and make the companies pay for the consequences of their failures.

  • I have many 365 tenants and Microsoft was charging so much to access to security features (logs and granular MFA control) it felt like extortion. On July 19 2023 they made these free because of these attacks. So for me, these attacks were a good thing because it shed sunlight on what Microsoft was doing to its customers. It even states in the summary: "[Microsoft] was essentially up-selling logging capability". I now have free access to security tools that I should have had for free all along.
    https://www.c [cisa.gov]
  • "He'd like to see the government encourage more competition"

    I think we all would like that, but let's be clear that is an ECONOMIC preference and (in essence) an ideological preference, not a security one.

    I do NOT believe that the security environment of the US government - a government were a lot of sites (esp internal) look more like myspace pages - would be materially IMPROVED by having a vast array of churning alternative vendors of uncertain provenance being managed by IT depts that can barely keep up

  • If only there was a way to have the source code of the software you use. You would be able to modify it to your liking, free of charge. If only such a magical world existed.
  • by The Cat ( 19816 )

    Sergeant I hope you like chow mein.

  • When profits matter most, everything else suffers eventually.

  • "He'd like to see the government encourage more competition — to the point where public scrutiny prompts software customers to change their behavior, and creates a true market incentive for better performance..."
    He'd like for capitalism to work that way, but that's not how late-stage capitalism works.

  • You should never have a single locked in vendor that is closed, walled, and locked off. Microsoft isn't just a security threat, they're a monopoly that forces lacked and unacceptable security standards as the default. Microsoft is a shining example of what is wrong with the pay now, shut up and deal with it later, mentality we've come to respect. From the bottom of my heart, FUCK YOU MICROSOFT.

There has been a little distress selling on the stock exchange. -- Thomas W. Lamont, October 29, 1929 (Black Tuesday)

Working...