When Microsoft revealed in January that foreign government hackers had once again breached its systems, the news prompted another round of recriminations about the security posture of the world’s largest tech company.
Despite the angst among policymakers, security experts, and competitors, Microsoft faced no consequences for its latest embarrassing failure. The United States government kept buying and using Microsoft products, and senior officials refused to publicly rebuke the tech giant. It was another reminder of how insulated Microsoft has become from virtually any government accountability, even as the Biden administration vows to make powerful tech firms take more responsibility for America’s cyber defense.
That state of affairs is unlikely to change even in the wake of a new report by the Cyber Safety Review Board (CSRB), a group of government and industry experts, which lambasts Microsoft for failing to prevent one of the worst hacking incidents in the company’s recent history. The report says Microsoft’s “security culture was inadequate and requires an overhaul.”
Microsoft’s almost untouchable position is the result of several intermingling factors. It is by far the US government’s most important technology supplier, powering computers, document drafting, and email conversations everywhere from the Pentagon to the State Department to the FBI. It is a critical partner in the government’s cyber defense initiatives, with almost unparalleled insights about hackers’ activities and sweeping capabilities to disrupt their operations. And its executives and lobbyists have relentlessly marketed the company as a leading force for a digitally safer world.
These enviable advantages help explain why senior government officials have refused to criticize Microsoft even as Russian and Chinese government-linked hackers have repeatedly breached the company’s computer systems, according to cybersecurity experts, lawmakers, former government officials, and employees of Microsoft’s competitors.
These people—some of whom requested anonymity to candidly discuss the US government and their industry’s undisputed behemoth—argue that the government’s relationship with Microsoft is crippling Washington’s ability to fend off major cyber attacks that jeopardize sensitive data and threaten vital services. To hear them tell it, Microsoft is overdue for oversight.