Government , Industry Specific
Lawmakers Urge Pentagon to Diversify Cybersecurity Vendors
Concerns Grow Over Department of Defense Plans to Invest More in Microsoft ProductsU.S. lawmakers are sounding the alarm over Department of Defense plans to further invest in Microsoft products despite a series of high-profile cybersecurity incidents that affected the technology giant.
See Also: The CIS Security Operations Center (SOC)
A bipartisan pair of senators wrote a letter to Defense CIO John Sherman expressing "serious concern" that the department is "doubling down on a failed strategy of increasing its dependence on Microsoft" as Washington reassesses its reliance on the company's 365 cloud-based products. The letter comes after a memo first reported by Axios said that all department components must upgrade to and implement Microsoft 365 E5 licenses, which include security provisions such as identity protection and insider risk management, within 12 months.
"We are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs, and better outcomes related to cybersecurity," Sens. Ron Wyden, D-Ore., and Eric Schmitt, R-Miss., said in the letter. The Defense Department is one of the largest purchasers of cybersecurity products in the United States.
The letter follows a recent federal report that examines Microsoft's security failures after a Chinese hacking campaign successfully targeted top U.S. government officials' email accounts last summer (see: Report Slams Microsoft for Security Blunders in Chinese Hack). Microsoft also faced criticism after Russian state hackers used unsophisticated techniques to gain access to email accounts belonging to the company's senior executives in January.
Experts have long called on the federal government and the Pentagon to move away from overreliance on a single software provider, saying the approach can lead to avoidable vulnerabilities and risk national security. In the letter sent to DOD on Wednesday, Wyden and Schmitt requested information on plans for the Pentagon to ensure "a multi-vendor approach that encourages innovation and competition."
"When the DoD demands sophisticated cybersecurity products, there are not only positive effects across the U.S. government, but also beneficial consequences across the public and private sector," the letter says, calling it "imperative" for Congress and the DOD to "work together to ensure robust cybersecurity practices."
Microsoft has become a main focus of scrutiny in recent months, said Roger Koehler, CISO of security platform Huntress and former deputy director of the DOD's joint artificial intelligence center.
"Microsoft is a large enterprise player, so it doesn't leave the DOD and federal government many options," Koehler told Information Security Media Group. The company is "publicly acknowledging the need to improve" and taking steps to bolster security measures for customers, he added (see: Microsoft Overhauls Security Practices After Major Breaches).
Charlie Bell, Microsoft's executive vice president of security, compliance, identity and management, said in a May blog post that the company was planning to link executive compensation to achieving certain security milestones and expand its Secure Future Initiative, which aims to combat escalating cyberattacks.
The announcement says Microsoft will enforce continuous least privilege access to all of its applications and users going forward and eliminate the entirety of identity lateral movement between tenants, environments and cloud networks. Microsoft enabled default logging for its users following recent cyberattacks, which allowed organizations that don't have enough resources - such as small, minority-owned businesses - to review basic logging information needed to understand if they had been compromised by the incident.
"None of these are a silver bullet solution," Koehler said about Microsoft's security upgrades, adding: "But there is no such thing as perfect security."
The Pentagon did not respond to a request for comment.