Recently, we learned of an example where Microsoft did not implement a feature in Windows due to compatibility concerns, but it was lambasted for being lazy by critics who didn't know better. Now, a U.S. senator has taken a similar stance and penned a furious letter to the Federal Trade Commission (FTC) highlighting Microsoft's weak cybersecurity practices and monopoly over the enterprise IT market.
The letter in question comes from Democratic U.S. Senator Ron Wyden, who claims that Microsoft's "gross cybersecurity negligence" has caused an increase in ransomware attacks, particularly in the healthcare sector, where patient lives are also at risk. He noted that since the company has a near-monopoly over the enterprise IT sector, this is a national security risk as well. Rather than making its software secure, the senator argues, Microsoft has constructed a multi-billion dollar business that focuses on selling cybersecurity add-ons and services to customers impacted by security incidents. He has likened this to an "arsonist selling firefighting services to their victims".
Wyden says that Windows ships with a set of security configurations, but these are insecure. While customers do have the option to modify them, many don't. The senator claims that these "dangerous software engineering decisions" are hidden from corporate and government customers, which puts them at risk.
The senator has highlighted the example of the 2024 ransomware attack on the non-profit healthcare provider Ascension, where a hacker utilized the "Kerberoasting" technique to infect a contractor's laptop after they opened a malicious link via Bing. The bad actor was then able to move laterally across the network, gaining admin privileges and pushing ransomware to systems, while also managing to steal the data of millions of patients.
Wyden solely blames Microsoft for this lapse in security because, he claims, the company still uses the very old RC4 encryption technology, and Windows does not require the stronger AES by default. Although Redmond says that this attack surface can be mitigated by setting passwords that are at least 14 characters long, the firm's own software imposes no such restriction for admin accounts. Although Microsoft assured Wyden almost a year ago that it would disable RC4, it has yet to deliver on this promise.
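As an added illustration of the defender-side check that follows from this point (it is not part of the article or any Microsoft tooling): a small Python script over constructed Windows Security Event 4769 records that flags service-ticket requests negotiated with RC4 (ticket encryption type 0x17) and the accounts requesting several of them in a row, which is the signal an organisation that still permits RC4 would watch for. The `key=value` field layout, account names and IP addresses are a simplified stand-in for the real event message body.

```python
"""Flag Kerberos service-ticket requests (Event ID 4769) negotiated with RC4."""
import re
from collections import Counter

# Kerberos encryption types as written in the 4769 TicketEncryptionType field.
RC4_HMAC = 0x17    # the legacy type Wyden's letter objects to
AES128_CTS = 0x11
AES256_CTS = 0x12

# Constructed sample events (hypothetical accounts, hosts and addresses).
SAMPLE_EVENTS = """\
EventID=4769 AccountName=jdoe@CORP.EXAMPLE ServiceName=MSSQLSvc/db01.corp.example TicketEncryptionType=0x17 IpAddress=10.0.5.23
EventID=4769 AccountName=jdoe@CORP.EXAMPLE ServiceName=http/web01.corp.example TicketEncryptionType=0x17 IpAddress=10.0.5.23
EventID=4769 AccountName=jdoe@CORP.EXAMPLE ServiceName=cifs/fs01.corp.example TicketEncryptionType=0x17 IpAddress=10.0.5.23
EventID=4769 AccountName=asmith@CORP.EXAMPLE ServiceName=cifs/fs01.corp.example TicketEncryptionType=0x12 IpAddress=10.0.7.41
EventID=4769 AccountName=WEB01$@CORP.EXAMPLE ServiceName=krbtgt/CORP.EXAMPLE TicketEncryptionType=0x17 IpAddress=10.0.1.9
EventID=4768 AccountName=jdoe@CORP.EXAMPLE ServiceName=krbtgt/CORP.EXAMPLE TicketEncryptionType=0x12 IpAddress=10.0.5.23
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one 'key=value key=value' record into a dict."""
    return dict(FIELD_RE.findall(line))

def rc4_service_ticket_requests(text):
    """Return (account, service) pairs for 4769 events that used RC4.
    Requests for krbtgt/ are skipped: those are TGT renewals, not tickets
    for a service account whose password strength matters here."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue
        if ev.get("ServiceName", "").lower().startswith("krbtgt/"):
            continue
        if int(ev.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC:
            hits.append((ev["AccountName"], ev["ServiceName"]))
    return hits

def accounts_over_threshold(text, threshold=3):
    """Accounts that requested at least `threshold` distinct RC4 service
    tickets; a burst like this from one principal is worth an alert."""
    distinct = set(rc4_service_ticket_requests(text))
    per_account = Counter(acct for acct, _svc in distinct)
    return {a: n for a, n in per_account.items() if n >= threshold}
```

In a real deployment the records would be pulled from the Security log on the domain controllers; AES-only tickets (0x11, 0x12) pass through untouched, so the output shrinks as RC4 is retired.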
You can view the full four-page letter to the FTC in detail here (thanks, The Register), but ultimately, Senator Wyden has urged the authority to investigate Microsoft and hold it liable for all the damage its software is causing to critical government and public infrastructure. The senator believes that similar attacks in the future are inevitable unless Microsoft is held accountable for its de facto monopoly on the enterprise IT market and its negligence in building secure software and operating systems.