Microsoft is the world's most valuable company. But the $3 trillion tech giant's market dominance masks its vulnerability to cyberattacks, which pose a growing danger to the businesses and governments that rely on its software.

A series of recent cybersecurity breaches have laid bare the weaknesses of Microsoft’s defenses. The attacks should raise alarms inside the company and among policymakers responsible for safeguarding the global computing networks that Microsoft products undergird.

Instead, the company's response has too often failed to meet the security challenge, reflecting an apparent consensus that Microsoft is too big to fail. Just as Wall Street banks emerged relatively unscathed from the global financial crisis they helped precipitate while consumers and small businesses suffered the fallout, Microsoft may pass the bill for a catastrophic security failure on to the rest of us.

We won’t be able to say we weren’t warned. The Cyber Safety Review Board, an independent panel mandated by President Biden, recently issued a scathing report on the company’s culpability for a Chinese breach of U.S. government email systems running on its software last year.

The board found the security failure was “preventable and should never have occurred.” For months afterward, Microsoft failed to correct its own misleading statements about the nature of the incident. Ultimately, the board concluded that Microsoft’s “security culture was inadequate and required an overhaul.”

It was hardly the first successful attack on Microsoft’s systems by hostile foreign actors. In January, Russian spies hacked Microsoft executives’ emails, part of what the company acknowledged is an escalating campaign to find areas of weakness.

Customers suffered a severe breach in 2021 when Chinese state hackers exploited flaws in Microsoft Exchange Server, the company's on-premises email software, broke into organizations' servers and installed web shells, malware that gave them persistent access. The incident may have affected up to 125,000 organizations worldwide, many in the United States.

The spies focused their intelligence gathering on military and government organizations and also targeted manufacturing, financial services and software vendors. The Chinese attackers likely sought to compromise organizations that supply others, so that a single supply-chain compromise could enable dozens or hundreds of further breaches and yield a goldmine of intelligence.

Despite these most recent security collapses, government, consumer and commercial entities feel compelled to continue using Microsoft’s ubiquitous software, as viable alternatives remain limited. However, the sheer scale of the company’s operations and its interconnectedness with other entities should raise more pressing concerns about the systemic risks posed by its potential failure.

Windows, Microsoft’s operating system, has become so embedded in the infrastructure of global commerce that it can be easy to overlook just how critical it is. Governments, educational institutions, healthcare organizations and nonprofits worldwide rely on Windows for computing needs. Windows powers servers for hosting websites, enterprise applications and managing databases in on-premises and cloud environments. The software powers ATMs and point-of-sale terminals, IoT devices, and industrial automation and control systems.

Yet the company has not prioritized a much-needed security revamp. Microsoft last took such a step in 2002, after worms such as Code Red and Nimda struck computers running Windows. At the time, co-founder Bill Gates released his "trustworthy computing" memo, pushing the company to put security ahead of new features. However, Microsoft's chief cybersecurity adviser, Bret Arsenault, recently said the company cannot repeat that kind of halt on feature work today. "It's just a different company," Arsenault said.

Indeed, what has prevailed too often in recent years is a cycle of high-profile data breaches, government scrutiny and ineffective security remediation. The company’s significant influence, evidenced by its active policy team and strategic lobbying efforts in Washington, allows it to maintain its operations even amid security breaches that would cripple other companies. As calls for a federal investigation intensify, Microsoft’s ability to navigate these challenges hinges on a comprehensive overhaul of its culture and business strategy. To restore trust and safeguard national security, Microsoft must put security first.

And if the company won’t fix itself, regulators must insist on it.

Like the Wall Street giants before the 2008-2009 financial crisis, Microsoft is so deeply enmeshed in the global economy that its collapse could trigger a cascade of adverse effects, disrupting supply chains, stifling innovation and causing widespread economic turmoil. Unlike those financial giants, it cannot be allowed to be too big to fail.