Senators Raise Cybersecurity Concerns Over New Pentagon Partnership With Microsoft

A phone is seen in front of a Microsoft logo in this illustration taken on July 26, 2021. (Dado Ruvic/Reuters)

Sens. Eric Schmitt (R-Mo.) and Ron Wyden (R-Ore.) are urging the U.S. Department of Defense to reevaluate its partnerships with Microsoft amid what the senators described as “cybersecurity lapses” impacting the information technology company.

Microsoft systems were targeted last year in an effort dubbed the “Storm-0558 Incident.” Microsoft had said the cybersecurity breach only impacted its Outlook.com and Exchange Online services, but the cybersecurity firm Wiz.inc published its own assessment suggesting the breach may have been larger than Microsoft let on.

This April, the U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) published a new assessment that the Storm-0558 hacking group is likely affiliated with the Chinese government and that the 2023 breach compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The CSRB report said the breach “was able to succeed because of a cascade of security failures at Microsoft.”

Mr. Schmitt and Mr. Wyden noted the CSRB assessment on the Storm-0558 breach, along with an alleged DOD draft memo Axios first reported on May 17, indicating the DOD is advising its components to upgrade their Microsoft software licenses to the company’s premium E5 software license.

“We write with serious concern that the Department of Defense (DoD) is doubling down on a failed strategy of increasing its dependence on Microsoft at a time when Congress and the administration are reviewing concerning cybersecurity lapses that led to a massive hack of senior U.S. officials’ communications,” the two senators wrote in a letter to DOD Chief Information Officer John Sherman on Wednesday.

While the two senators said they welcomed the idea of the DOD improving its cybersecurity measures with software upgrades, they questioned the decision to stick with Microsoft after the last security breach.

“We are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs, and better outcomes related to cybersecurity,” the two senators wrote. “Cybersecurity should be a core attribute of software, not a premium feature that companies upsell to deep-pocketed government and corporate customers.”

The senators argued that a cybersecurity approach that sees government offices relying on a mix of different software options “reduces risk-concentration to limit the blast area when our adversaries discover an exploitable security flaw.”

The bipartisan duo asked Mr. Sherman to explain the process by which the DOD decided to go with the Microsoft E5 license and, “What consideration was given to the fact our near peer adversaries seemingly need to breach just one company to potentially compromise DoD assets and data?”

The two senators also claimed that after the Storm-0558 breach, Microsoft had “pledged to provide free enhanced security logs to its customers, rather than restricting those logs to organizations paying for E5 licenses.” The senators asked Mr. Sherman whether the company had made good on this promise.

NTD News reached out to the DOD for comment about the letter from Mr. Schmitt and Mr. Wyden but did not receive a response by press time.

NTD News also reached out to Microsoft for its response to the letter from the two senators, but again did not receive a timely response.

Microsoft Chief Executive Officer Satya Nadella said in a May 3 company blog post that the information technology company will continue to prioritize security features. Mr. Nadella said the April CSRB report about the Storm-0558 breach underscored “the severity of the threats facing our company and our customers, as well as our responsibility to defend against these increasingly sophisticated threat actors.”

Microsoft President Brad Smith is set to testify before the House Homeland Security Committee on June 13 about the company’s cybersecurity efforts. The House committee has titled the hearing, “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.”