
The Software Licensing Disease Infecting Our Nation’s Cybersecurity


COMMENTARY

Last month, Microsoft president Brad Smith was confronted by the US House Committee on Homeland Security in a hearing over the cybersecurity woes that have plagued the government as a direct result of the company’s security shortcomings. These issues, however, don’t just come down to insecure products. They’re symptoms of a larger disease — a lapse in market and competition policy that has allowed Microsoft to dominate virtually all of the public sector technology market. And the US government’s failure to properly diagnose the deeper cause puts us all at risk.

Microsoft, by its own admission, is ground zero for state-sponsored hacking groups, and flaws in the company’s software have been responsible for a huge proportion of cyber breaches affecting the US government in recent memory. Our country’s cyber watchdogs — the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and Cyber Safety Review Board (CSRB) — have spent considerable resources assessing these incidents and trying to address Microsoft’s vulnerabilities.

There’s a fundamental problem with this process. The government is confusing symptoms — persistent hacks, breaches, and vulnerabilities — with an underlying disease: the lack of competition around cybersecurity. Microsoft has systematically exploited weaknesses in procurement processes to stifle competition and lock government customers into its insecure technology. That confusion ultimately leaves the government’s tools to enhance competition on the sidelines, when those tools are the best remedy for cyber insecurity.

The Problem With Microsoft’s Market Share

Microsoft holds an 85% market share of government collaboration and communications technology and is now awarded at least a quarter of its contracts without any meaningful competition. It has reached this position through a series of deliberate, anticompetitive moves that the government has largely neglected. Stretched government procurement officers and chief information security officers (CISOs) are taking the path of least resistance. That’s not their fault; it’s a difficult consequence of their job. But Microsoft exploits this by making it expensive and difficult to run its software on a competitor’s cloud, including charging a five-times premium just to use Word on Amazon’s cloud instead of its own Azure cloud service. Microsoft also bundles dozens of ancillary applications with its Office productivity apps in its licenses (including Access, Delve, Viva, and others), which stifles competition by linking basic, widely used services with less popular ones and pricing them as free.

The result? A software monoculture that presents the United States’ adversaries with a simple attack surface and nearly a single point of failure: Microsoft. This is a major threat to national security. The potential harm is real and expensive. The US government spent more than $11.1 billion on cybersecurity in 2023, in large part trying to compensate for and respond to the Microsoft incidents that left it vulnerable to intrusion.

Some lawmakers are ready to take action. Senator Ron Wyden recently drafted legislation




