Microsoft Security Takes Another Beating as Google Cloud Showcases Microsoft’s Vulnerabilities

Called “A more secure alternative,” the 14-page PDF document from Google Cloud opens with this sledgehammer perspective:

“Microsoft’s ongoing security struggles recently came to a head with a series of high-profile incidents that put its customers at risk. One such incident in the summer of 2023 by the group known as Storm-0558 resulted in the compromise of senior US and U.K. government official accounts, including 22 organizations, over 500 individuals, and tens of thousands of emails.”

That bare-knuckles tone is maintained throughout the document, and while some people at Microsoft might think this approach is overly harsh, a low blow and unfair, I would offer two responses to those objections:

1. Who’s to blame? Microsoft has no one but itself to blame. As I’ve chronicled in great detail over the past several weeks, the real trouble with Microsoft’s cybersecurity business is not that some cybercriminals were able to successfully execute the Storm-0558 attack — although that’s certainly an extremely serious problem — but rather the underlying corporate-culture failings within Microsoft that precipitated this disaster. (More on that below.)
2. Who might gain? Google’s not airing Microsoft’s soiled laundry just for kicks — the very title of the document, “A more secure alternative,” represents a direct outreach to customers for whom cybersecurity has become an existential issue. If Google Cloud can indeed make the case that it truly does offer “a more secure alternative” to Microsoft, then it would be a grave disservice to business customers for Google Cloud not to tell the world about what it can do.

The Google Cloud document specifically touts the superior security capabilities of its Workspace productivity and collaboration applications, and does so from a high-level approach. From the opening page of the document, here’s an example of how Google Cloud frames its argument:

“We believe Google Workspace is a safer alternative, with a proven track record of engineering excellence, deep investment in cutting-edge defenses, and a transparent culture that treats providing security for our customers as a profound responsibility. This belief is rooted in battle-tested experience. We know that no organization is immune from highly sophisticated adversaries. In fact, these same nation state actors attacked Google in 2009, and those attacks led us to make far-reaching security improvements that were recognized in the CSRB report: “Google also undertook a comprehensive overhaul of its infrastructure security.”

The key point in this excerpt, I believe, is Google’s very precise reference to having “a transparent culture that treats providing security for our customers as a profound responsibility.” That’s because, as I’ve mentioned in my previous analyses of what must be regarded as a deeply troubling issue for Microsoft, the federal cybersecurity watchdog group — part of the US Department of Homeland Security — whose report enumerated the long list of Microsoft’s security shortcomings was particularly critical of the company’s cultural inadequacies.

In a May 9 analysis headlined “Can Satya Nadella Repair Microsoft’s Badly Broken Security Culture,” I offered this perspective on why the cultural challenge facing Microsoft is every bit as dangerous as the company’s technological shortcomings.

“But now Nadella must confront the enemy within: A massive and wildly successful global corporation that has lost its way so badly in the existential battle against cybercriminals that not only Nadella but also the worldwide head of Microsoft’s security business felt the need late last week to publish long, detailed, and bluntly worded statements designed to showcase Microsoft’s unconditional and unwavering commitment to cybersecurity.

“In a vacuum, those commentaries could be seen as commendable, and as a reaffirmation of an essential mission to ensure the safety and security Microsoft has promised, and of the trust on which Microsoft’s relationships with its largest customers has been built.

“But this most certainly did not happen in a vacuum: The May 3 memo to employees from Nadella and the contemporaneous public blog post from executive vice-president Charlie Bell were both triggered by coverage of a damning report issued by a cybersecurity watchdog team within the United States Department of Homeland Security.”

Ask AI Ecosystem Copilot about this analysis

Now, I’m sure a company as successful as Microsoft is constantly working to improve its processes and outcomes. But that clearly was not the case for its cybersecurity business, and the proof of that assertion can be found in the extensive overhauls outlined by both CEO Nadella and EVP Bell. Both executives outlined sweeping, dramatic, and fairly transformational changes that would result in a security operation and — more importantly — mindset that profoundly different from what they’d been in the past.

The steps each executive touched on are designed to break down internal politics and organizational silos, to establish security as the unconditional #1 priority for development resources and investments, to spread the responsibility to everyone across the vast Microsoft organization, and to directly tie some executive compensation to the enforcement and execution of these new security initiatives.

You can see the Nadella memo here and the Bell document here.

So when Google Cloud, in its “A more secure alternative” whitepaper, runs a headline across the top of page 4 blaring “Microsoft’s pattern of security issues” and then digs into those in detail, Google Cloud clearly has a lot of material with which to work.

Here’s a perfect example from the Google Cloud document, which appeared under a disturbing subhead that says, “Failure to correct inaccurate public statements”:

“The CSRB also noted significant concerns with Microsoft’s handling of the incident, including a ‘decision not to correct, in a timely manner, its inaccurate public statements about this incident’ until ‘the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction.’ As a result, ‘Microsoft’s customers did not have essential facts needed to make their own risk assessments about the security of Microsoft cloud environments in the wake of this intrusion.’ “

Final Thought

If it is indeed true that, as the Google Cloud document states, “Microsoft’s customers did not have essential facts needed to make their own risk assessments about the security of Microsoft cloud environments in the wake of” the China intrusion, then this problem is about as bad as it can possibly get for Microsoft.

Because while Microsoft has, over the past several months, been making lots of noise about its broad “Secure Future Initiative”, I believe many customers will sweep all that talk off the table and demand that before describing how Microsoft plans to secure the future, it had damn well better fix the present.

The AI Ecosystem Q1 2024 Report compiles the innovations, funding, and products highlighted in AI Ecosystem Reports from the first quarter of 2024. Download now for perspectives on the companies, investments, innovations, and solutions shaping the future of AI.