US Senators Ron Wyden and Eric Schmitt have raised concerns about the Pentagon's growing dependence on Microsoft technologies following a series of cybersecurity incidents. The lawmakers set out their concerns in a letter to John Sherman, the Department of Defense's Chief Information Officer, criticizing the current strategy for failing to diversify suppliers and for leaving security risk concentrated in a single vendor.
Questions Over Cybersecurity Approach
The letter, sent on May 29 and reported by The Register, questions the Pentagon's directive that its components adopt Microsoft's E5 license. The senators argue that, whatever its intended gains in security and compliance, the decision raises costs and concentrates the DoD's cybersecurity defenses in one vendor's products and identity platform, so that a single flaw or compromise on Microsoft's side exposes the whole department at once. The basis for this concern is a draft DoD memo, reported by Axios, that supports the E5 mandate.
Cybersecurity Incidents and Fallout
A central point in the letter is the intrusion attributed to a Chinese group tracked as Storm-0558. The group obtained a Microsoft consumer account signing key and used it to forge authentication tokens, gaining access to the Exchange Online mailboxes of senior US officials, including staff at the State Department and the Department of Commerce. The Cyber Safety Review Board concluded that the intrusion was preventable and resulted from a cascade of avoidable errors on Microsoft's part.
Wyden and Schmitt are pressing the DoD to move away from a single-vendor model toward a multi-vendor framework. This, they argue, would not only spread cybersecurity risk across independent products but also drive competition and innovation among suppliers. They also urge the integration of open-source software to diversify the department's security tooling.
Despite the breaches, the senators note that the US government continues to spend millions annually on Microsoft products. They suggest that the DoD could use its purchasing power to raise cybersecurity standards across the industry by demanding more secure solutions from a range of providers rather than defaulting to one.
Congressional Inquiry Ahead
Microsoft President Brad Smith is slated to testify before Congress next week on these issues, in particular the failures identified by the Department of Homeland Security's Cyber Safety Review Board that contributed to last summer's intrusion.
The senators have also put several technical and strategic questions to the DoD about the E5 mandate. They are seeking clarification on how the department plans to ensure interoperability with other cybersecurity vendors and on its roadmap for integrating more secure open-source software.
Microsoft's Alleged Commitment
In the aftermath of the Storm-0558 intrusion, and at the urging of the Cybersecurity and Infrastructure Security Agency (CISA), Microsoft pledged to make enhanced cloud security logs available to customers at no extra cost. The logs matter because the intrusion was detected through mailbox-access audit events that, at the time, were available only to customers on Microsoft's premium logging tier. The senators are now asking whether that promise has been kept, and specifically whether the DoD is receiving those logs.
The senators' concerns point to a broader issue: the DoD's procurement and cybersecurity policies shape vendor behavior well beyond the department, affecting both the public and private sectors. They argue that a competitive, diverse supplier base would yield better outcomes for national security and for the state of cybersecurity generally.