WWW.INFORMATIONWEEK.COM
Does the US Government Have a Cybersecurity Monoculture Problem?
Carrie Pallardy, Contributing ReporterNovember 21, 20244 Min ReadSOPA Images Limited via Alamy Stock PhotoThe way Microsoft provided the US government with cybersecurity upgrades is under scrutiny. ProPublica published a report that delves into the White House Offer: a deal in which Microsoft sent consultants to install cybersecurity upgrades for free. But those free product upgrades were only covered for up to one year.Did this deal give Microsoft an unfair advantage, and what could it take to shift the federal governments reliance on the tech giants services?The White House OfferProPublica spoke to eight former Microsoft employees that played a part in the White House Offer. With their insight, the ProPublicas report details how this deal makes it difficult for users in the federal government to shift away from Microsofts products and how it helped to squeeze out competition.While the cybersecurity upgrades were initially free, government agencies need to pay come renewal time. After the installation of the products and employee training, switching to alternatives would be costly.ProPublica also reports that Microsoft salespeople recommended that federal agencies drop products from competitors to save costs.Critics raise concerns that Microsofts deal skirted antitrust laws and federal procurement laws.Why didn't you allow a Deloitte or an Accenture or somebody else to say we want free services to help us do it? Why couldn't they come in and do the same thing? If a company is willing to do something for free like that, why should it be a bias to Microsoft and not someone else that's capable as well? asks Morey Haber, chief security advisor at BeyondTrust, an identity and access security company. Related:ProPublica noted Microsofts defense of its deal and the way it worked with the federal government. Microsoft declined to comment when InformationWeek reached out.Josh Bartolomie, vice president of global threat services at email security company Cofense, points out that the scale of the federal government makes Microsoft a logical choice.The reality of it is there are no other viable platforms that offer the extensibility, scalability, manageability other than Microsoft, he tells InformationWeek.The Argument for DiversificationOverreliance on a single security vendor has its pitfalls. Generally speaking, you don't want to do a sole provider for any type of security services. You want to have checks and balances. You want to have risk mitigations. You want to have fail safes, backup plans, says Bartolomie.And there are arguments being made that Microsoft created a cybersecurity monoculture within the federal government.Related:Sen. Eric Schmitt (R-Mo.) and Sen. Ron Wyden (D-Ore.) raised concerns and called for a multi-vendor approach.DoD should embrace an alternate approach, expanding its use of open-source software and software from other vendors, that reduces risk-concentration to limit the blast area when our adversaries discover an exploitable security flaw in Microsofts, or another companys software, they wrote in a letter to John Sherman, former CIO of the Department of Defense.The government has experienced the fallout that follows exploited vulnerabilities. A Microsoft vulnerability played a role in the SolarWinds hack.Earlier this year it was disclosed that Midnight Blizzard, a Russian state-sponsored threat group,executed a password spray attack against Microsoft. Federal agency credentials were stolen in the attack, according to Cybersecurity Dive.There is proof out there that the monoculture is a problem, says Haber.PushbackMicrosofts dominance in the government space has not gone unchallenged over the years. For example, the Department of Defense pulled out of a $10 billion cloud deal with Microsoft. The contract, the Joint Enterprise Defense Infrastructure (JEDI), faced legal challenges from competitor AWS.Related:Competitors could continue to challenge Microsofts dominance in the government, but there are still questions about the cost associated with replacing those services.I think the government has provided pathways for other vendors to approach, but I think it would be difficult to displace them, says Haber.A New AdministrationCould the incoming Trump administration herald changes in the way the government works with Microsoft and other technology vendors?Each time a new administration steps in, Bartolomie points out that there is a thirst for change. Do I think that there's a potential that he [Trump] will go to Microsoft and say, Give us better deals. Give us this, give us that? That's a high possibility because other administrations have, he says. The government being one of the largest customers of the Microsoft ecosystem also gives them leverage.Trump has been vocal about his America First policy, but how that could be applied to cybersecurity services used by the government remains to be seen. Do you allow software being used from a cybersecurity or other perspective to be developed overseas? asks Haber.Haber points out that outsourced development is typical for cybersecurity companies. I'm not aware of any cybersecurity company that does exclusive US or even North America builds, he says.Any sort of government mandate requiring cybersecurity services developed solely in the US would raise challenges for Microsoft and the cybersecurity industry as a whole.While the administrations approach to cybersecurity and IT vendor relationships is not yet known, it is noteworthy that Trumps view of tech companies could be influential. Amazon pursued legal action over the $10 billion JEDI contract, claiming that Trumps dislike of company founder Jeff Bezos impacted its ability to secure the deal, The New York Times reports.About the AuthorCarrie PallardyContributing ReporterCarrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.See more from Carrie PallardyNever Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.SIGN-UPYou May Also LikeReportsMore Reports
0 Comments
0 Shares
36 Views