Does the US Government Have a Cybersecurity Monoculture Problem?

A recent ProPublica report dives into the way Microsoft provided its services to upgrade the government’s cybersecurity.

Carrie Pallardy, Contributing Reporter

November 21, 2024


The way Microsoft provided the US government with cybersecurity upgrades is under scrutiny. ProPublica published a report that delves into the “White House Offer”: a deal in which Microsoft sent consultants to install cybersecurity upgrades for free. But those free product upgrades were only covered for up to one year.  

Did this deal give Microsoft an unfair advantage, and what could it take to shift the federal government’s reliance on the tech giant’s services?  

The White House Offer 

ProPublica spoke to eight former Microsoft employees who played a part in the White House Offer. With their insight, ProPublica’s report details how this deal makes it difficult for users in the federal government to shift away from Microsoft’s products and how it helped to squeeze out competition.

While the cybersecurity upgrades were initially free, government agencies must pay once the renewal period arrives. After the products have been installed and employees trained on them, switching to alternatives would be costly.

ProPublica also reports that Microsoft salespeople recommended that federal agencies drop products from competitors to save costs.  

Critics raise concerns that Microsoft’s deal skirted antitrust laws and federal procurement laws.  

“Why didn't you allow a Deloitte or an Accenture or somebody else to say we want free services to help us do it? Why couldn't they come in and do the same thing? If a company is willing to do something for free like that, why should it be a bias to Microsoft and not someone else that's capable as well?” asks Morey Haber, chief security advisor at BeyondTrust, an identity and access security company.  


ProPublica noted Microsoft’s defense of its deal and the way it worked with the federal government. Microsoft declined to comment when InformationWeek reached out.  

Josh Bartolomie, vice president of global threat services at email security company Cofense, points out that the scale of the federal government makes Microsoft a logical choice.  

“The reality of it is … there are no other viable platforms that offer the extensibility, scalability, manageability other than Microsoft,” he tells InformationWeek. 

The Argument for Diversification 

Overreliance on a single security vendor has its pitfalls. “Generally speaking, you don't want to do a sole provider for any type of security services. You want to have checks and balances. You want to have risk mitigations. You want to have fail safes, backup plans,” says Bartolomie.   

And there are arguments being made that Microsoft created a cybersecurity monoculture within the federal government. 


Sen. Eric Schmitt (R-Mo.) and Sen. Ron Wyden (D-Ore.) raised concerns and called for a multi-vendor approach.  

“DoD should embrace an alternate approach, expanding its use of open-source software and software from other vendors, that reduces risk-concentration to limit the blast area when our adversaries discover an exploitable security flaw in Microsoft’s, or another company’s software,” they wrote in a letter to John Sherman, former CIO of the Department of Defense.  

The government has experienced the fallout that follows exploited vulnerabilities. A Microsoft vulnerability played a role in the SolarWinds hack.   

Earlier this year it was disclosed that Midnight Blizzard, a Russian state-sponsored threat group, executed a password spray attack against Microsoft. Federal agency credentials were stolen in the attack, according to Cybersecurity Dive.  

“There is proof out there that the monoculture is a problem,” says Haber.  

Pushback 

Microsoft’s dominance in the government space has not gone unchallenged over the years. For example, the Department of Defense pulled out of a $10 billion cloud deal with Microsoft. The contract, the Joint Enterprise Defense Infrastructure (JEDI), faced legal challenges from competitor AWS.  


Competitors could continue to challenge Microsoft’s dominance in the government, but there are still questions about the cost associated with replacing those services.  

“I think the government has provided pathways for other vendors to approach, but I think it would be difficult … to displace them,” says Haber.  

A New Administration  

Could the incoming Trump administration herald changes in the way the government works with Microsoft and other technology vendors?  

Bartolomie points out that each time a new administration steps in, there is a thirst for change. “Do I think that there's a potential that he [Trump] will go to Microsoft and say, ‘Give us better deals. Give us this, give us that’? That's a high possibility because other administrations have,” he says. “The government being one of the largest customers of the Microsoft ecosystem also gives them leverage.”

Trump has been vocal about his “America First” policy, but how that could be applied to cybersecurity services used by the government remains to be seen. “Do you allow software being used from a cybersecurity or other perspective to be developed overseas?” asks Haber. 

Haber points out that outsourced development is typical for cybersecurity companies. “I'm not aware of any cybersecurity company that does exclusive US or even North America … builds,” he says.  

Any sort of government mandate requiring cybersecurity services developed solely in the US would raise challenges for Microsoft and the cybersecurity industry as a whole.  

While the administration’s approach to cybersecurity and IT vendor relationships is not yet known, it is noteworthy that Trump’s view of tech companies could be influential. Amazon pursued legal action over the $10 billion JEDI contract, claiming that Trump’s dislike of company founder Jeff Bezos impacted its ability to secure the deal, The New York Times reports.

About the Author

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.
