Senators Want Answers About Pentagon's 'Heavy Reliance' on Microsoft

The move follows Newsweek's reporting of concerns about the U.S. military's use of Microsoft cybersecurity tools

Lawmakers are demanding that Pentagon officials report within six months about how the military's increasing reliance on a single software vendor, Microsoft, will affect the nation's cybersecurity and competition between IT companies for defense contracts.

The Senate version of the annual defense authorization bill instructs Department of Defense (DOD) Chief Information Officer John Sherman to give lawmakers a written report about the "risks and benefits" of buying cybersecurity tools from Microsoft. This follows concerns from some experts that using so much software from a single vendor makes the DOD more vulnerable to enemy hackers and online spies.

Because the Microsoft cyber tools were purchased under a contract that did not allow other companies to bid, lawmakers also want to know how officials plan to ensure competition between vendors in the future. Experts in good government say competition is essential, not just to get the best value for taxpayer dollars, but to ensure the DOD can buy the best and most innovative products.

The bill's provision, authored by newly minted Missouri Republican Sen. Eric Schmitt, follows Newsweek's reporting of concerns from former officials, lawmakers and other experts about a growing Microsoft "monoculture" at the DOD.

Then-Missouri Attorney General Eric Schmitt walks to speak to reporters in front of the US Supreme Court in Washington, DC, on April 26, 2022. Stefani Reynolds/AFP/Getty

A Senate staffer said "concerned constituents and industry stakeholders" had approached Schmitt about the "chilling effect on competition and innovation this market consolidation around Microsoft could have." He added the issue "resonated" with the senator. Schmitt was also concerned that "only meaningfully employing one vendor" might create "a single point of failure" if that company was compromised by an adversary.

The news comes as Microsoft reels from a string of revelations about breaches of their products by Chinese and Russian hackers, and the day after the sudden departure of the president of the company's government-sales subsidiary, Microsoft Federal. Rick Wagner, who has headed Microsoft Federal since it was spun off in 2020, has left "to pursue new opportunities," the company said in a brief statement Tuesday, reported by the government IT trade press. His departure came hours before the company revealed in a blog post that Chinese hackers had gained access to email accounts at two dozen organizations, including government agencies. A detailed technical breakdown revealed the hackers somehow obtained a special master key that let them impersonate users and log on to their email accounts.

That news in turn followed revelations about two other novel hacking campaigns. One, by a Russian group known as RomCom, used a previously unknown "Zero Day" vulnerability in Microsoft Office. RomCom sent specially crafted malicious attachments, disguised as documents about the Ukrainian World Congress, to "defense and government entities in Europe and North America," the company said in a security advisory. The advisory said Microsoft would provide a patch to fix the vulnerability.

Finally, Tuesday also saw Microsoft confirm findings from security researchers at Cisco Talos that a flaw in the company's validation process for software had let hackers into the highly protected kernel -- the under-the-hood part of Windows that users normally aren't able to access.

Despite concerns about its security prompted by such incidents, the Defense Department has, since 2017, exclusively used the Microsoft Windows operating system on all its four million-plus desktop computers and is increasingly employing Microsoft's Azure cloud computing services. And most of its 2.1 million active duty and reserve military personnel and 750,000 civilian employees use Microsoft programs such as Outlook or Office for email, calendar, word processing and other administrative tasks.

But the tipping point for many critics was the DOD's decision last year to abandon a long-running cybersecurity program that was bid among different vendors in favor of buying Microsoft security tools that the Redmond, Wash.-based IT giant bundles with the software it already sells to the DOD.

"It scares the heck out of me that we're vertically integrating the endpoints, the software, the cloud, and now the security stack with a single vendor. To me, that's an unacceptable level of risk," a former senior DOD IT official who was involved in many deployments of Microsoft products told Newsweek earlier this year.

Senior DOD cybersecurity official David McKeown responded that the department's computer networks would be safer with a single solution, saying security tools that come already integrated into the software they are defending offer important advantages over standalone products. "When DOD buys an aircraft, it doesn't buy a box of parts that our mechanics have to put together, it buys the integrated aircraft," he said, adding the Defense Department needed to start thinking of its networks like a weapons system.

Schmitt's language, which was included in the Senate version of the National Defense Authorization Act, approved by the Armed Services Committee June 23, also requires the Defense Department to disclose two internal reports analyzing "the effectiveness of the cybersecurity capabilities" of the Microsoft Defender tools and comparing them to other commercially available cybersecurity tools.

"I'm pleased that my amendment requiring a report about the security strengths and potential weaknesses of heavy reliance on Microsoft Defender made it into" the bill, Schmitt said in a statement emailed to Newsweek. "This report and further questioning required by my amendment will bring important transparency."

IT acquisition reformers also welcomed the news. "Getting answers about these issues is a great start," said John Weiler, CEO of the IT Acquisition Advisory Council, a non-profit that works to improve the way the federal government buys computer goods and services. "Lawmakers have to help DOD thread the needle of ensuring interoperability and the ability to deploy at the massive scale required for defense networks, while providing opportunities for and investments in smaller businesses and innovators who are already struggling with less than fair and open bidding processes."

The Defense Department and Microsoft declined to comment on the pending legislation.

The defense bill now must be debated on the Senate floor. If it passes, it will be reconciled with the House version, which currently contains no equivalent provision.

The move in the Senate comes amid growing concern about the U.S. military's possible susceptibility to a pre-emptive cyber strike by China, part of a broad sneak attack aimed at forestalling U.S. aid to Taiwan in the event that Beijing decides to use military force to back up its long-running claim to sovereignty over the breakaway island state.

U.S. officials have said that China might use cyber power to cripple vital national infrastructure such as telecoms, transit and pipelines. And in war games staged by the U.S. military, a Chinese adversary typically begins by trying to cut off U.S. forces in the Indo-Pacific theater from their North American headquarters, something experts say is achievable through cyber means.

Shaun Waterman can be reached at s.waterman@newsweek.com. Follow him on Twitter @WatermanReports.
