News: Exclusive: Microsoft could reap more than $150 million in new U.S. cyber spending, upsetting some lawmakers.
SAN FRANCISCO / WASHINGTON (Reuters) – Microsoft is expected to receive nearly a quarter of the Covid bailout funds earmarked for U.S. cybersecurity defenders, sources told Reuters, angering some lawmakers who do not want to increase funding for a company whose software has recently been at the center of two big hacks.
Congress allocated the funds in question in the COVID relief act signed Thursday, after two massive cyberattacks exploited vulnerabilities in Microsoft products to infiltrate the computer networks of federal and local authorities and tens of thousands of businesses. A breach attributed to Russia in December compromised emails at the Justice, Commerce and Treasury departments.
The hacks pose a significant national security threat and frustrate lawmakers who say Microsoft profits from its buggy software.
“If the only solution to a major breach where hackers took advantage of a design flaw that Microsoft has long ignored is to give Microsoft more money, the government must reassess its reliance on Microsoft,” said Oregon Senator Ron Wyden, a leading Democrat of the Intelligence Committee.
“The government shouldn’t reward a company that sells insecure software with bigger government contracts.”
Microsoft previously said it was prioritizing fixes for the flaws it sees being attacked on a large scale.
A draft spending plan from the Cybersecurity and Infrastructure Security Agency (CISA) sets aside more than $150 million of its new $650 million for a “secure cloud platform,” according to Reuters and people familiar with the matter.
More specifically, the money was budgeted for Microsoft, according to four people briefed on the decision, primarily to help other federal agencies upgrade their existing Microsoft contracts to improve the security of their cloud systems.
A CISA spokesman declined to comment.
A key service Microsoft provides, known as activity logging, enables its customers to monitor traffic on their part of the cloud and spot the anomalies that could reveal hackers at work.
Officials have been seeking access to Microsoft’s premium logging feature after discovering that the lack of logs made investigating the recent nation-state hacks significantly more difficult.
Microsoft said Sunday that while all of its cloud products have security features, “larger organizations may need more advanced features, such as greater depth of security logs and the ability to examine those logs and take action.” It did not address the fairness concerns raised by lawmakers.
While some senior U.S. cyber officials feel they have no choice but to pay, Wyden and three other lawmakers have publicly voiced concerns about the plan.
Most major software products have been infiltrated by well-funded teams of hackers at one time or another, but the ubiquity of Microsoft products makes them a primary target.
The alleged Russian espionage campaign, known for its use of software from SolarWinds, hit nine government agencies and 100 private companies, many of which were compromised by tampering with a Microsoft system.
Recent hacks on tens of thousands of servers around the world running Microsoft Exchange, carried out by a handful of attackers including some tied to the Chinese government, relied on four previously unknown flaws in the way those servers process the web version of Outlook email. China has denied backing the attacks.
In a Feb. 26 hearing on the SolarWinds breach, Rhode Island Congressman Jim Langevin asked Microsoft President Brad Smith why the company charges additional fees for logging.
“We are a for-profit company,” replied Smith. “Everything we do is geared towards generating a return aside from our philanthropic work.”
Microsoft has made security offerings a significant source of income. The company generates $10 billion annually from them, up 40% over the previous year.
Congressman Dutch Ruppersberger of the Budget Committee said Congress needs to investigate “why security is an afterthought in the procurement process” rather than simply approving the lowest bidders.
The government could enact new regulations, said Curtis Dukes, former head of the defense mission at the National Security Agency and now at the nonprofit Center for Internet Security, which works closely with CISA. “Perhaps vendors above a certain size should have to do more.”
Reporting by Joseph Menn in San Francisco and Christopher Bing and Raphael Satter in Washington; Editing by Chris Sanders and Edward Tobin
Original Source © Reuters