Microsoft stands to obtain almost 1 / 4 of Covid aid funds destined for US cybersecurity defenders, sources instructed Reuters, angering some lawmakers who do not need to enhance funding for a corporation whose software program was not too long ago on the coronary heart of two massive hacks. Congress allotted the funds at problem in the COVID aid invoice signed on Thursday after two monumental cyberattacks leveraged weaknesses in Microsoft merchandise to achieve into laptop networks at federal and native companies and tens of hundreds of corporations. One breach attributed to Russia in December grabbed emails from the Justice Department, Commerce Department, and Treasury Department.
The hacks pose a major nationwide safety menace, irritating lawmakers who say Microsoft’s defective software program is making it extra worthwhile.
“If the only solution to a major breach in which hackers exploited a design flaw long ignored by Microsoft is to give Microsoft more money, the government needs to re-evaluate its dependence on Microsoft,” said Oregon Senator Ron Wyden, a leading Democrat on the intelligence committee.
“The authorities shouldn’t be rewarding an organization that bought it insecure software program with even larger authorities contracts.”
Microsoft previously said it prioritises fixing attacks that it sees in wide use.
A draft spending plan by the Cybersecurity Infrastructure Security Agency allocates more than $150 million of their new $650 million funding for a “safe cloud platform,” according to documents seen by Reuters and people familiar with the matter.
More precisely, the money has been budgeted for Microsoft, according to four people briefed on the choice, largely to help other federal agencies upgrade their existing Microsoft deals to improve the security of their cloud systems.
A CISA spokesman declined to comment.
A key service Microsoft provides, known as activity logging, allows its clients to keep watch on data traffic within their part of the cloud and spot inconsistencies that could reveal hackers at work.
Officials have sought access to Microsoft’s premium tracking capability after discovering the lack of logs made it much harder to investigate recent hacks tied to nation-states.
Microsoft said Sunday that while all its cloud products have security features, “bigger organizations could require extra superior capabilities reminiscent of a better depth of safety logs and the power to research these logs and take motion.” It did not address the fairness issues raised by lawmakers.
While some senior US cyber officials feel they have no choice but to pay up, Wyden and three other lawmakers have publicly raised concerns about the plan.
‘Raw deal’
Most major software has been penetrated by well-financed teams of hackers at one time or another, but the ubiquity of Microsoft’s products makes it a prime target.
The alleged Russian spying, known for exploiting software from SolarWinds, hit nine government agencies and 100 private companies, many of whom were exploited through manipulation of a Microsoft system.
More recent sprawling hacks into tens of thousands of servers around the world running Microsoft Exchange by a handful of attackers, including some tied to the Chinese government, relied on four previously unknown flaws in the way those servers handled web versions of Outlook email. China has denied backing the attacks.
In a hearing on the SolarWinds breach on February 26, Rhode Island Congressman Jim Langevin challenged Microsoft President Brad Smith about charging extra for logging, asking: “Is this a profit center for Microsoft, or is it a service being provided at cost to the customers?”
“We are a for-profit company,” Smith responded. “Everything we do is designed to generate a return, other than our philanthropic work.”
Microsoft has turned security offerings into a significant source of revenue, with the business generating $10 billion annually, up 40 percent from the previous year.
Representative Dutch Ruppersberger of the House appropriations committee said Congress must look into “why safety is an afterthought in the procurement course of” and move away from approving only the lowest bidders.
The government could impose new regulations, said Curtis Dukes, a former head of the defensive mission at the National Security Agency now at the nonprofit Center for Internet Security, which works closely with CISA. “Maybe with additional size, vendors should have to do more.”
PS5 vs Xbox Series X: Which is the best “next-gen” console in India? We discussed this on Orbital, our weekly expertise podcast, which you’ll subscribe to through Apple Podcasts, Google Podcasts, or RSS, obtain the episode, or simply hit the play button beneath.
