ProPublica is a nonprofit newsroom that investigates abuses of power.
President Joe Biden on Thursday, in his final week in office, issued an executive order aimed at strengthening the nation’s cyber defenses, part of which will require software providers such as Microsoft to submit proof that they meet certain security standards before they can sell products to the federal government.
The move follows an onslaught of cyberattacks in recent years in which hackers with ties to Russia, China and other adversaries have exploited software vulnerabilities to steal classified documents from federal agencies.
In calling for more accountability from software makers, Biden said contractors “despite their efforts to follow cybersecurity practices, fail to fix known exploitable vulnerabilities in their software.” He pointed to examples in which a failure to comply with the law put the government at risk of compromise.
In June, ProPublica reported on one such incident involving Microsoft, the federal government’s largest IT vendor. In the so-called SolarWinds attack, discovered just before Biden took office, Russian state-backed hackers exploited a weakness in a Microsoft product to steal sensitive data from the National Nuclear Security Administration and other agencies. ProPublica revealed that Microsoft leaders had for years ignored warnings about the flaw from one of their own engineers, fearing that publicly acknowledging it would alienate the federal government and put the company at a disadvantage to its competitors.
The culture of prioritizing profits over security was largely driven by the company’s rush to gain ground in the multibillion-dollar cloud computing market, the news outlet reported. One former Microsoft supervisor described that attitude as, “We have to win, so we’ll do whatever it takes to win.”
Microsoft has defended its decision not to address the flaw, telling ProPublica in June that its assessment at the time included “multiple reviews” and weighed several factors, including “potential disruption to customers, potential for exploitation, and available mitigations.” But in the months and years after the SolarWinds hack, Microsoft’s security flaws were a factor in other attacks against the government, including a 2023 breach in which hackers with ties to the Chinese government accessed the emails of senior U.S. officials. The federal Cyber Safety Review Board subsequently found that the company had deprioritized security investments and risk management, resulting in a “cascade of avoidable errors.”
Microsoft has said it is committed to putting security “first and foremost.”
To be sure, Microsoft isn’t the only company offering products that have provided entry points for hackers into government networks. The Russian hackers behind the SolarWinds attack gained access to victims’ networks through a tainted software update from Texas-based SolarWinds before exploiting the flawed Microsoft product.
Under the order, to prevent future hacks, the government will require IT companies to submit evidence that they employ “secure software development practices to reduce the number and severity of vulnerabilities” in their products. Additionally, the government “must adopt more rigorous third-party risk management practices” to verify the use of such practices, Biden said. He called for changes to the Federal Acquisition Regulation, the rules for government contracting, to implement his recommendations. Once fully enacted, violators of the new requirements could be referred to the attorney general for legal action.
Biden also said that strengthening the security of the federal government’s identity management systems is “particularly important” to improving the nation’s cybersecurity. In fact, the Microsoft product that ProPublica’s June article focused on was a so-called “identity” product, which lets users log on once to access nearly all the programs they use at work. By exploiting the weakness in that identity product during the SolarWinds attack, the Russian hackers were able to quickly siphon email from victims’ networks.
In November, ProPublica reported that Microsoft used the SolarWinds attack as an opening to offer free trials of its cybersecurity products to federal agencies. The move effectively locked those agencies into more expensive software licenses and significantly expanded Microsoft’s footprint across the federal government. The company told ProPublica that the offer was a direct response to “an urgent request from the government to strengthen the security posture of federal agencies.” Biden’s executive order addressed the fallout from the 2021 offer, directing the federal government to reduce risks posed by the “concentration of IT vendors and services,” an allusion to the government’s growing dependence on Microsoft, which some lawmakers have called a “cybersecurity monoculture.”
The order takes a firmer stance on the technology companies that supply the government but leaves enforcement to the Trump administration. It is unclear whether the incoming president will follow through on the executive order’s changes. President-elect Donald Trump has emphasized deregulation even as he has signaled his administration will take a tough stance on China, one of the country’s biggest cyber adversaries.
Neither Microsoft nor the Trump transition team responded to requests for comment on the order.
Thursday’s executive order is the latest in a series of regulatory moves affecting Microsoft in the waning days of the Biden administration. Last month, ProPublica reported that the Federal Trade Commission is investigating whether the company’s business practices violate antitrust laws. FTC lawyers are meeting, and scheduling meetings, with Microsoft’s competitors, and one key area of interest is how the company packages its popular Office products with cybersecurity and cloud computing services.
That so-called bundling was the subject of a November ProPublica investigation, which detailed how Microsoft used the practice to box competitors out of lucrative federal contracts beginning in 2021. FTC investigators view the fact that Microsoft won more federal business even as it left the government vulnerable to hacking as an example of a problem with the company’s influence on the market, people familiar with the investigation told ProPublica.
Microsoft has declined to comment on the details of the investigation, but told news outlets last month that the FTC’s recent requests for information were “broad and far-reaching, asking for more than is even logically possible.”
The commission’s new leadership, chosen by Trump, will decide the future of that investigation.