In America, the Washington D.C., uniparty types like to make you think they are all for reining in big corporations in favor of the “little guy.” But in practice, it seems that across many industries, the practice of squeezing out competition via government subsidy or legislative or bureaucratic intervention is often carried out by legislators with a vested interest in the long-term success of their “donating constituency.”
In one of the more potentially damaging examples of this type of monopolistic cronyism, during the 2023 Fiscal Year, the U.S. government gifted Microsoft nearly $500 million, despite the fact that more than 50% of government workers believe that the reliance on Microsoft’s productivity technology makes them more vulnerable to ransomware, trojans, and other cyber intrusions.
The whopping 50% figure shouldn’t really come as a surprise to anyone paying attention, as hackers have exploited more than 280 Microsoft software vulnerabilities over the past two decades.
After one of the more recent major examples of this pattern of consistent futility, the massive summer 2023 Microsoft Exchange Online intrusion, the U.S. Department of Homeland Security (DHS) was compelled to finally conduct a full investigation. The official reporting on the hack found that Microsoft’s negligence was directly responsible for the Chinese government-affiliated breach last summer, which, according to the DHS Cyber Safety Review Board, “never should have happened.”
Flaws in Microsoft’s authentication system allowed these Chinese hackers to sign into “essentially any Exchange Online account anywhere in the world.” This unfettered access to nearly every Microsoft account in the world allowed them to breach the e-mails of multiple U.S. and Canadian agencies and individuals.
This Chinese Communist Party (CCP) attack wasn’t the first significant hacking of Microsoft by an adversarial nation, as recent news has demonstrated with a March 2024 report noting that Russia’s SCR foreign intelligence service used data from hacking core Microsoft software to penetrate several of the company’s internal systems in January.
As if that weren’t terrifying enough, government agencies have endured a rash of recent attacks that call into question the ability of Canada’s and the United States’ respective federal cyber agencies in North America.
America’s Cybersecurity and Infrastructure Security Agency (CISA) saw two critical systems hacked: the Infrastructure Protection (IP) Gateway, which maintains data related to the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which maintains private sector chemical security plans. The potential fallout from an attack targeting either system could be devastating and costly.
In Canada, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), a watchdog agency responsible for monitoring and investigating terrorist and organized crime financial activities, was recently stifled by a major cybersecurity breach. Additionally, Global Affairs Canada (GAC) initiated an unplanned IT outage on Jan. 24 to “address the discovery of malicious cyber activity.” It was reported that internal systems were vulnerable between Dec. 20 and Jan. 24.
Interestingly enough, Canada’s investment in Microsoft rivals America’s when you consider the $299.8 million investment that the Canadian government made in it during 2021-2022. That’s an alarmingly large number, considering that the Canadian federal government is substantially smaller than that of the United States.
In light of international security failings and the growth of aggressive, weaponized, and state-sponsored malicious actors and other hackers around the world, why wouldn’t our respective governments add more approved contractors to their vendor lists or, minimally, “call in” on their investment thus far with Microsoft by making them hit higher performance benchmarks before giving another red cent or Canadian nickel—especially as predatory threats operating under the name of perfectly legitimate processes like Alrucs Service and other fake security alerts continue to not only hinder government systems but also cost individuals and small businesses millions of dollars in damages.
Is it because of the typical government inefficiency we have seen for generations, or is it garden-variety cronyism? Either way, it isn’t solely Microsoft’s failure, as the governments signing off on these payouts aren’t strongly calling for Microsoft to improve. Recent changes at Microsoft may hopefully prove to be a positive factor in the future.
As innovation continues to evolve on a daily basis in the tech world among both legitimate users and criminal actors, the time is now for governments internationally to put more responsibility on themselves to secure the digital borders that protect some of our most important industries, political and business secrets, and critical infrastructure, while issuing a mandate to Microsoft to develop their next hardened security solutions at a pace that stays ahead of nefarious actors globally. Because when it comes to tech, the governments of the US, Canada, and others, all have money and options outside of Microsoft to do business with.