Feds to Microsoft: Clean up your security act — or else

The US government, worried about the continuing growth of cybercrime, ransomware, and countries including Russia, Iran, and North Korea hacking into government and private networks, is in the middle of drastically changing its cybersecurity strategy. No longer will it rely largely on prodding businesses and tech companies to voluntarily take basic security measures such as patching vulnerable systems to keep them updated.

Instead, it now wants to establish baseline security requirements for businesses and tech companies and to fine those that don’t comply.

It’s not just companies that use the systems who might eventually need to abide by the regulations. Companies that make and sell them, such as Microsoft, Apple, and others could be held accountable as well. Early indications are that the feds already have Microsoft in their crosshairs — they’ve warned the company that, at the moment, it doesn’t appear to be up to the task.

First, let’s delve into the government’s emerging strategy.

In early March, the Biden Administration released a new National Cybersecurity Strategy; it puts more responsibility on private industry and tech firms to follow best security practices such as patching systems to fight newly found vulnerabilities and using multifactor authentication whenever possible.

US regulators have long recommended that tech companies do this. The difference now, according to the New York Times, is that “the new National Cybersecurity Strategy concludes that such good-faith efforts are helpful but insufficient in a world of constant attempts by sophisticated hackers, often backed by Russia, China, Iran or North Korea, to get into critical government and private networks. Instead, companies must be required to meet minimum cybersecurity standards.”

In theory, if those standards aren’t met, fines would eventually be imposed. Glenn S. Gerstell, former general counsel of the National Security Agency, explained it this way to the Times: “In the cyberworld, we’re finally saying that Ford is responsible for Pintos that burst into flames, because they didn’t spend money on safety.” That’s a reference to the Ford Pinto frequently bursting into flames when rear-ended in the 1970s. That led to a spate of lawsuits and a ramp-up in federal auto safety regulations.

But cybersecurity requirements backed by fines aren’t here yet. Dig into the new document and you’ll find that because the new strategy is only a policy document, it doesn’t have the bite of law behind it. For it to go fully into effect, two things need to happen. President Biden has to issue an executive order to enforce some of the requirements. And Congress needs to pass laws for the rest.

It’s not clear when lawmakers might get around to moving on the issue, if ever, although Biden could issue an executive order for parts of it.

All that may sound as if the new strategy is toothless. But that’s not quite the case. The US government is the world’s biggest bully pulpit. It can put a tremendous amount of pressure on businesses and tech companies to follow the strategy by publicly criticizing them. That, in turn, could lead customers to shy away from some businesses’ products and services. And, of course, the government can require that companies meet basic cybersecurity practices if they want government contracts.

So, what does all this have to do with Microsoft? Plenty. The feds have made clear they believe Microsoft has a long way to go before it meets basic cybersecurity recommendations. At least one top government security official has already publicly called out Microsoft for poor security practices.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly recently criticized the Microsoft during a speech at Carnegie Mellon University. She said that only about one-quarter of Microsoft enterprise customers use multifactor authentication, a number she called “disappointing.” That might not sound like much of a condemnation, but remember, this is the federal government we’re talking about. It parses its words very carefully. “Disappointing” to them is the equivalent of “terrible job” anywhere else.

Easterly also stung Microsoft by praising Apple, pointing out that 95% of iCloud users have multifactor authentication turned on because it’s enabled by default. “Apple is taking ownership for the security outcomes of their users,” she said. The implicit criticism is that Microsoft isn’t.

Eventually, the government’s new cybersecurity strategy could be a serious issue for Microsoft unless it follows the recommended standards. If executive orders are issued and laws passed, the company could eventually be held liable if it doesn’t do more to make sure its customers’ software is regularly patched, or that its customers use multifactor authentication. The onus will be on Microsoft to design systems that can be more easily patched, are perhaps even self-patching, or that use multifactor authentication by default.

Even without laws and executive orders, the company could be in trouble. The US government spends billions of dollars on Microsoft systems and services every year, a revenue stream that could be endangered if Microsoft doesn’t adhere to the standards.

Some in Congress already view the company with a gimlet eye because of past cybersecurity shortcomings. Two years ago, the Cybersecurity Infrastructure Security Agency included $150 million in its budget to pay Microsoft to improve cloud security. That spending came after “two enormous cyberattacks leveraged weaknesses in Microsoft products to reach into computer networks at federal and local agencies and tens of thousands of companies,” according to Reuters.

The irony of giving Microsoft $150 million because its software is insecure was not lost on Congress. Sen. Ron Wyden (D-OR), who is on the intelligence committee, warned, “If the only solution to a major breach in which hackers exploited a design flaw long ignored by Microsoft is to give Microsoft more money, the government needs to reevaluate its dependence on Microsoft. The government should not be rewarding a company that sold it insecure software with even bigger government contracts.”

Two years ago, Microsoft got the extra money. But if the government’s new National Cybersecurity Strategy has any force at all, that won’t happen again.

http://www.computerworld.com/category/security/index.rss

Leave a Reply