Is Microsoft putting US national security at risk? One senator has made that claim and asked for regulators to investigate the tech giant for "gross cybersecurity negligence".
Ron Wyden, a Democratic senator from Oregon, has written to the chair of the Federal Trade Commission (FTC) calling for an investigation into Microsoft's cyber practices, in particular over attacks that target critical infrastructure.
Wyden said it was time to "hold Microsoft responsible for its gross cybersecurity negligence," specifically referencing the 2024 ransomware infection of non-profit health care provider Ascension as well as the recent SharePoint flaw.
"I urge the FTC to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the US government and to critical infrastructure entities, such as those in the US healthcare sector," Wyden wrote in his letter to FTC Chair Andrew Ferguson.
Wyden has previously called for the FTC and other US regulators to "take action" against Microsoft over a cyber attack linked to China.
Time for Microsoft to end RC4?
Wyden noted that the hackers that targeted Ascension used a technique called Kerberoasting to access privileged accounts on Microsoft Active Directory. A report in 2023 saw a 583% jump in attacks using the technique.
"This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts, including experts working for Microsoft, have for more than a decade warned is dangerous," Wyden wrote.
RC4 refers to Rivest Cipher 4 — also known as ARC4 or ARCFOUR — a type of stream cipher that became widely used thanks to its speed and simplicity.
But since its introduction in the mid 1990s, serious flaws have been found and the use of the outdated encryption standard is now actively discouraged – including by Microsoft itself.
Microsoft hits back
The tech giant still technically allows its use, however. A spokesperson for Microsoft told ITPro the outdated encryption standard Wyden is referring to isn't widely used.
"RC4 is an old standard and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic," the spokesperson said.
"However, disabling its use completely would break many customer systems," a spokesperson said. "For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible."
Microsoft is disabling RC4 by default in some products as of the beginning of next year, with "additional mitigations" for those still using it, the spokesperson added.
Regardless, Wyden criticized Microsoft for not making the Advanced Encryption Standard required by default in Windows.
"According to Microsoft, this threat can be mitigated by setting long passwords that are at least 14 characters long, but Microsoft’s software does not require such a password length for privileged accounts," he added.
Further criticism
The senator raised the issue with Microsoft in a meeting at the end of July 2024 about the Kerberoasting technique and the problematic default settings. The following October, Microsoft published a blog post about the hacking technique and said it was working on an update to disable RC4 — but so far that's yet to happen.
"While my staff specifically requested that Microsoft publish and publicize clear guidance in plain English so that senior executives would understand this serious, avoidable cyber risk, Microsoft instead published a highly technical blog post on an obscure area of the company’s website on a Friday afternoon," Wyden continued, adding that Microsoft failed to publicise the post or to warn about default settings.
"As such, it is highly likely that most companies, government agencies, and nonprofits that are Microsoft customers remain vulnerable to Kerberoasting," he added.
Beyond the Ascension attack, Wyden also pointed the finger at Microsoft over attacks against US government agencies by Chinese actors in July 2023 and the SharePoint flaw.
"Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” he said.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Enterprise AI adoption is about to get the Big Brother treatmentOpinion Worried your staff aren’t using those shiny AI tools you petitioned for? Big tech has you covered
-
Dreamforce 2025: What's an agentic OS?ITPro Podcast NPUs, e-ink, and immersive headsets are the latest hardware innovations for business devices
-
AI-generated code is now the cause of one-in-five breaches – but developers and security leaders alike are convinced the technology will come good eventuallyNews AI coding tools now write 24% of production code globally, but it's risky and causing issues for developers and security practitioners alike.
-
Microsoft issues fix for Windows 11 update that bricked mouse and keyboard controls in recovery environment – here's what you need to knowNews Yet another Windows 11 update has caused chaos for users
-
Windows 10 end of life could create a major e-waste problemNews The study marks the latest Windows 10 end of life e-waste warning
-
Microsoft Office 2016 and 2019 are heading for the scrapheap next month – but there could be a lifeline for those unable to upgradeNews The tech giant has urged Office 2016 and Office 2019 users to upgrade before the deadline passes
-
UK government programmers trialed AI coding assistants from Microsoft, GitHub, and Google – here's what they foundNews Developers participating in a trial of AI coding tools from Google, Microsoft, and GitHub reported big time savings, with 58% saying they now couldn't work without them.
-
Salesforce says ‘Microsoft’s anticompetitive tying of Teams' harmed business in triumphant response to EU concessions agreementNews Microsoft has agreed to make versions of its Office solutions suite available without Teams – and at a reduced price
-
Microsoft touts new Copilot features in Excel, but says you shouldn’t use them if you want accurate resultsNews Microsoft has warned against using new AI features in Excel for “tasks with legal, regulatory, or compliance implications” – so when can you use it?
-
A senior Microsoft exec says future Windows versions will offer more interactive, ‘multimodal’ experiencesNews With speculation over a Windows 12 reveal mounting, a senior company figure claims the new operating system will mark a step change for users
