US Senator calls for Microsoft FTC probe over ‘gross cybersecurity negligence’ – Ron Wyden claims the tech giant has provided ‘dangerous, insecure software’ to the US government
Microsoft should face an FTC probe over alleged failings, one US lawmaker claims
Is Microsoft putting US national security at risk? One senator has made that claim and asked for regulators to investigate the tech giant for "gross cybersecurity negligence".
Ron Wyden, a Democratic senator from Oregon, has written to the chair of the Federal Trade Commission (FTC) calling for an investigation into Microsoft's cyber practices, in particular over attacks that target critical infrastructure.
Wyden said it was time to "hold Microsoft responsible for its gross cybersecurity negligence," specifically referencing the 2024 ransomware infection of non-profit health care provider Ascension as well as the recent SharePoint flaw.
"I urge the FTC to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the US government and to critical infrastructure entities, such as those in the US healthcare sector," Wyden wrote in his letter to FTC Chair Andrew Ferguson.
Wyden has previously called for the FTC and other US regulators to "take action" against Microsoft over a cyber attack linked to China.
Time for Microsoft to end RC4?
Wyden noted that the attackers who compromised Ascension used Kerberoasting to reach privileged accounts in Microsoft Active Directory. In that technique, any authenticated domain user asks the domain controller for Kerberos service tickets for accounts that carry a service principal name, then cracks the tickets' encryption offline to recover those accounts' passwords; because the cracking happens offline, the domain controller never records a failed logon. One industry report in 2023 recorded a 583% jump in attacks using the technique.
"This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts, including experts working for Microsoft, have for more than a decade warned is dangerous," Wyden wrote.
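The defender-side check that follows from the technique described above, as an added example that is not from Wyden's letter, Microsoft or ITPro: parse Windows Security event 4769 (a Kerberos service ticket was requested) records and flag an account that pulls RC4-encrypted tickets (encryption type 0x17) for several user-account service principals in a short window. The log lines are constructed and flattened to key=value fields; the field names mirror the 4769 event, and the threshold and window are assumptions to tune against a real export.

```python
"""Kerberoasting pattern over Windows Security event 4769 records.
Added example for this article, not ITPro's or Microsoft's code.
Field names mirror the 4769 event; SAMPLE_EVENTS are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # "Ticket Encryption Type" value for RC4-HMAC (etype 23)
ETYPE_NAMES = {0x17: "RC4-HMAC", 0x11: "AES128-CTS-HMAC-SHA1-96",
               0x12: "AES256-CTS-HMAC-SHA1-96"}

# Constructed, flattened 4769 events: '|'-separated key=value fields.
SAMPLE_EVENTS = [
    # one user pulls RC4 tickets for four SPN-bearing user accounts in seconds
    "EventID=4769|Time=2025-09-10T14:02:11|Account Name=jdoe@CORP.EXAMPLE|Service Name=svc_sql|Ticket Encryption Type=0x17|Client Address=::ffff:10.0.0.25|Failure Code=0x0",
    "EventID=4769|Time=2025-09-10T14:02:11|Account Name=jdoe@CORP.EXAMPLE|Service Name=svc_web|Ticket Encryption Type=0x17|Client Address=::ffff:10.0.0.25|Failure Code=0x0",
    "EventID=4769|Time=2025-09-10T14:02:12|Account Name=jdoe@CORP.EXAMPLE|Service Name=svc_backup|Ticket Encryption Type=0x17|Client Address=::ffff:10.0.0.25|Failure Code=0x0",
    "EventID=4769|Time=2025-09-10T14:02:13|Account Name=jdoe@CORP.EXAMPLE|Service Name=FS01$|Ticket Encryption Type=0x17|Client Address=::ffff:10.0.0.25|Failure Code=0x0",
    "EventID=4769|Time=2025-09-10T14:02:14|Account Name=jdoe@CORP.EXAMPLE|Service Name=svc_reporting|Ticket Encryption Type=0x17|Client Address=::ffff:10.0.0.25|Failure Code=0x0",
    # benign: a workstation renews its TGT, a user gets an AES ticket
    "EventID=4769|Time=2025-09-10T14:05:00|Account Name=WS01$@CORP.EXAMPLE|Service Name=krbtgt|Ticket Encryption Type=0x12|Client Address=::ffff:10.0.0.40|Failure Code=0x0",
    "EventID=4769|Time=2025-09-10T14:06:30|Account Name=alice@CORP.EXAMPLE|Service Name=svc_sql|Ticket Encryption Type=0x12|Client Address=::ffff:10.0.0.41|Failure Code=0x0",
    # one RC4 ticket from another user: below threshold
    "EventID=4769|Time=2025-09-10T15:10:00|Account Name=carol@CORP.EXAMPLE|Service Name=svc_web|Ticket Encryption Type=0x17|Client Address=::ffff:10.0.0.42|Failure Code=0x0",
    # a failed request is not a ticket
    "EventID=4769|Time=2025-09-10T15:11:00|Account Name=carol@CORP.EXAMPLE|Service Name=svc_sql|Ticket Encryption Type=0xFFFFFFFF|Client Address=::ffff:10.0.0.42|Failure Code=0x1F",
]


def parse_event(line: str):
    """Return a dict for a successful 4769; None for other events, failures
    and malformed lines."""
    rec = {}
    for field in line.split("|"):
        key, sep, val = field.partition("=")
        if not sep:
            return None
        rec[key.strip()] = val.strip()
    if rec.get("EventID") != "4769" or rec.get("Failure Code", "0x0") != "0x0":
        return None
    try:
        rec["etype"] = int(rec["Ticket Encryption Type"], 16)
        rec["time"] = datetime.fromisoformat(rec["Time"])
    except (KeyError, ValueError):
        return None
    return rec


def find_kerberoasting(lines, min_services=3, window=timedelta(minutes=10)):
    """Flag (account, client) pairs that obtained RC4 service tickets for at
    least `min_services` distinct user-account SPNs inside `window`.
    Computer accounts (name ends in '$') and krbtgt are skipped: their keys are
    long, random and rotated, so they are not what Kerberoasting cracks."""
    requests = defaultdict(list)
    for line in lines:
        rec = parse_event(line)
        if rec is None or rec["etype"] != RC4_HMAC:
            continue
        svc = rec.get("Service Name", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        key = (rec.get("Account Name", "?"), rec.get("Client Address", "?"))
        requests[key].append((rec["time"], svc))
    findings = []
    for (account, client), reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                findings.append({"account": account, "client": client,
                                 "etype": ETYPE_NAMES[RC4_HMAC],
                                 "services": sorted(services)})
                break
    return findings


if __name__ == "__main__":
    for f in find_kerberoasting(SAMPLE_EVENTS):
        print(f"{f['account']} from {f['client']} pulled {len(f['services'])} "
              f"{f['etype']} tickets: {', '.join(f['services'])}")
```

The RC4 filter is what makes this rule precise: a domain where every account and client negotiates AES should see almost no 0x17 tickets, so the few that remain are either legacy systems to fix or someone harvesting. Tune the threshold and window to the environment, and treat a single RC4 ticket for a highly privileged SPN account as worth a look on its own.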
RC4 refers to Rivest Cipher 4 — also known as ARC4 or ARCFOUR — a type of stream cipher that became widely used thanks to its speed and simplicity.
RC4 was designed by Ron Rivest in 1987 and its code leaked publicly in 1994. Serious keystream biases and key-scheduling weaknesses have been found since, the IETF banned it from TLS in 2015 (RFC 7465), and its use is now actively discouraged, including by Microsoft itself. In Kerberos the practical problem is less the cipher than its key: the RC4-HMAC key is the account's unsalted NT password hash, so a service ticket encrypted with it can be brute-forced offline at the cost of one MD4 hash per guess, whereas the AES encryption types derive their keys with a salt and 4,096 rounds of PBKDF2.
Microsoft hits back
The tech giant still technically allows its use, however. A spokesperson for Microsoft told ITPro the outdated encryption standard Wyden is referring to isn't widely used.
"RC4 is an old standard and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic," the spokesperson said.
"However, disabling its use completely would break many customer systems," a spokesperson said. "For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible."
Microsoft is disabling RC4 by default in some products as of the beginning of next year, with "additional mitigations" for those still using it, the spokesperson added.
Regardless, Wyden criticized Microsoft for not making the Advanced Encryption Standard (AES) the required default for Kerberos in Windows.
"According to Microsoft, this threat can be mitigated by setting long passwords that are at least 14 characters long, but Microsoft’s software does not require such a password length for privileged accounts," he added.
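Why the RC4 default matters, and why the 14-character advice is a stop-gap rather than a fix, as an added example (the code is mine, not Microsoft's; the password, realm and account names are constructed). The RC4-HMAC Kerberos key is the unsalted NT hash, one MD4 per guess and identical across every domain that uses the same password, while the AES key derivation is salted with realm and account name and costs 4,096 PBKDF2 rounds per guess. The last function decodes the msDS-SupportedEncryptionTypes bitmask an administrator sets to remove RC4 from an account; the bit values are the documented ones, and the behaviour for an unset attribute is today's Windows default.

```python
"""Work factor behind a Kerberoasting guess: RC4-HMAC vs AES Kerberos keys.
Added example for this article, not Microsoft's code. Password, realm and
account names are constructed; bitmask values are the documented
msDS-SupportedEncryptionTypes bits."""
import hashlib
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 builds of hashlib often drop it)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next step updates old d
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757: the RC4-HMAC long-term key is MD4(UTF-16LE(password)), i.e. the
    NT hash. No salt, no iteration: one MD4 per guess, and the same work cracks
    the same password in every domain it appears in."""
    return md4(password.encode("utf-16-le"))


PBKDF2_ITERATIONS = 4096  # RFC 3962 default, used by AD for user accounts


def aes_pbkdf2_stage(password: str, realm: str, principal: str, etype: int) -> bytes:
    """RFC 3962 string-to-key up to the password-dependent step: PBKDF2-HMAC-SHA1
    with salt = uppercase realm + account name, 4096 rounds, 16 bytes for
    AES128 (0x11) or 32 for AES256 (0x12). The final key is DK(result, "kerberos"),
    one fixed AES-CBC pass that adds nothing per guess and is omitted here."""
    dklen = {0x11: 16, 0x12: 32}[etype]
    salt = (realm.upper() + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=dklen)


def hash_calls_per_guess(etype: int) -> int:
    """Hash invocations a cracker spends per candidate password."""
    if etype == 0x17:
        return 1                               # one MD4 block
    if etype in (0x11, 0x12):
        blocks = 1 if etype == 0x11 else 2     # PBKDF2 emits 20-byte SHA-1 blocks
        return blocks * PBKDF2_ITERATIONS      # HMAC-SHA1 invocations
    raise ValueError(f"unsupported etype {etype:#x}")


# msDS-SupportedEncryptionTypes bits on an AD account
ETYPE_BITS = {0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5", 0x4: "RC4-HMAC",
              0x8: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}


def allows_rc4(msds_supported_enc_types) -> bool:
    """True if a DC may issue RC4 service tickets for this account. An unset
    or zero attribute is the out-of-the-box state and is treated as
    RC4-capable, which is the default the article is about; AES-only is 0x18."""
    if not msds_supported_enc_types:
        return True
    return bool(msds_supported_enc_types & 0x4)


if __name__ == "__main__":
    pw = "Winter2024!"  # constructed sample password
    print("RC4-HMAC key (NT hash):", rc4_hmac_key(pw).hex())
    for realm in ("corp.example", "other.example"):
        print(f"AES256 PBKDF2 stage in {realm}:",
              aes_pbkdf2_stage(pw, realm, "svc_sql", 0x12).hex())
    print("hash calls per guess: RC4 =", hash_calls_per_guess(0x17),
          "AES256 =", hash_calls_per_guess(0x12))
```

Two practical caveats when moving a service account to AES-only (0x18): the account only has AES keys if its password was set after the domain started generating them, so reset the password when you change the attribute, and any client or service that still negotiates only RC4 will start failing, which is the breakage Microsoft's spokesperson refers to. A 25-character-plus random password, or a group managed service account, removes the cracking path regardless of encryption type; the 14-character floor only makes the single-MD4 guess rate less fatal.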
Further criticism
The senator raised the issue with Microsoft in a meeting at the end of July 2024 about the Kerberoasting technique and the problematic default settings. The following October, Microsoft published a blog post about the hacking technique and said it was working on an update to disable RC4 — but so far that's yet to happen.
"While my staff specifically requested that Microsoft publish and publicize clear guidance in plain English so that senior executives would understand this serious, avoidable cyber risk, Microsoft instead published a highly technical blog post on an obscure area of the company’s website on a Friday afternoon," Wyden continued, adding that Microsoft failed to publicise the post or to warn about default settings.
"As such, it is highly likely that most companies, government agencies, and nonprofits that are Microsoft customers remain vulnerable to Kerberoasting," he added.
Beyond the Ascension attack, Wyden also pointed the finger at Microsoft over attacks against US government agencies by Chinese actors in July 2023 and the SharePoint flaw.
"Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” he said.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.