Pentagon 'doubling down' on Microsoft despite 'massive hack,' senators complain

Meanwhile Mr Smith goes to Washington to testify before Congress

The Pentagon is "doubling down" on its investment in Microsoft products despite the serious failings at the IT giant that put America's national security at risk, say two US senators.

In a May 29 letter to Department of Defense CIO John Sherman, US Senators Ron Wyden (D-OR) and Eric Schmitt (R-MO) noted their "serious concern."

The DoD, according to the two lawmakers, continues its "failed strategy of increasing its dependence on Microsoft at a time when Congress and the administration are reviewing concerning cybersecurity lapses that led to a massive hack of senior US officials' communications."

Microsoft President Brad Smith will testify before Congress next week about his corporation's security shortcomings that led to this "massive hack" last summer, during which Chinese government spies broke into Microsoft-hosted email accounts belonging to US government officials.

In their letter, the lawmakers noted that the Department of Homeland Security's subsequent Cyber Safety Review Board investigation into the security snafu found that "avoidable errors" by Microsoft allowed Beijing's Storm-0558 spy crew to steal tens of thousands of sensitive emails from the cloud-based inboxes of the US Secretary of Commerce and high-ranking officials at the Department of State, among others.

Despite what the review board described as a "cascade of failures" by Microsoft, however, the US government keeps throwing millions of dollars at Redmond year after year, much to some lawmakers' chagrin. 

"The Department of Defense is one of the largest purchasers of cybersecurity services," Wyden and Schmitt wrote. "Through its buying power, DoD's strategies and standards have the power to shape corporate strategies that result in more resilient cybersecurity services."

The senators also referenced a draft DoD memo, first reported by Axios, that would require all department offices to upgrade to Microsoft's most expensive E5 software license by next summer. 

According to the memo, this would "accelerate and enhance the department's cybersecurity posture" and zero-trust strategy.

"Although we welcome the Department's decision to invest in greater cybersecurity, we are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs, and better outcomes related to cybersecurity," the two senators wrote.

They want Sherman to answer a series of questions about the Microsoft E5 proposal, including a rationale for the timeline, a technical justification for deploying all Microsoft products, and the Pentagon's plan for ensuring a multi-vendor approach.

The Dept of Defense's 2018 Cyber Strategy directed it to increase the use of secure open source software, and the two senators want to hear about the DoD's efforts to meet this directive, and how much financial support has been provided to support the maintenance of open source projects. 

Additionally, after the Storm-0558 intrusion, Microsoft — with some strong encouragement from the US Cybersecurity and Infrastructure Security Agency (CISA) — promised to provide cloud security logs to its customers free of charge, rather than restricting those logs to organizations paying for E5 licenses.

The senators want to know if Redmond has made good on its promise to provide these enhanced security logs, free of charge, to the Pentagon.

Microsoft did not respond to The Register's request for comment. We will update this story if and when we hear back. ®
