On Thursday, in his final week in office, President Joe Biden released an executive order designed to strengthen the nation’s cyber defenses, specifically by requiring software vendors like Microsoft to provide proof that they meet certain security standards before they can sell their products to the federal government.
The move follows an onslaught of cyberattacks in recent years in which hackers linked to Russia, China and other adversaries have used software vulnerabilities to steal confidential documents from federal agencies.
Demanding greater accountability from software makers, Biden pointed to cases where contractors “commit to cybersecurity practices but fail to fix well-known vulnerabilities in their software, putting the government at risk of compromise.”
In June, ProPublica reported on such a case involving Microsoft, the largest IT supplier to the federal government. In the so-called SolarWinds attack, which was discovered shortly before Biden took office, state-sponsored Russian hackers exploited a weakness in a Microsoft product to steal sensitive data from the National Nuclear Security Administration and other agencies. ProPublica found that for years, Microsoft executives ignored warnings from one of its engineers about the flaw because they feared that publicly admitting it would alienate the federal government and cause the company to lose ground to competitors.
This culture of profit over security was largely driven by the rush to conquer the multibillion-dollar cloud computing market, the news organization reported. One former Microsoft executive described the attitude this way: “Do whatever it takes to win because you have to win.”
Microsoft defended its decision not to address the flaw, telling ProPublica in June that the company’s assessment at the time included “multiple reviews” and that it considers several factors when making security decisions, including “potential customer disruption, exploitability, and available mitigations.”

But in the months and years since the SolarWinds hack, Microsoft’s security gaps have fueled other attacks on the government, including one in 2023 in which hackers linked to the Chinese government gained access to the emails of top US officials. The Federal Cybersecurity Review Board later found that the company had deprioritized investments in security and risk management, leading to a “cascade of … mistakes that could have been avoided.”
Microsoft has promised to put security “above all else.”
Of course, Microsoft is not the only company whose products have given hackers access to government networks. The Russian hackers in the SolarWinds attack gained access to victim networks through tainted software updates provided by Texas-based SolarWinds before using a flawed Microsoft product.
To help prevent future breaches, the government wants IT companies to provide evidence that they use “secure software development practices to reduce the number and severity of vulnerabilities” in their products, according to the order. In addition, the government “needs to adopt more rigorous third-party risk management practices” to verify the use of such practices, Biden said. He requested changes to the Federal Procurement Regulations, the government’s contracting rules, to implement his recommendations. If fully implemented, violators of the new requirements could be referred to the Attorney General for prosecution.
Biden also said that strengthening the security of federal “identity management systems” was “particularly important” to improving the country’s cybersecurity. Indeed, the Microsoft product that was the focus of ProPublica’s June article was a so-called “identity” product that allowed users to access virtually every program used at work with a single sign-on. By exploiting a weakness in the identity product during the SolarWinds attack, Russian hackers were able to quickly siphon email from victim networks.
As ProPublica reported in November, Microsoft capitalized on the SolarWinds attack in its aftermath, offering federal agencies free trials of its cybersecurity products. The move effectively locked those agencies into more expensive software licenses and greatly expanded Microsoft’s presence throughout the federal government. The company told ProPublica that its offer was a direct response to “the administration’s urgent request to increase the security of federal agencies.” In his executive order, Biden addressed the consequences of that 2021 push, ordering the federal government to reduce the risks associated with “concentration of IT providers and services,” a veiled reference to Washington’s increased reliance on Microsoft, which some lawmakers have described as a “cybersecurity monoculture.”
While the order represents a tougher stance on tech companies that supply the government, it will be up to the Trump administration to enforce it. It is not yet clear whether the new president will amend the executive order. President-elect Donald Trump has emphasized deregulation, even as he has indicated his administration would take a tough stance on China, one of the country’s top cyber adversaries.
Neither Microsoft nor Trump’s transition team responded to requests for comment on the order.
Thursday’s order was the latest in a series of regulatory actions affecting Microsoft in the final days of the Biden administration. As ProPublica reported last month, the Federal Trade Commission is investigating the company to examine whether its business practices violate antitrust laws. FTC lawyers have conducted interviews and set up meetings with Microsoft’s competitors, and one of the key areas of interest is how the company integrates its popular Office products with its cybersecurity and cloud computing services.
This so-called bundling was the subject of a November investigation by ProPublica, which detailed how, beginning in 2021, Microsoft used the practice to exclude competitors from lucrative federal contracts. The FTC views the fact that Microsoft won more federal business even as the government became more vulnerable to hacking attacks as an example of the company’s problematic power over the market, a person familiar with the investigation told ProPublica.
Microsoft declined to comment on the specifics of the investigation, but told the news organization last month that the FTC’s recent demand for information was “broad, sweeping and asking for things that may not even be logical.”
The new leadership of the commission, chosen by Trump, will decide the future of this investigation.