In America, the Washington, D.C., uniparty types like to make you think that they are all for reining in big corporations in favor of the “little guy.” But in practice, it seems that across many industries, the practice of squeezing out competition via government subsidy or legislative or bureaucratic intervention is often carried out by legislators with a vested interest in the long-term success of their “donating constituency.”
In one of the more potentially damaging examples of this type of monopolistic cronyism, during the 2023 fiscal year, the US government gifted Microsoft nearly $500 million, despite the fact that more than 50% of government workers believe that the reliance on Microsoft’s productivity technology makes them more vulnerable to ransomware, trojans, and other cyber intrusions.
The whopping 50% figure shouldn’t really come to as a surprise to anyone paying attention. Hackers have exploited more than 280 Microsoft software vulnerabilities over a little more than two decades.
After one of the more recent major example of this pattern of consistent futility, the massive Summer 2023 Microsoft Exchange Online intrusion, the US Department of Homeland Security (DHS) was compelled to finally conduct a full investigation. The official reporting on the hack found that Microsoft’s negligence was directly responsible for the Chinese government-affiliated breach last summer, which, according to the DHS Cyber Safety Review Board, “never should have happened.”
Flaws in Microsoft’s authentication system allowed these Chinese hackers to sign into “essentially any Exchange Online account anywhere in the world.” This unfettered access to nearly every Microsoft account in the world allowed them to breach the e-mails of multiple US and Canadian agencies and individuals.
This Chinese Communist Party (CCP) attack wasn’t the first significant hacking of Microsoft by an adversarial nation, as recent news has demonstrated with a March 2024 report noting that Russia’s SCR foreign intelligence service used data from hacking core Microsoft software to penetrate several of the company’s internal systems in January.
If that wasn’t terrifying enough, government agencies have endured a rash of recent attacks that call into question the ability of both Canada and the United States’ respective federal cyber agencies in North America.
America’s Cybersecurity and Infrastructure Security Agency (CISA) saw 2 critical systems hacked, including the Infrastructure Protection (IP) Gateway, which maintains data related to the interdependency of US infrastructure, as well as the Chemical Security Assessment Tool (CSAT), which maintains private sector chemical security plans. The potential fallout from an attack targeting either system could be devastating and costly.
In Canada, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), a watchdog agency responsible for monitoring and investigating terrorist and organized crime financial activities, was recently stifled by a major cybersecurity breach. Additionally, Global Affairs Canada (GAC) initiated an unplanned IT outage on Jan. 24th to “address the discovery of malicious cyber activity.” It was reported that internal systems were vulnerable between Dec. 20th and Jan. 24th.
Interesting enough, the size of Canada’s investment in Microsoft rivals America’s when you consider the $299.8 million investment that the Canadian government made to it during 2021-2022. That’s an alarmingly large number considering that the size of the Canadian federal government is substantially smaller than that of the United States.
In light of international security failings and the growth of aggressive, weaponized, and state-sponsored malicious actors and other hackers around the world, why wouldn’t our respective governments add more approved contractors to their vendor lists, or, minimally, “call in” on their investment thus far with Microsoft by making them hit higher performance benchmarks before giving another red cent or Canadian nickel? Especially as predatory threats operating under the name of perfectly legitimate processes like Alrucs Service and other fake security alerts continue to not only hinder government systems but also cost individuals and small businesses millions of dollars in damages.
Is it because of the typical government inefficiency we have seen for generations, or is it garden variety cronyism? Either way, it isn’t solely Microsoft’s failure, as the governments signing off on these payouts aren’t strongly calling for Microsoft to improve, and recent changes at Microsoft may hopefully prove to be a positive factor in the future.
As innovation continues to evolve on a daily basis in the tech world among both legitimate users and criminal actors, the time is now for governments internationally to put more responsibility on themselves to secure the digital borders that protect some of our most important industries, political and business secrets, and critical infrastructure, while issuing a mandate to Microsoft to develop their next hardened security solutions at a pace that stays ahead of nefarious actors globally. Because when it comes to tech, the governments of both the US, Canada, and others all have money and options outside of Microsoft to do business with.
Julio Rivera is a business and political strategist, cybersecurity researcher, and a political commentator and columnist. His writing, which is focused on cybersecurity and politics, is regularly published by many of the largest news organizations in the world.