[LINK] U.S. Department of Defence switching to Microsoft P2
Stephen Loosley
stephenloosley at zoho.com
Sat May 20 16:49:55 AEST 2023
(cont’d)
The half-billion security upsell
The DOD's decision to upgrade its Microsoft licenses to include the Defender security tools will cost $543 million over two years, said John Weiler, CEO of the IT Acquisition Advisory Council, a non-profit that works to improve the way the federal government buys computer goods and services. The DOD itself did not provide a figure, but Weiler's number was confirmed by other sources with knowledge of the transaction.
It's not clear how much money the government hopes to save by winding down ESS, and potentially other DOD cybersecurity programs that duplicate Microsoft Defender tools, Weiler said, but added: "They just eliminated an entire market for competition and for innovation in DOD." He noted that about a dozen cybersecurity vendors competed to supply tools to ESS and the other cybersecurity programs likely to be wound down. "These companies will no longer innovate to the needs of DOD down the road because there's no revenue coming in to support that. And we all know that monopolists don't innovate, they put all their energy and money into maintaining their monopoly."
Weiler was an expert witness in the Justice Department's Microsoft antitrust proceeding almost a quarter century ago, which found the company had violated antitrust laws by bundling its web browser, Internet Explorer, with its Windows operating system, to freeze out competing browsers such as Netscape.
Weiler said Microsoft's current bundling of security tools with business software was "the same playbook" the company had used in the 1990s.
Microsoft's statement did not address accusations that its practices with security software could be seen as anti-competitive.
The Defense Department move highlights some other difficult questions for Microsoft about the $20 billion annual security business the company has built over the past five years.
The $2 trillion-plus company, the second most highly valued global company behind Apple, earns almost 10 percent of its $200 billion-plus annual revenue from selling security products and services, and that revenue stream is in double-digit growth even as other areas of the company's business are growing slowly if at all.
Critics charge that Microsoft is making that money by selling customers who've already bought Microsoft business software additional security tools—which they only need because the business software is so insecure.
"This is like a water company, who, when their customers complain: 'This water you're selling us is contaminated,' they reply, 'Well, we have some filters and other equipment we can sell you that will get rid of most of that,'" said John Pescatore, director of emerging security trends at the prestigious SANS Institute, a cybersecurity training organization. "Why aren't they selling clean water in the first place? Why isn't their software secure in the first place?"
Privately, Microsoft executives say that they entered the security market in response to customer demand. There was already a thriving marketplace for other companies' security tools to protect Microsoft products from hackers, they say. Why shouldn't the company bring its software expertise, and all the data it gets about attacks from the billions of computers its software is installed on, to that market?
A vulnerable architecture
But critics say the greater preponderance of vulnerabilities in Microsoft is no accident. It's the result of design decisions taken over decades, said Ryan Kalember, executive vice president at cybersecurity company Proofpoint, which competes with Microsoft in the security tools market.
Above all, Kalember told Newsweek, Microsoft has focused on backwards compatibility, a design principle that means updated versions of the software must still work with all the programs the previous, un-updated versions worked with. The concept is very popular with consumer and business users, but comes at a high price for security.
"They end up creating more and more risk because they're just building layers on top of layers," Kalember said, retaining code for features that had been buggy and insecure a generation ago.
A vulnerability in Outlook revealed last month illustrates the issue, Kalember said. A hacker could, just by sending a specially crafted email, obtain a copy of the target user's digital signature that they could then employ to impersonate that user on their corporate network. Read their email. Steal data they had access to. Worse, it was a so-called "zero-click" attack. The target didn't need to click a link or an attachment, or even open the email.
The Outlook vulnerability lives in a 30-year-old mechanism for verifying identity called NTLM. It has been obsolete for 25 years, but it remains embedded in Microsoft code because removing it would break backwards compatibility.
"All of a sudden you're back in 2002," Kalember said. "It's crazy how thin the veneer is."
The company's defenders say Microsoft customers rely on backwards compatibility, because not all of them can afford to upgrade to the latest products.
In its statement to Newsweek, the company said, "Security is woven into the digital fabric of our applications and services, and has been since day one."
When Microsoft revealed and patched the NTLM vulnerability on March 14, hackers suspected to be from the Russian military intelligence agency GRU had been exploiting it for almost a year.
But it attracted little attention outside of the cyber trade press: Just another vulnerability announced, as is now traditional, on Patch Tuesday, the second Tuesday of every month, when Microsoft and other vendors release security updates and improvements to their software.
In that same March update, Microsoft included patches for 80 different software vulnerabilities, nine of them rated "critical" and 60 "important."
And it's likely that a significant proportion of Microsoft customers, especially in government, may not yet have applied those patches, according to Roger Cressey, a veteran cybersecurity executive who worked on some of the federal government's first cyber efforts more than two decades ago, and has continued to consult and work in the federal space since.
