Google Urges Feds to Ditch Microsoft Over Security Concerns – Source: www.databreachtoday.com

Governance & Risk Management
,
Government
,
Industry Specific

Technology Giants Vie for Public Sector Customers Amid Microsoft’s Recent Breaches

Chris Riotta (@chrisriotta) •
May 21, 2024    

Google is aiming to poach Microsoft’s public sector customers by attacking its competitor over recent high-profile breaches and offering new incentives for federal agencies to reduce the U.S. government’s “overreliance on a single technology vendor.”

See Also: Zero Trust Unleashed: Keeping Government Secrets Safer Than the Crown Jewels

The company on Monday published a white paper titled “A More Secure Alternative,” which argues that “Google Workspace offers a safer choice” to Microsoft amid ongoing security challenges affecting the technology giant. The paper echoes a report by the Department of Homeland Security’s Cyber Safety Review Board on the 2023 compromise of Microsoft by the Chinese cyberespionage threat actor known as Storm-0558.

“The repeated security challenges with Microsoft call for a better alternative for enterprises and public-sector organizations alike,” the paper states. It describes Google’s set of integrated work and collaboration apps as a safer alternative.

Any shift away from Microsoft throughout the public sector would be a significant undertaking, considering how heavily federal agencies rely on its wide range of software and services, from Windows and Office to Azure and specialized government solutions. Google argued that Microsoft is only now starting to learn from security incidents involving the same threat actor that targeted Google 14 years ago, prompting the company to restructure its internal infrastructure and security approaches.

Google is calling on the public sector to adopt multi-vendor strategies and promote open standards to help ensure interoperability, while including security as a key procurement consideration in exclusively buying “secure by design” systems. The company signed a “secure by design” pledge with the Cybersecurity and Infrastructure Security Agency at RSA Conference earlier this month – as did Microsoft.

The CSRB report concluded that the Storm-0558 compromise “was preventable and should never have occurred.” It described Microsoft’s security culture as “inadequate” and in need of an overhaul, “particularly in light of the company’s centrality in the technology ecosystem.” (see: Report Slams Microsoft for Security Blunders in Chinese Hack).

The DHS review board found that Chinese hackers penetrated Microsoft Exchange Online after the company committed a cascade of “avoidable errors,” allowing the group to successfully target top U.S. government officials’ email accounts. The targeted senior officials included Commerce Secretary Gina Raimondo, the U.S. ambassador to China, and Rep. Don Bacon, a Nebraska Republican critical of Beijing.

Microsoft announced major updates to its security operations in May as concerns exploded over the global corporation’s cyber posture, including linking executive compensation to achieving certain security milestones (see: Microsoft Overhauls Security Practices After Major Breaches). The announcement said Microsoft would adopt “more fine-grained partitioning of identity signing keys and platform keys” and develop systems equipped “for a post-quantum cryptography world.”

“Microsoft plays a central role in the world’s digital ecosystem, and this comes with a critical responsibility to earn and maintain trust,” Charlie Bell, executive vice president for Microsoft Security, said in a blog post at the time. “We must and will do more.”

Microsoft received at least one-quarter of its U.S. contracts without undergoing any meaningful competition, according to a 2023 report published by IT consultant Michael Garland and sponsored by the digital trade association NetChoice.

The report includes an example in which the government spent over $100 million more to buy Microsoft Office in order to avoid perceived costs to switch products.

Sen. Ron Wyden, D-Ore., released draft legislation in April that would prohibit federal agencies from purchasing collaboration technology such as Microsoft’s products that fail to comply with standards set by the National Institute of Standards and Technology. The bill would also require agencies to use end-to-end encryption and other measures to further protect U.S. government communications from foreign surveillance.

Wyden introduced the Secure and Interoperable Government Collaboration Technology Act while describing the federal government’s reliance on Microsoft technologies as a national security risk.

“Vendor lock-in, bundling, and other anticompetitive practices result in the government spending vast sums of money on insecure software,” Wyden said in a statement. “It’s time to break the chokehold of big tech companies like Microsoft on government software.”