US Senator calls for Microsoft FTC probe over ‘gross cybersecurity negligence’ – Ron Wyden claims the tech giant has provided ‘dangerous, insecure software’ to the US government
Microsoft should face an FTC probe over alleged failings, one US lawmaker claims
Is Microsoft putting US national security at risk? One senator has made that claim and asked for regulators to investigate the tech giant for "gross cybersecurity negligence".
Ron Wyden, a Democratic senator from Oregon, has written to the chair of the Federal Trade Commission (FTC) calling for an investigation into Microsoft's cyber practices, in particular over attacks that target critical infrastructure.
Wyden said it was time to "hold Microsoft responsible for its gross cybersecurity negligence," specifically referencing the 2024 ransomware infection of non-profit health care provider Ascension as well as the recent SharePoint flaw.
"I urge the FTC to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the US government and to critical infrastructure entities, such as those in the US healthcare sector," Wyden wrote in his letter to FTC Chair Andrew Ferguson.
Wyden has previously called for the FTC and other US regulators to "take action" against Microsoft over a cyber attack linked to China.
Time for Microsoft to end RC4?
Wyden noted that the hackers that targeted Ascension used a technique called Kerberoasting to access privileged accounts on Microsoft Active Directory. A report in 2023 saw a 583% jump in attacks using the technique.
"This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts, including experts working for Microsoft, have for more than a decade warned is dangerous," Wyden wrote.
RC4 refers to Rivest Cipher 4 — also known as ARC4 or ARCFOUR — a type of stream cipher that became widely used thanks to its speed and simplicity.
But since its introduction in the mid 1990s, serious flaws have been found and the use of the outdated encryption standard is now actively discouraged – including by Microsoft itself.
Microsoft hits back
The tech giant still technically allows its use, however. A spokesperson for Microsoft told ITPro the outdated encryption standard Wyden is referring to isn't widely used.
"RC4 is an old standard and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic," the spokesperson said.
"However, disabling its use completely would break many customer systems," a spokesperson said. "For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible."
Microsoft is disabling RC4 by default in some products as of the beginning of next year, with "additional mitigations" for those still using it, the spokesperson added.
Regardless, Wyden criticized Microsoft for not making the Advanced Encryption Standard required by default in Windows.
"According to Microsoft, this threat can be mitigated by setting long passwords that are at least 14 characters long, but Microsoft’s software does not require such a password length for privileged accounts," he added.
Further criticism
The senator raised the issue with Microsoft in a meeting at the end of July 2024 about the Kerberoasting technique and the problematic default settings. The following October, Microsoft published a blog post about the hacking technique and said it was working on an update to disable RC4 — but so far that's yet to happen.
"While my staff specifically requested that Microsoft publish and publicize clear guidance in plain English so that senior executives would understand this serious, avoidable cyber risk, Microsoft instead published a highly technical blog post on an obscure area of the company’s website on a Friday afternoon," Wyden continued, adding that Microsoft failed to publicise the post or to warn about default settings.
"As such, it is highly likely that most companies, government agencies, and nonprofits that are Microsoft customers remain vulnerable to Kerberoasting," he added.
Beyond the Ascension attack, Wyden also pointed the finger at Microsoft over attacks against US government agencies by Chinese actors in July 2023 and the SharePoint flaw.
"Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” he said.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
What is Microsoft Maia?Explainer Microsoft's in-house chip is planned to a core aspect of Microsoft Copilot and future Azure AI offerings
-
If Satya Nadella wants us to take AI seriously, let’s forget about mass adoption and start with a return on investment for those already using itOpinion If Satya Nadella wants us to take AI seriously, let's start with ROI for businesses
-
UK government launches industry 'ambassadors' scheme to champion software security improvementsNews The Software Security Ambassadors scheme aims to boost software supply chains by helping organizations implement the Software Security Code of Practice.
-
Not keen on Microsoft Copilot? Don’t worry, your admins can now uninstall it – but only if you've not used it within 28 daysNews The latest Windows 11 Insider Preview will include a policy for removing the app entirely — but only in certain conditions
-
Microsoft is shaking up GitHub in preparation for a battle with AI coding rivalsNews The tech giant is bracing itself for a looming battle in the AI coding space
-
‘1 engineer, 1 month, 1 million lines of code’: Microsoft wants to replace C and C++ code with Rust by 2030 – but a senior engineer insists the company has no plans on using AI to rewrite Windows source codeNews Windows won’t be rewritten in Rust using AI, according to a senior Microsoft engineer, but the company still has bold plans for embracing the popular programming language
-
Microsoft Excel is still alive and kicking at 40 – and it's surging in popularity as 82% of finance professionals report ‘emotional attachment’ to the spreadsheet softwareNews A recent survey found Gen Z and Millennial finance professionals have a strong “emotional attachment” to Microsoft Excel
-
Microsoft’s Windows chief wants to turn the operating system into an ‘agentic OS' – users just want reliability and better performanceNews While Microsoft touts an AI-powered future for Windows, users want the tech giant to get back to basics
-
Microsoft 365 price hikes have landed the tech giant in hot waterNews Australian regulators have filed a lawsuit against Microsoft for allegedly misleading users over Microsoft 365 pricing changes.
-
AI-generated code is now the cause of one-in-five breaches – but developers and security leaders alike are convinced the technology will come good eventuallyNews AI coding tools now write 24% of production code globally, but it's risky and causing issues for developers and security practitioners alike.
