
Microsoft needs to get serious about secure software, or we’ll find a new IT partner


COMMENTARY: Microsoft turned 50 this year, a remarkable milestone for a company that has so greatly influenced the way we live and work.

Nearly everyone has interacted in some way with Microsoft products, from Windows to Office 365. Approximately 70% of Fortune 500 companies have used Microsoft’s AI-powered productivity tool, and the company has an 85% market share in the U.S. government’s office productivity software market.


Yet, for all of Microsoft’s benefits, the company’s products are also riddled with security flaws, and there are constant reminders of how dangerous it’s become for one tech company to have so much influence.

According to BeyondTrust’s 12th annual report on Microsoft vulnerabilities, 2024 was a record-breaking year for the company once dubbed “tech’s good guy” and “Washington’s favorite tech giant,” with 1,360 vulnerabilities across Microsoft’s systems.

That’s 11% higher than its previous record of 1,292 in 2022. With 404 vulnerabilities already reported this year, Microsoft is on pace to smash that undesirable record. The reality: Microsoft’s vulnerabilities comprise a quarter of the Cybersecurity and Infrastructure Security Agency’s (CISA’s) known exploited vulnerabilities list, 304% more than its next-closest technology vendor.

While no company can build perfectly secure products, U.S. lawmakers and regulators should hold Microsoft to the highest standard possible and closely examine the government’s dependence on its leading productivity software provider. 

In response to these security cracks, Microsoft launched its Secure Future Initiative (SFI), assuring investors, customers and decision makers in Washington that security is its top priority. The company even boasted in its latest update last month that it has dedicated the equivalent of 34,000 engineers working full-time for 11 months to mitigate risks of its own making.

However, this update contrasts starkly with the BeyondTrust report, which found that the number of vulnerabilities across Microsoft’s systems has steadily increased since SFI was announced last month. And now, instead of simply improving the systems its customers have already paid for, the company recently announced that it is charging extra for its actual security fixes, including a new monthly subscription for no-reboot security “hotpatch” updates that fix Microsoft’s own vulnerabilities: continuing its cycle of contributing to cyber threats and monetizing the cure.

A tough year for Microsoft

In January 2024, Microsoft disclosed that Russian hackers had infiltrated its corporate networks and, among other things, obtained correspondence with its government customers. In April, the Department of Homeland Security’s Cyber Safety Review Board found that Chinese hackers had compromised Microsoft’s email platform the year prior because of “a cascade of security failures at Microsoft.” In June, a ProPublica report revealed that Microsoft had ignored the security flaw that led to SolarWinds, one of the largest cyberattacks in U.S. history.

By July, Microsoft’s “blue screen of death” had appeared on millions of Windows screens during the CrowdStrike outage and brought down operations across the federal government and major industries. At the time, security experts noted that Microsoft “hasn’t taken the vulnerability of its software seriously enough.”

Despite promising to do better after each high-profile stumble, Microsoft’s woes continued. A cyberattack took its cloud platform offline; the company lost security log data across multiple platforms; and one of its own security engineers published a “how-to” guide on accessing Microsoft’s sensitive data and employee emails through an exposed credential.

Microsoft has made and broken promises to do better before. In September 2018, Microsoft president Brad Smith said: “Cybersecurity is almost ‘job one’ these days for every consumer, for every government, for every business on the planet. That’s why we make it such a priority.” There are many such instances over the past several years, especially after the SolarWinds hack five years ago.

At the RSA Conference last month, Secretary of Homeland Security Kristi Noem pledged support for Secure by Design principles, stating that DHS would stop paying to patch vulnerabilities in software that should have been secure from the start. “The time is now,” Noem said. “We will not continue to use taxpayer dollars to pay for security that should have been baked into products in the first place.”

She’s absolutely correct. The Trump administration needs to move beyond pledges and take concrete action to compel all software providers to fix their defective software practices or lose the privilege of selling to the federal government.

Microsoft has been given many chances, but the company continues to make empty promises. As someone who has served in counterterrorism and cybersecurity policy roles for Presidents Bill Clinton and George W. Bush, I believe the time has come for Microsoft to either get serious about security, or for the public sector to find a new IT partner.

Our nation’s digital and national security requires nothing less.

Roger Cressey, partner, Mountain Wave Ventures

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
