Senator Calls for FTC Investigation into Microsoft’s Cybersecurity Practices
Microsoft finds itself under scrutiny once again as U.S. Senator Ron Wyden has raised concerns regarding the company’s cybersecurity practices. In a letter addressed to FTC Chair Andrew Ferguson on September 10, Wyden accused the tech giant of distributing “dangerous, insecure software” that has allegedly facilitated cybercriminal activities, notably impacting one of the largest hospital networks in the United States.
Wyden’s correspondence paints a stark picture of Microsoft, suggesting that the company’s negligence in cybersecurity could pose a significant threat to national security. He urged the FTC to investigate and hold Microsoft accountable for the repercussions of delivering insecure software to both the U.S. government and critical infrastructure sectors, particularly healthcare.
At the heart of this issue is a ransomware attack that targeted Ascension, a Catholic nonprofit operating over 140 hospitals nationwide. Recent disclosures from Wyden’s office reveal that the breach originated when a contractor, using a company laptop, inadvertently clicked on a malicious link during a Bing search. This action triggered a series of events that exploited known vulnerabilities in Microsoft’s default configurations, allowing attackers to escalate privileges and deploy ransomware across thousands of devices.
The fallout from this attack was severe, disrupting surgical procedures and forcing healthcare professionals to revert to manual processes. Furthermore, it resulted in the theft of personal and medical information belonging to approximately 5.6 million patients.
Wyden highlighted a long-standing vulnerability known as “Kerberoasting” as a critical factor in the breach. This vulnerability is exacerbated by Microsoft’s continued use of RC4 as its default encryption algorithm, a choice that has drawn criticism from security experts for years. Despite the availability of more secure alternatives like AES, Microsoft has yet to implement a change, a decision that Wyden argues unnecessarily endangers its customers.
In his letter, Wyden pointed out that Microsoft has been aware of these issues for an extended period but has not taken decisive action. He noted that a promised patch to disable RC4 by default remains unfulfilled nearly a year after its announcement. Additionally, he criticized the company for relegating essential security guidance to an obscure blog post rather than proactively informing its customers.
Wyden further contended that Microsoft’s default settings are not user-friendly, with password policies failing to enforce the complexity needed to thwart Kerberoasting attacks. Many users remain oblivious to these risks until it is too late. He accused Microsoft of prioritizing profit over security, likening the company to “an arsonist selling firefighting services to their victims” through its multibillion-dollar cybersecurity add-on services.
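The two paragraphs above describe why the RC4 default matters: any authenticated domain user can ask the domain controller for a service ticket, and when that ticket is issued with RC4-HMAC it is encrypted under a key derived directly from the service account's password, so a weak password can be recovered by offline guessing. Defenders usually watch for this in the domain controller's Security log, where event 4769 (a Kerberos service ticket was requested) records the ticket encryption type. The script below is an added illustration written for this article, not code from Wyden's office or from Microsoft; it assumes the 4769 records have been flattened to one "key=value" line per event (the sample lines are constructed) and flags accounts that pulled RC4 tickets for several distinct service accounts, which is the bulk pattern worth triaging. The encryption type codes (0x17 for RC4-HMAC, 0x12 for AES256) are the real values Windows logs.

```python
"""Flag possible Kerberoasting activity from Windows Security event 4769 records.

Added example for this article (not from Wyden's letter or any Microsoft tool).
Assumes each event has been flattened to whitespace-separated key=value pairs.
"""
from collections import defaultdict

# Ticket encryption type codes as they appear in event 4769.
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
RC4_TYPES = {0x17, 0x18}

# Constructed sample records (not real log data; account and service names are made up).
SAMPLE_4769 = [
    "EventID=4769 AccountName=jdoe@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x17 FailureCode=0x0",
    "EventID=4769 AccountName=jdoe@CORP.EXAMPLE ServiceName=WS01$ TicketEncryptionType=0x12 FailureCode=0x0",
    "EventID=4769 AccountName=jdoe@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 FailureCode=0x0",
    "EventID=4769 AccountName=jdoe@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 FailureCode=0x0",
    "EventID=4769 AccountName=jdoe@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x12 FailureCode=0x0",
    "EventID=4769 AccountName=contractor1@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 FailureCode=0x0",
    "EventID=4769 AccountName=contractor1@CORP.EXAMPLE ServiceName=svc_old TicketEncryptionType=0x17 FailureCode=0x7",
    "EventID=4768 AccountName=contractor1@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 FailureCode=0x0",
]


def parse_event(line):
    """Split a flattened record into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def is_rc4_service_ticket(ev):
    """True for a successful TGS request for a user service account with an RC4 ticket.

    krbtgt (TGT traffic) and computer accounts (names ending in '$') are excluded:
    computer accounts carry long random passwords, so they only add noise here.
    """
    if ev.get("EventID") != "4769" or ev.get("FailureCode") != "0x0":
        return False
    service = ev.get("ServiceName", "")
    if service.lower() == "krbtgt" or service.endswith("$"):
        return False
    try:
        etype = int(ev.get("TicketEncryptionType", "0"), 16)
    except ValueError:
        return False
    return etype in RC4_TYPES


def rc4_service_tickets(lines):
    """Return (account, service, encryption type name) for every RC4 service ticket."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if is_rc4_service_ticket(ev):
            etype = int(ev["TicketEncryptionType"], 16)
            out.append((ev["AccountName"], ev["ServiceName"], ENC_TYPES[etype]))
    return out


def flag_kerberoasting(lines, min_services=2):
    """Accounts that obtained RC4 tickets for at least min_services distinct services.

    One RC4 ticket may just be a legacy client; one principal collecting tickets
    for many different service accounts is the pattern that merits investigation.
    """
    by_account = defaultdict(set)
    for account, service, _ in rc4_service_tickets(lines):
        by_account[account].add(service)
    return {a: sorted(s) for a, s in by_account.items() if len(s) >= min_services}


if __name__ == "__main__":
    for account, services in flag_kerberoasting(SAMPLE_4769).items():
        print(f"{account}: RC4 service tickets for {', '.join(services)}")
```

Run against the constructed sample, the script reports jdoe@CORP.EXAMPLE with RC4 tickets for svc_sql and svc_web; the krbtgt request, the computer account, the AES256 tickets, the failed request and the 4768 event are all filtered out. On a real domain, establish a baseline first, because older clients and appliances legitimately request RC4 tickets and will show up in `rc4_service_tickets` even when nothing is wrong. The corresponding hardening is the one the article alludes to: restrict service accounts to AES through the `msDS-SupportedEncryptionTypes` attribute and give them long, randomly generated passwords (group Managed Service Accounts do this automatically), so that even a captured ticket is not practical to crack.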
The senator also referenced a pattern of concerning behavior, recalling the 2023 hack of U.S. government email accounts attributed to suspected Chinese spies, which a federal review board linked to Microsoft’s inadequate security culture. Given Microsoft’s dominant position in the enterprise operating system market, Wyden warned that its decisions significantly influence security standards across government and critical infrastructure, thereby endangering the broader public.
Wyden’s call for an FTC investigation aims to instigate accountability within Microsoft. He seeks regulatory action to compel the company to implement secure defaults, expedite the long-awaited RC4 update, and provide clear guidance to customers regarding their security risks. Should the FTC choose to pursue this case, it could signify a pivotal moment in how federal regulators oversee vendors whose software is integral to critical services, especially in light of their repeated missteps.
For Microsoft, which has been advocating for a new “secure by design” approach under its Secure Future Initiative, Wyden’s letter serves as a potent reminder that skepticism remains regarding the company’s commitment to genuine change. The FTC’s response may ultimately shape whether this situation becomes merely another instance of public criticism or the beginning of a profound reassessment of one of the tech industry’s most influential players.