A former White House specialist in cybersecurity and counter-terrorism says Microsoft regards security as an inconvenience rather than a crucial requirement.
Microsoft's poor security record, particularly vulnerabilities exploited by Chinese cyber espionage groups, has raised significant national security concerns due to the widespread use of Microsoft products in federal agencies and critical infrastructure.
Key national security concerns include:
- Exploitation by Chinese Spies: Chinese cyber espionage groups, such as Storm-0558 and Volt Typhoon, have exploited vulnerabilities in Microsoft cloud services and software to gain unauthorized access to sensitive U.S. government and critical infrastructure networks.
- Use of Chinese Engineering for Sensitive U.S. Systems: Microsoft employed China-based engineers to work on sensitive U.S. military cloud projects and Defense Department systems, supervised only by underqualified subcontractors. This exposure raises concerns about insider threats or inadvertent vulnerabilities introduced by personnel potentially under foreign influence or coercion.
- Security Culture and Dependence Risks: The Cyber Safety Review Board criticized Microsoft’s security culture as “inadequate,” warning it requires fundamental overhaul given the company’s central role in U.S. infrastructure. Moreover, Microsoft’s licensing model has entrenched U.S. federal dependence on its ecosystem, making it costly and complex to switch vendors, thereby potentially prolonging exposure to security failures.
- Ongoing Vulnerabilities and Federal Responses: Recently, CISA issued emergency directives instructing federal agencies to urgently patch Microsoft Exchange vulnerabilities that could allow attackers administrative control and lateral movement across cloud-connected environments. These directives underscore how Microsoft vulnerabilities translate directly into threats to federal cybersecurity and, by extension, national security.
Roger Cressey, a former senior cybersecurity and counter-terrorism advisor to two U.S. presidents, is among those voicing concerns. Cressey suggests that the federal government should pause any new awards to Microsoft and demand a comprehensive security audit before the company is eligible for future procurement. He believes Microsoft is either incapable or unwilling to take the actions that could significantly improve its security.
Microsoft's recent disclosure of two major security vulnerabilities, one of which was exploited as a zero-day in SharePoint, has further fueled these concerns. In the last few weeks, the U.S. Energy Department, including its National Nuclear Security Administration (NNSA), was among the victims of a mass exploitation of a Microsoft product.
Senator Wyden has criticized Microsoft for its negligence, stating that government agencies have become dependent on a company that doesn't prioritize security and makes billions from selling cybersecurity services to address its own flaws. Senate Intelligence Committee Chair Tom Cotton sent a letter to Defense Secretary Pete Hegseth urging him to ban non-U.S. citizens from accessing Department of Defense systems and requesting a briefing about any security vulnerabilities in the DOD's contracts and software related to "Microsoft's business dealings in China."
Cressey compares Microsoft's presence in China and its security issues to Pakistan's role as a sanctuary for al Qaeda in counter-terrorism. He believes that in the event of hostilities, Chinese actors will target critical infrastructure through Microsoft products due to their ubiquity and vulnerability. Chinese familiarity with Microsoft products makes them a potential threat in such a scenario.
In summary, Microsoft’s security vulnerabilities exploited by Chinese actors, combined with Microsoft’s operational ties to China and its embedded role in U.S. government infrastructure, create a complex and serious national security risk. This encompasses direct cyber espionage threats, potential insider risks from Chinese personnel, and systemic dependency risks that impede resilience and remediation. The U.S. government is taking emergency steps to mitigate these vulnerabilities, but experts warn Microsoft’s security culture and business practices contribute to a persistent threat environment.
- Concerns about Microsoft's security record have been raised in general-news circles, with experts suggesting that the federal government should demand a comprehensive security audit before considering new awards to the company.
- A large number of national security vulnerabilities have been found in Microsoft's cloud services and software, allowing Chinese cyber espionage groups to gain unauthorized access to sensitive U.S. networks.
- Microsoft's extensive use in federal agencies and critical infrastructure, coupled with its ties to China, has created a complex national security risk, including direct cyber espionage threats and potential insider risks from Chinese personnel.
- AI and cybersecurity are key areas where technology and politics intersect, with issues like Microsoft's security vulnerabilities and business practices in China being a major point of concern for national security.