The Canadian Government ALSO Has a Microsoft Problem
Microsoft's See no APT, Hear no APT, Speak no APT Comes Home to Roost
On 15 April, Wired published an article by Eric Geller covering the many stories of Microsoft’s seemingly endless string of security failures over the last few years. Eric Geller is one of the best cyber security reporters, and this is a story you will want to read. Here I will contextualize Geller’s arguments and points within a Canadian setting and show that this is as much a Canadian problem as it is an American one.
Micro$oft
The dominance of Microsoft in the marketplace is no secret, and the same goes for how much the United States and Canadian governments use and rely on Microsoft products and services. However, people (including myself) have increasingly been critical of Microsoft’s security posture, from its overall policy to the underlying security architectures of Azure. This is no longer just the view of various analysts; it is now shared by the United States Cyber Safety Review Board (CSRB). The CSRB was created to review and assess significant cyber incidents and make concrete recommendations that would drive improvements within the private and public sectors.
The CSRB’s Review of the Summer 2023 Microsoft Exchange Online Intrusion provides a scathing assessment of Microsoft’s security posture and overall culture of security. The report details a “cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed,” amongst others, which puts a significant amount of the blame for the incident on the organization’s overall approach to security. The report succinctly states, “[Microsoft’s] security culture was inadequate and requires an overhaul.”
In his article written for Wired, Eric Geller accurately states that the United States government (and, I suggest, the Canadian government as well) will not change or reconsider Microsoft products, even after the CSRB report and Microsoft’s revelation in January that foreign government hackers had once again breached its emails.
The problem? Microsoft is so big, integral, and vital to nearly all aspects of modern computing that it is very difficult to reduce government dependence on Microsoft products. This is why Microsoft’s failings are so dire. Microsoft is a company that has the resources and internal capacity to make the changes required to improve security but has decided not to.
Security experts interviewed by Geller note that Microsoft has increasingly viewed cyber security as a revenue generator, which has warped their responsibility to their users. One such example was Microsoft charging the government extra for activity logs, which could have prevented or significantly mitigated major security incidents.
How Is Canada Affected?
Due to the overall lack or non-existence of data or information provided by the Government of Canada in the aftermath of its own cyber security incidents, we cannot say if Microsoft products are responsible for security incidents in the government. However, this also means that we cannot say it wasn’t the fault of Microsoft products. It could, or could not, be a coincidence that Global Affairs Canada was hit by a breach the same month that Microsoft announced its emails were breached. Nevertheless, we know that the Government of Canada uses a lot of Microsoft products and services.
The Government of Canada spends approximately $300 million a year on Microsoft-related products and service contracts, with the overwhelming majority coming from software licensing ($249 million).
This and other government-Microsoft contracts tell us that the Government of Canada is just as vulnerable as the United States due to its heavy reliance on Microsoft products, which poses a potential threat. I am not saying as much; it is United States Senator Ron Wyden who says that the United States’ dependence on Microsoft is a threat.
The Government of Canada and the Canadian Armed Forces are increasingly adopting cloud-based environments, of which Microsoft/Azure is often a choice. As Geller finds through his interviews with many experts, this is a threat that Canada must seriously contend with and consider whether Microsoft products meet sufficient security standards.
The United States administration is increasingly pressing major tech vendors to shift the burden of cyber security away from consumers and onto the vendors themselves. Canada cannot sit idly by but must take similar actions, either independently or alongside the United States, to put sufficient pressure on Microsoft to make the security culture changes it needs.
Many, myself included, worry that the status quo will remain the same without sufficient government pressure.
As Microsoft, and other vendors, are increasingly becoming defence corporations by selling to militaries, their responsibility and moral duty to ensure security becomes existential and a matter of life. Can we afford the status quo to remain?
There are multiple mechanisms that could be used to apply pressure through Shared Services Canada, Public Services and Procurement Canada, Canadian Centre for Cybersecurity/CSE, and even National Defence/CAF. It all comes down to who would make this a concern, as it is unlikely to be cabinet or a minister anytime soon.
This is a serious problem in the Cdn GC. MS continues to add solutions to their contract, essentially putting a stranglehold on GC's ability to do anything different. They don't compete their solutions; they simply expand their footprint. Tech Vendors selling to the GC need to put their foot down. We need to collectively + publicly complain to CITT and make this illegal procurement activity public. That $300M/yr spend was the original contract, but I can almost guarantee that it's now closer to $1B. Their solutions are inferior in the industry, but they continue to have C level discussions convincing everyone that MS is the "easy button" when in fact it's the complete opposite.