US Senator calls for Microsoft FTC probe over ‘gross cybersecurity negligence’ – Ron Wyden claims the tech giant has provided ‘dangerous, insecure software’ to the US government
Microsoft should face an FTC probe over alleged failings, one US lawmaker claims
Is Microsoft putting US national security at risk? One senator has made that claim and asked for regulators to investigate the tech giant for "gross cybersecurity negligence".
Ron Wyden, a Democratic senator from Oregon, has written to the chair of the Federal Trade Commission (FTC) calling for an investigation into Microsoft's cyber practices, in particular over attacks that target critical infrastructure.
Wyden said it was time to "hold Microsoft responsible for its gross cybersecurity negligence," specifically referencing the 2024 ransomware infection of non-profit health care provider Ascension as well as the recent SharePoint flaw.
"I urge the FTC to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the US government and to critical infrastructure entities, such as those in the US healthcare sector," Wyden wrote in his letter to FTC Chair Andrew Ferguson.
Wyden has previously called for the FTC and other US regulators to "take action" against Microsoft over a cyber attack linked to China.
Time for Microsoft to end RC4?
Wyden noted that the hackers that targeted Ascension used a technique called Kerberoasting to access privileged accounts on Microsoft Active Directory. A report in 2023 saw a 583% jump in attacks using the technique.
"This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts, including experts working for Microsoft, have for more than a decade warned is dangerous," Wyden wrote.
RC4 refers to Rivest Cipher 4 — also known as ARC4 or ARCFOUR — a type of stream cipher that became widely used thanks to its speed and simplicity.
But since its introduction in the mid 1990s, serious flaws have been found and the use of the outdated encryption standard is now actively discouraged – including by Microsoft itself.
Microsoft hits back
The tech giant still technically allows its use, however. A spokesperson for Microsoft told ITPro the outdated encryption standard Wyden is referring to isn't widely used.
"RC4 is an old standard and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic," the spokesperson said.
"However, disabling its use completely would break many customer systems," a spokesperson said. "For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible."
Microsoft is disabling RC4 by default in some products as of the beginning of next year, with "additional mitigations" for those still using it, the spokesperson added.
Regardless, Wyden criticized Microsoft for not making the Advanced Encryption Standard required by default in Windows.
"According to Microsoft, this threat can be mitigated by setting long passwords that are at least 14 characters long, but Microsoft’s software does not require such a password length for privileged accounts," he added.
Further criticism
The senator raised the issue with Microsoft in a meeting at the end of July 2024 about the Kerberoasting technique and the problematic default settings. The following October, Microsoft published a blog post about the hacking technique and said it was working on an update to disable RC4 — but so far that's yet to happen.
"While my staff specifically requested that Microsoft publish and publicize clear guidance in plain English so that senior executives would understand this serious, avoidable cyber risk, Microsoft instead published a highly technical blog post on an obscure area of the company’s website on a Friday afternoon," Wyden continued, adding that Microsoft failed to publicise the post or to warn about default settings.
"As such, it is highly likely that most companies, government agencies, and nonprofits that are Microsoft customers remain vulnerable to Kerberoasting," he added.
Beyond the Ascension attack, Wyden also pointed the finger at Microsoft over attacks against US government agencies by Chinese actors in July 2023 and the SharePoint flaw.
"Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” he said.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Why your best engineers are doing the wrong workIndustry Insights Why MSPs should adopt platform engineering to free engineers for more strategic work.
-
How Tim Cook turned Apple into a 'durable' tech industry powerhouseNews Tim Cook might not boast the same tech visionary status as Steve Jobs, but the company’s growth has been remarkable
-
Microsoft touts “cost effective” cloud PC prices for small businesses as hardware prices spikeNews The tech giant is targeting small business gains with a 20% cut for Windows 365 Cloud PC services
-
IT admins are scrambling for alternatives in the wake of Microsoft’s MDT retirementNews OS deployment is up in the air after Microsoft's MDT retirement – but the time to take action is now
-
CMA launches Microsoft probe amid software licensing concernsNews The regulator hopes to “ensure a level playing field” when it comes to competition in the business software market
-
Microsoft pledged to simplify Windows 11 updates – it just paused a preview over installation errorsNews Two weeks after pledging to improve Windows 11 updates, a preview suffers installation issues
-
Big tech is clamping down on open source ‘AI slop’ reportsNews Firms including Microsoft, OpenAI, and Google have pledged funding to bolster open source security and cut down on slop reports
-
Alert issued over critical vulnerabilities in Linux’s AppArmor security layer – more than 12 million enterprise systems are at risk of root accessNews Researchers have warned Linux flaws allow unprivileged local users to gain root privileges and weaken container isolation
-
Microsoft CEO Satya Nadella says 'anyone can be a software developer' with AI, but skills and experience are still vitalNews AI will cause job losses in software development, Nadella admitted, but claimed many will reskill and adapt to new ways of working
-
Everything you need to know about the new E7 Microsoft 365 tier, including features, pricing, and release date
News The new premium bundle for Microsoft 365 adds AI capabilities to traditional tiers
