The U.S. Department of Defense is quietly abandoning one of its longest-running cybersecurity programs protecting its vast global IT network, and replacing it with off-the-shelf tools from Microsoft, despite internal opposition and criticism from experts who say it will make the nation more vulnerable to foreign hackers, enemy cyberwarriors and online spies, Newsweek has learned.
At a series of meetings with DOD Chief Information Officer John Sherman last fall, as the department’s fiscal year 2024 budget request was being finalized, a clear majority of senior IT leaders from the military services opposed the move, a former senior defense official directly involved told Newsweek. They were concerned about the department’s growing reliance on a single software vendor: “I was completely against it. A lot of us were, for the same reason: It felt like we were further embedding ourselves into this monopolistic (Microsoft) monoculture.”
The potential risks were laid bare in March, when it was revealed that hackers suspected to be from Russian military intelligence had been stealthily exploiting a vulnerability in Outlook, Microsoft’s email program, for almost a year. The incident, unreported except by the cybersecurity trade press, illustrates what experts say are the dangers of relying exclusively on Microsoft IT.
DOD’s decision to push ahead with the move to Microsoft security tools, based on an assessment from the National Security Agency, has cast a new light on long-standing questions about the security of the software produced by the Redmond, Wash.-based technology giant, and the impact of its dominance in government technology markets. It could also run counter to the White House’s new cybersecurity strategy, which calls on software companies to offer secure products in the first place rather than selling additional security measures on top.
The NSA declined to provide Newsweek with a copy of the assessment or to comment. The former official said the assessment was a decisive factor behind the decision because everyone understood it could have been informed by undisclosed secret intelligence. “You don’t really get to argue that,” said the former official, speaking on condition of anonymity because he was not authorized to speak to the media.
The Defense Department’s IT network, one of the largest in the world, was already a poster child for what cyber experts call the Microsoft monoculture—an IT environment in which everyone uses the same software, meaning they are all potentially vulnerable to the same cyberattacks.
Since 2017, DOD has exclusively used the Microsoft Windows operating system on all its four million-plus desktop computers and is increasingly employing Microsoft’s Azure cloud computing services. And most of its 2.1 million active duty and reserve military personnel and 750,000 civilian employees use Microsoft programs such as Outlook or Office for email, calendar, word processing and other administrative tasks.
Now, the department will use Microsoft Defender—a set of cybersecurity tools bundled with the company’s higher-end software licenses—as well, Deputy CIO David McKeown, one of the Defense Department’s top cyber officials, confirmed to Newsweek. “Microsoft Defender will provide DOD an integrated cybersecurity solution that promises to satisfy most, if not all, of the capabilities we require” to secure the military’s networks, he said via email. He disputed the suggestion that using Microsoft security tools to protect Microsoft software would make the DOD more vulnerable, saying tools that were built from the ground up to integrate with the software they were protecting would be more secure.
In a statement to Newsweek, Microsoft said it was best placed to defend its own products because of the huge amount of data it can draw on from its billions of users all over the world.
“Our teams process and share up to 65 trillion cyber signals a day in order to enhance the security baseline for government and commercial entities. We … will continue to invest in both integrated and standalone security products to help our government customers combat an increasingly complex threat environment.”
But the DOD’s move goes too far for some former career defense officials—even those who have led past roll-outs of Microsoft products in DOD. Three of them told Newsweek that over-reliance on the tech giant risks making the U.S. military’s computer networks more vulnerable just as America is pivoting from fighting the war on terror to confront peer adversaries such as Russia and China with the technical capabilities to take advantage of those vulnerabilities.
And although there’s continuing debate among cyber experts about how best to quantify the security of software, by some measures, Microsoft products do appear more vulnerable to hackers, although the company vigorously contests that analysis.
The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) keeps a running tally of all vulnerable code found to be weaponized by hackers or cyber criminals. Of 919 vulnerabilities exploited and catalogued up until April 2023, 258 of them, just over 28 percent, have been in Microsoft products. That 258 is more than the total number of exploited vulnerabilities in the products of the next five vendors combined: Cisco, Adobe, Apple, Google and Oracle.
When it comes to the 15 most commonly exploited vulnerabilities across the world in 2021, nine were in Microsoft products, according to data compiled by CISA and its international partners.
In other contexts, the company and its defenders have argued they are a victim of their own success: More vulnerabilities are found in their products because more security researchers are looking for them, they say, owing to their dominant position in so many marketplaces. And when vulnerabilities are found and responsibly disclosed, they are more likely to be exploited by hackers because of the ubiquity of Microsoft products. Just as Willie Sutton robbed banks because that was where the money was, goes the argument, hackers attack Microsoft products because they are used by most large companies and governments.
Microsoft’s defenders also argue that counting vulnerabilities per vendor is a very crude measure, and that Microsoft suffers by it because of the high number of products it offers. If you look at vulnerabilities per product, they say, a different picture emerges, in which the most vulnerable products are not Microsoft ones—although many remain high on the list.
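To make the kind of tally the article describes reproducible, here is an added example (not from the article, CISA or Microsoft) that counts Known Exploited Vulnerabilities catalog entries per vendor and per product, applies the April 2023 cut-off, and performs the "leader versus the next five combined" comparison drawn above. The field names vendorProject, product and dateAdded follow CISA's published KEV JSON feed; the records below are constructed for illustration and are not real catalog entries.

```python
import json
from collections import Counter
from datetime import date

# Cut-off matching the article's "up until April 2023" tally.
ARTICLE_CUTOFF = date(2023, 4, 30)

# Constructed sample in the shape of CISA's KEV JSON feed. Only the fields this
# script reads are filled in, and every record below is made up for
# illustration (placeholder CVE ids); none is a real catalog entry.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the real catalog",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2022-02-10"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2022-09-13"},
        {"cveID": "CVE-0000-0004", "vendorProject": "Microsoft", "product": "Exchange Server", "dateAdded": "2021-03-03"},
        {"cveID": "CVE-0000-0005", "vendorProject": "Microsoft", "product": "Exchange Server", "dateAdded": "2022-09-30"},
        {"cveID": "CVE-0000-0006", "vendorProject": "Microsoft", "product": "Outlook", "dateAdded": "2023-03-14"},
        {"cveID": "CVE-0000-0007", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2023-05-09"},
        {"cveID": "CVE-0000-0008", "vendorProject": "Cisco", "product": "IOS XE", "dateAdded": "2022-04-25"},
        {"cveID": "CVE-0000-0009", "vendorProject": "Adobe", "product": "Acrobat", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-0000-0010", "vendorProject": "Apple", "product": "iOS", "dateAdded": "2022-08-18"},
        {"cveID": "CVE-0000-0011", "vendorProject": "Google", "product": "Chrome", "dateAdded": "2022-12-02"},
        {"cveID": "CVE-0000-0012", "vendorProject": "Oracle", "product": "WebLogic", "dateAdded": "2021-11-03"},
    ],
})


def tally_by(kev_json: str, key: str, cutoff: date = ARTICLE_CUTOFF) -> Counter:
    """Count catalog entries grouped by `key` ("vendorProject" or "product"),
    keeping only entries whose dateAdded is on or before the cut-off.
    Products are prefixed with their vendor so same-named products do not collide."""
    catalog = json.loads(kev_json)
    tally: Counter = Counter()
    for entry in catalog["vulnerabilities"]:
        if date.fromisoformat(entry["dateAdded"]) <= cutoff:
            label = entry[key].strip()
            if key == "product":
                label = f'{entry["vendorProject"].strip()} {label}'
            tally[label] += 1
    return tally


def leader_vs_next(tally: Counter, n: int = 5) -> dict:
    """Compare the leading entry with the next n entries combined, the comparison
    the article draws for Microsoft against Cisco, Adobe, Apple, Google and Oracle."""
    ranked = tally.most_common()
    if not ranked:
        raise ValueError("empty tally")
    leader, leader_count = ranked[0]
    runners_up = ranked[1:1 + n]
    runner_total = sum(count for _, count in runners_up)
    grand_total = sum(tally.values())
    return {
        "leader": leader,
        "leader_count": leader_count,
        "leader_share_pct": round(100 * leader_count / grand_total, 1),
        "runners_up": [name for name, _ in runners_up],
        "runner_total": runner_total,
        "leader_exceeds_runners": leader_count > runner_total,
    }


if __name__ == "__main__":
    by_vendor = tally_by(SAMPLE_KEV_JSON, "vendorProject")
    print(leader_vs_next(by_vendor))
    # The per-product view the company's defenders prefer.
    print(tally_by(SAMPLE_KEV_JSON, "product").most_common(3))
```

Pointing `SAMPLE_KEV_JSON` at the downloaded catalog instead of the constructed sample reproduces both the per-vendor and the per-product counts for any chosen cut-off date.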
A single point of failure
Even setting aside the vulnerabilities question, many cybersecurity experts believe that over-reliance on any single vendor is bad for security. That’s why three former Defense Department senior officials who led Microsoft roll-outs at DOD said they questioned the decision to scrap the Endpoint Security Solutions (ESS) program, which has since 2007 bought and customized commercial cybersecurity tools from different vendors, and replace it with Microsoft Defender tools.
“It scares the heck out of me that we’re vertically integrating the endpoints, the software, the cloud, and now the security stack with a single vendor. To me, that’s an unacceptable level of risk,” said a second former senior DOD IT official who was involved in many deployments of Microsoft products.
“It could create a single point of failure,” said a third former defense official who was involved in the early discussions that led to the decision last year. “If a single company is providing not just the software you use, but the cloud infrastructure you run it on as well and now the security stack too, that could be a problem” if hackers breach that single provider.
It’s not just the Defense Department. Across the federal government, 85 percent of employees use Microsoft business software for tasks such as email and word processing. And former officials say the company is seeking to duplicate the Defense Department’s move to Microsoft security products across civilian federal agencies as well.
By relying on Microsoft security tools to protect Microsoft software, the DOD is “putting all the nation’s eggs in one basket, and a badly flawed basket at that,” former career White House official Andrew Grotto told Newsweek. Now a fellow at Stanford University and a program director at its Cyber Policy Center, Grotto previously served as senior director for cybersecurity policy in the White House National Security Council staffs of Presidents Obama and Trump. Grotto currently consults for technology companies, including some that compete directly with Microsoft.
The DOD move has stoked concerns well beyond the circle of Microsoft’s established critics.
John Zangardi, a former longtime government IT executive who was acting chief information officer of DOD in 2017 when the department enforced the roll-out of Windows across all of its desktops and other endpoints, declined to comment directly on the ESS decision. But he told Newsweek that in his tenure, he emphasized “removing single points of failure” and “the importance of security tool diversity and redundancy”—having more than one set of tools, even if that meant duplication.
“Today’s digital infrastructures are incredibly complex, a bit like a modern commercial or military aircraft,” said Zangardi, a former U.S. Navy pilot who is now CEO of Redhorse Corp, a data science consultancy. “Those aircraft are built with multiple backup systems. If one part of a system fails, the entire aircraft can still function safely with the backup systems. Redundancy is an added guarantee of safety and lets complex systems be more reliable than the sum of their parts. In the same way, security tool diversity can provide backup and redundancy for digital infrastructure.”
Asked whether the change created a single point of failure, McKeown, the Defense Department’s Deputy CIO, said he believed that an integrated system was a source of security strength, not weakness.
“When DOD buys an aircraft, it doesn’t buy a box of parts that our mechanics have to put together, it buys the integrated aircraft,” he said. “We need to start thinking about our networks as weapon systems by investing in integrated solutions rather than individual components that our IT and cyber personnel try to make work together.”
He did not directly address detailed questions about technical evaluations that have compared ESS with Microsoft Defender, or about whether the newly purchased products are properly certified to run on DOD networks.
Microsoft says it is a great believer in diversity in security, using, for example, multiple sources of threat intelligence, including those licensed from its competitors, and developing partnerships with more than 15,000 security companies.
The half-billion security upsell
The DOD’s decision to upgrade its Microsoft licenses to include the Defender security tools will cost $543 million over two years, said John Weiler, CEO of the IT Acquisition Advisory Council, a non-profit that works to improve the way the federal government buys computer goods and services. The DOD itself did not provide a figure, but Weiler’s number was confirmed by other sources with knowledge of the transaction.
It’s not clear how much money the government hopes to save by winding down ESS, and potentially other DOD cybersecurity programs that duplicate Microsoft Defender tools, Weiler said, but added: “They just eliminated an entire market for competition and for innovation in DOD.” He noted that about a dozen cybersecurity vendors competed to supply tools to ESS and the other cybersecurity programs likely to be wound down. “These companies will no longer innovate to the needs of DOD down the road because there’s no revenue coming in to support that. And we all know that monopolists don’t innovate, they put all their energy and money into maintaining their monopoly.”
Weiler was an expert witness in the Justice Department’s Microsoft antitrust proceeding almost a quarter century ago, which found the company had violated anti-trust laws by bundling its web browser, Internet Explorer, with its Windows operating system, to freeze out competing browsers such as Netscape. Weiler said Microsoft’s current bundling of security tools with business software was “the same playbook” the company had used in the 1990s.
Microsoft’s statement did not address accusations that its practices with security software could be seen as anti-competitive.
The Defense Department move highlights some other difficult questions for Microsoft about the $20 billion annual security business the company has built over the past five years.
The $2 trillion-plus company, the second most highly valued global company behind Apple, earns almost 10 percent of its $200 billion-plus annual revenue from selling security products and services, and that revenue stream is in double-digit growth even as other areas of the company’s business are growing slowly if at all.
Critics charge they are making that money selling customers who’ve already bought Microsoft business software additional security tools—which they only need because the business software is so insecure.
“This is like a water company, who, when their customers complain: ‘This water you’re selling us is contaminated,’ they reply, ‘Well, we have some filters and other equipment we can sell you that will get rid of most of that,’” said John Pescatore, director of emerging security trends at the prestigious SANS Institute, a cybersecurity training organization. “Why aren’t they selling clean water in the first place? Why isn’t their software secure in the first place?”
Privately, Microsoft executives say that they entered the security market in response to customer demand. There was already a thriving marketplace for other companies’ security tools to protect Microsoft products from hackers, they say. Why shouldn’t the company bring its software expertise, and all the data it gets about attacks from the billions of computers its software is installed on, to that market?
A vulnerable architecture
But critics say the greater preponderance of vulnerabilities in Microsoft is no accident. It’s the result of design decisions taken over decades, said Ryan Kalember, executive vice president at cybersecurity company Proofpoint, which competes with Microsoft in the security tools market.
Above all, Kalember told Newsweek, Microsoft has focused on backwards compatibility, a design principle that means updated versions of the software must still work with all the programs the previous, un-updated versions worked with. The concept is very popular with consumer and business users, but comes at a high price for security.
“They end up creating more and more risk because they’re just building layers on top of layers,” Kalember said, retaining code for features that had been buggy and insecure a generation ago.
A vulnerability in Outlook revealed last month illustrates the issue, Kalember said. A hacker could, just by sending a specially crafted email, obtain a copy of the target user’s digital signature that they could then employ to impersonate that user on their corporate network. Read their email. Steal data they had access to. Worse, it was a so-called “zero-click” attack. The target didn’t need to click a link or an attachment, or even open the email.
The Outlook vulnerability lives in a 30-year-old mechanism for verifying identity called NTLM. It has been obsolete for 25 years, but it remains embedded in Microsoft code because removing it would break backwards compatibility.
“All of a sudden you’re back in 2002,” Kalember said. “It’s crazy how thin the veneer is.”
The company’s defenders say Microsoft customers rely on backwards compatibility, because not all of them can afford to upgrade to the latest products.
In its statement to Newsweek, the company said, “Security is woven into the digital fabric of our applications and services, and has been since day one.”
When Microsoft revealed and patched the NTLM vulnerability on March 14, hackers suspected to be from the Russian military intelligence agency GRU had been exploiting it for almost a year. But it attracted little attention outside of the cyber trade press: Just another vulnerability announced, as is now traditional, on Patch Tuesday, the second Tuesday of every month, when Microsoft and other vendors release security updates and improvements to their software.
In that same March update, Microsoft included patches for 80 different software vulnerabilities, nine of them rated “critical” and 60 “important.”
And it’s likely that a significant proportion of Microsoft customers, especially in government, may not yet have applied those patches, according to Roger Cressey, a veteran cybersecurity executive who worked on some of the federal government’s first cyber efforts more than two decades ago, and has continued to consult and work in the federal space since.
Microsoft has for 20 years been able to force its government and commercial clients to absorb the costs of the constant security updates needed to protect its products, Cressey said.
“Software is the only industry where government and consumers are asked to absorb the costs of unsafe, flawed vendor products as the cost of doing business,” said Cressey, now a partner with Mountain Wave Ventures, a cybersecurity and risk management consulting firm, where he occasionally consults for Microsoft competitors.
And the result is that many software patches are applied weeks or months after they are issued, or sometimes not at all. In April 2021, the FBI had to get a court order to allow it to remotely remove malware that was present on the IT networks of more than 60,000 Microsoft customers worldwide, more than six weeks after the company issued a patch.
The company says it works with CISA, other government agencies and its private sector partners to publicize the importance of applying security updates that patch vulnerabilities being actively exploited by hackers.
Microsoft’s unique role
The widespread concerns in the cybersecurity community about Microsoft’s role are reflected in the Biden administration’s National Cybersecurity Strategy, released in March. Pillar three, one of five the high-level document lays out, aims to push the responsibility for cybersecurity back onto software companies, especially the dominant ones such as Microsoft.
Launching the strategy, officials said software manufacturers needed to build security into the original design of their products, rather than leaving it to the end users, their customers, to buy additional software to try and secure it.
The White House declined to address questions about whether the DOD decision was pulling in a different direction.
“The whole point of pillar three [of the strategy] is to move to a place where you have security built in to software from the get-go, not bolted on afterwards through additional tools,” Grotto said.
Microsoft’s multiple roles in the IT marketplace, he added, means it can use security as what sales executives call an “upsell”—getting the customer to spend more for extra features.
All vendors try to upsell, Grotto acknowledged, but Microsoft is in a unique position because of its massive dominance of the business software segment—think email, calendar and word processing—in the federal government.
“When you’ve got one vendor supplying 85 percent of the productivity tools for the federal government, they are in an extraordinarily powerful position,” Grotto said, especially if that makes agencies think it would be expensive and difficult to change vendors.
In the course of a 2021 contract dispute, the U.S. Department of Agriculture (USDA) spelled out in rare detail what it would mean for the department to transition away from Microsoft products.
The agency justification, cited in a decision by government auditors, states that “96 percent of USDA systems run Windows operating systems,” and that USDA provides Microsoft software tools to 7,500 field offices supporting more than 120,000 users.
Even though the cost of Microsoft Office licenses for the USDA workforce was $170 million while the cost of licenses for competitor Google Workspace would have been as low as $58 million, the agency wanted to stay with Microsoft.
Switching to other products would take at least three years, USDA said, adding, “An undertaking of this magnitude would be a … multi-million-dollar effort during which time there would likely be an impact to the IT workforce and customer satisfaction across the board.”
The USDA’s situation is only remarkable in that it became public, Michael Garland, a government procurement attorney specializing in IT, told Newsweek. “The USDA protest provides a rare window into the reality of how entrenched and locked-in some of these software giants, including Microsoft, are all across the U.S. government’s software estate,” he said.
Fixing the problem: The car analogy for software
With its new strategy, the Biden administration wants to flip the script on cybersecurity, CISA Executive Assistant Director for Cybersecurity Eric Goldstein told Newsweek, pushing security responsibility “upstream,” back to the companies shipping insecure products.
“If we keep blaming only the victims, we know that’s not a recipe for scalable improvements, because so many victims, school districts, small hospitals, local water utilities, are never going to be able to defend themselves standing alone against the threats that they’re facing,” he said.
But absent congressional action to impose security requirements by regulation, officials plan to rely on market forces to incentivize Microsoft and other tech vendors to improve security. “We know that most customers want to install, run and rely upon products that are safe and secure by design and default,” Goldstein said. But buyers do not know what to ask for, he said.
To help educate the market, CISA has produced a set of design principles for secure products, and a key requirement is ending the practice of security upsell.
Charging extra for basic security measures “is not OK,” Goldstein said, using the example of seatbelts in a car.
“If one of us rented a car, got it, and there were no seatbelts because they were charging extra for that, we would not accept that … We need to get to the same model with technology, where there’s a basic (security) threshold that technology is expected to meet,” he said.
An upcoming White House deadline for federal agencies to have new security capabilities—such as the ability to preserve logs of computer activity that can help in the response to a cyberattack—will be an important test case for large government vendors like Microsoft, Goldstein said.
Historically, agencies have had to pay as much as 40 percent extra for such capabilities, but Goldstein said it was time for vendors to step up and do the right thing—by providing their federal customers with products that didn’t require expensive add-ons to be secure.
Microsoft executives say the company has a right to charge extra for high-end security measures—whether to the Department of Defense or to anyone else.
“We are a for-profit company,” Microsoft Vice President Brad Smith told a congressional committee in 2021, when asked whether security should be treated as an upsell. “Everything that we do is designed to generate a return other than our philanthropic work.”
Shaun Waterman can be reached at firstname.lastname@example.org. Follow him on Twitter @WatermanReports.