Microsoft has for 20 years been able to force its government and commercial clients to absorb the costs of the constant security updates needed to protect its products, Cressey said.
"Software is the only industry where government and consumers are asked to absorb the costs of unsafe, flawed vendor products as the cost of doing business," said Cressey, now a partner with Mountain Wave Ventures, a cybersecurity and risk management consulting firm, where he occasionally consults for Microsoft competitors.
And the result is that many software patches are applied weeks or months after they are issued, or sometimes not at all. In April 2021, the FBI had to get a court order to allow it to remotely remove malware that was present on the IT networks of more than 60,000 Microsoft customers worldwide, more than six weeks after the company issued a patch.
The company says it works with CISA, other government agencies and its private sector partners to publicize the importance of applying security updates that patch vulnerabilities being actively exploited by hackers.
Microsoft's unique role
The widespread concerns in the cybersecurity community about Microsoft's role are reflected in the Biden administration's National Cybersecurity Strategy, released in March. Pillar three, one of five the high-level document lays out, aims to push the responsibility for cybersecurity back onto software companies, especially the dominant ones such as Microsoft.
Launching the strategy, officials said software manufacturers needed to build security into the original design of their products, rather than leaving it to the end users, their customers, to buy additional software to try and secure it.
The White House declined to address questions about whether the DOD decision was pulling in a different direction.
"The whole point of pillar three [of the strategy] is to move to a place where you have security built-in to software from the get-go, not bolted on afterwards through additional tools," Grotto said.
Microsoft's multiple roles in the IT marketplace, he added, means it can use security as what sales executives call an "upsell"—getting the customer to spend more for extra features.
All vendors try to upsell, Grotto acknowledged, but Microsoft is in a unique position because of its massive dominance of the business software segment—think email, calendar and word processing—in the federal government.
"When you've got one vendor supplying 85 percent of the productivity tools for the federal government, they are in an extraordinarily powerful position," Grotto said, especially if that makes agencies think it would be expensive and difficult to change vendors.
In the course of a 2021 contract dispute, the U.S. Department of Agriculture (USDA) spelled out in rare detail what it would mean for the department to transition away from Microsoft products.
The agency justification, cited in a decision by government auditors, states that "96 percent of USDA systems run Windows operating systems," and that USDA provides Microsoft software tools to 7,500 field offices supporting more than 120,000 users.
Even though the cost of Microsoft Office licenses for the USDA workforce was $170 million while the cost of licenses for competitor Google Workspace would have been as low as $58 million, the agency wanted to stay with Microsoft.
Switching to other products would take at least three years, USDA said, adding, "An undertaking of this magnitude would be a ... multi-million-dollar effort during which time there would likely be an impact to the IT workforce and customer satisfaction across the board."
The USDA's situation is only remarkable in that it became public, Michael Garland, a government procurement attorney specializing in IT, told Newsweek. "The USDA protest provides a rare window into the reality of how entrenched and locked-in some of these software giants, including Microsoft, are all across the U.S. government's software estate," he said.
Fixing the problem: The car analogy for software
With its new strategy, the Biden administration wants to flip the script on cybersecurity, CISA Executive Assistant Director for Cybersecurity Eric Goldstein told Newsweek, pushing security responsibility "upstream," back to the companies shipping insecure products.
"If we keep blaming only the victims, we know that's not a recipe for scalable improvements, because so many victims, school districts, small hospitals, local water utilities, are never going to be able to defend themselves standing alone against the threats that they're facing," he said.
But absent congressional action to impose security requirements by regulation, officials plan to rely on market forces to incentivize Microsoft and other tech vendors to improve security. "We know that most customers want to install, run and rely upon products that are safe and secure by design and default," Goldstein said. But buyers do not know what to ask for, he said.
To help educate the market, CISA has produced a set of design principles for secure products, and a key requirement is ending the practice of security upsell.
Charging extra for basic security measures "is not OK," Goldstein said, using the example of seatbelts in a car.
"If one of us rented a car, got it, and there were no seatbelts because they were charging extra for that, we would not accept that ... We need to get to the same model with technology, where there's a basic (security) threshold that technology is expected to meet," he said.
An upcoming White House deadline for federal agencies to have new security capabilities—such as the ability to preserve logs of computer activity that can help in the response to a cyberattack—will be an important test case for large government vendors like Microsoft, Goldstein said.
Historically, agencies have had to pay as much as 40 percent extra for such capabilities, but Goldstein said it was time for vendors to step up and do the right thing—by providing their federal customers with products that didn't require expensive add-ons to be secure.
Microsoft executives say the company has a right to charge extra for high-end security measures—whether to the Department of Defense or to anyone else.
"We are a for-profit company," Microsoft Vice President Brad Smith told a congressional committee in 2021, when asked whether security should be treated as an upsell. "Everything that we do is designed to generate a return other than our philanthropic work."
Shaun Waterman can be reached at s.waterman at newsweek.com. Follow him on Twitter @WatermanReports.