Microsoft: clean up your security act, or else

The US government, concerned about the continued rise of cybercrime, ransomware and the hacking of government and private networks by countries including Russia, Iran and North Korea, is in the midst of a dramatic overhaul of its cyber security strategy. It will no longer rely heavily on businesses and technology companies to voluntarily take basic security measures, such as patching vulnerable systems, to keep them up to date.

Instead, it now wants to set baseline security requirements for enterprises and technology companies and fine those who don’t comply.

It’s not just the companies using the systems that may ultimately be required to comply with regulations. The companies that make and sell them, such as Microsoft, Apple, and others, could also be held liable. Early indications are that the feds already have Microsoft in their crosshairs; they’ve warned the company that it doesn’t seem up to the task at this point.

First, let’s delve into the government’s emerging strategy.

New National Cyber Security Strategy

In early March, the Biden administration released a new national cyber security strategy. It places greater responsibility on private industry and technology companies to follow security best practices, such as patching systems to combat newly discovered vulnerabilities and using multi-factor authentication whenever possible.

US regulators have long advised tech companies to do so. The difference now, according to the New York Times: “The National Cybersecurity Strategy concludes that such good-faith efforts are useful but insufficient in a world of constant attempts by sophisticated hackers, often supported by Russia, China, Iran or North Korea, to penetrate critical public and private networks. Instead, companies should be required to meet minimum cybersecurity standards.”

In theory, if these standards are not met, fines will eventually be imposed. Glenn S. Gerstell, a former top adviser at the National Security Agency, explained it this way to the Times: “In the cyber world, we’re finally saying Ford is responsible for Pintos catching fire because they didn’t spend money on safety.” That’s a reference to the Ford Pinto, which often caught fire in the 1970s when rear-ended. That led to lawsuits and tougher federal vehicle safety regulations.

But cyber security requirements backed by fines aren’t here yet. Dig into the new document and you’ll see that since the new strategy is only a policy document, there’s no bite of law behind it. For it to take full effect, two things must happen. President Biden would have to issue an executive order to enforce some of the demands. And Congress must legislate for the rest.

It’s unclear when lawmakers might move forward on the issue, if ever, although Biden could issue an executive order on parts of it.

All that may sound like the new strategy is toothless. But that’s not quite the case. The US government is the world’s biggest bully pulpit. It can put enormous pressure on businesses and tech companies to follow the strategy by publicly criticizing them. This, in turn, may cause customers to avoid certain businesses’ products and services. And of course, the government can require companies to implement basic cybersecurity practices if they want government contracts.

What does this mean for Microsoft?

So what does all this have to do with Microsoft? A lot. The feds have made it clear they believe Microsoft has a long way to go before it meets key cybersecurity recommendations. At least one senior government security official has already publicly called out Microsoft for poor security practices.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, recently criticized Microsoft during a speech at Carnegie Mellon University. She said only a quarter of Microsoft’s enterprise customers use multi-factor authentication, a number she called “disappointing.” That may not sound too damning, but remember, this is the federal government we’re talking about. It chooses its words very carefully. For them, “disappointing” is equivalent to “terrible work” anywhere else.

Easterly also took a jab at Microsoft while praising Apple, noting that 95% of iCloud users have multi-factor authentication enabled because it’s enabled by default. “Apple takes responsibility for the security results of their users,” she said. The implicit criticism is that Microsoft doesn’t.

Ultimately, the government’s new cybersecurity strategy could become a serious problem for Microsoft if it doesn’t follow the recommended standards. If executive orders are issued and laws are passed, the company could be held liable if it doesn’t do more to ensure that its customers’ software is regularly patched or that its customers use multi-factor authentication. It would be up to Microsoft to design systems that can be patched more easily, perhaps even patching themselves, or that use multi-factor authentication by default.

Even without laws and executive orders, the company could face problems. The US government spends billions of dollars each year on Microsoft systems and services, a revenue stream that could be at risk if Microsoft doesn’t meet the standards.

Some in Congress are already looking askance at the company because of past cybersecurity lapses. Two years ago, the Cybersecurity and Infrastructure Security Agency included $150 million in its budget to pay Microsoft to improve cloud security. The spending came after “two massive cyberattacks exposed vulnerabilities in Microsoft products to the computer networks of federal and state agencies and tens of thousands of companies,” Reuters reported.

The irony of giving Microsoft $150 million because its software is insecure was not lost on Congress. Senator Ron Wyden (D-OR), who sits on the Intelligence Committee, warned: “If the only solution to a major breach in which hackers exploited a design flaw long ignored by Microsoft is to give Microsoft more money, the government should reassess its dependence on Microsoft. The government should not reward a company that sold it insecure software with larger government contracts.”

Two years ago, Microsoft received additional money. But if the government’s new national cyber security strategy has any force at all, it won’t happen again.

Copyright © 2023 IDG Communications, Inc.