{"id":21478,"date":"2023-03-15T02:30:07","date_gmt":"2023-03-15T10:30:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/03\/15\/news-15209\/"},"modified":"2023-03-15T02:30:07","modified_gmt":"2023-03-15T10:30:07","slug":"news-15209","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/03\/15\/news-15209\/","title":{"rendered":"Feds to Microsoft: Clean up your security act \u2014 or else"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/idge\/imported\/imageapi\/2022\/11\/10\/10\/cso_microsoft_cloud_app_security_cloud_apps_by_thinkstock_625397192_3x2_1500x1000-100801369-small-100934412-small.jpg\"\/><\/p>\n<p>The US government, worried about the continuing growth of cybercrime, ransomware, and countries including Russia, Iran, and North Korea hacking into government and private networks, is in the middle of drastically changing its cybersecurity strategy. No longer will it rely largely on prodding businesses and tech companies to voluntarily take basic security measures such as patching vulnerable systems to keep them updated.<\/p>\n<p>Instead, it now wants to establish baseline security requirements for businesses and tech companies and to fine those that don\u2019t comply.<\/p>\n<p>It\u2019s not just companies that use the systems who might eventually need to abide by the regulations. Companies that make and sell them, such as Microsoft, Apple, and others could be held accountable as well. 
Early indications are that the feds already have Microsoft in their crosshairs \u2014 they\u2019ve warned the company that, at the moment, it doesn\u2019t appear to be up to the task.<\/p>\n<p>First, let\u2019s delve into the government\u2019s emerging strategy.<\/p>\n<p>In early March, the Biden Administration released a new <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2023\/03\/02\/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy\/\" rel=\"nofollow noopener\" target=\"_blank\">National Cybersecurity Strategy<\/a>; it puts more responsibility on private industry and tech firms to follow best security practices such as patching systems to fight newly found vulnerabilities and using multifactor authentication whenever possible.<\/p>\n<p>US regulators have long recommended that tech companies do this. The difference now, <a href=\"https:\/\/www.nytimes.com\/2023\/03\/02\/us\/politics\/biden-cybersecurity-strategy.html\" rel=\"nofollow noopener\" target=\"_blank\">according to the <em>New York Times<\/em><\/a>, is that \u201cthe new National Cybersecurity Strategy concludes that such good-faith efforts are helpful but insufficient in a world of constant attempts by sophisticated hackers, often backed by Russia, China, Iran or North Korea, to get into critical government and private networks. Instead, companies must be required to meet minimum cybersecurity standards.\u201d<\/p>\n<p>In theory, if those standards aren\u2019t met, fines would eventually be imposed. Glenn S. Gerstell, former general counsel of the National Security Agency, explained it this way to the <em>Times<\/em>: \u201cIn the cyberworld, we\u2019re finally saying that Ford is responsible for Pintos that burst into flames, because they didn\u2019t spend money on safety.\u201d That\u2019s a reference to the Ford Pinto frequently bursting into flames when rear-ended in the 1970s. 
That led to a spate of lawsuits and a ramp-up in federal auto safety regulations.<\/p>\n<p>But cybersecurity requirements backed by fines aren\u2019t here yet. Dig into the new document and you\u2019ll find that because the new strategy is only a policy document, it doesn\u2019t have the bite of law behind it. For it to go fully into effect, two things need to happen. President Biden has to issue an executive order to enforce some of the requirements. And Congress needs to pass laws for the rest.<\/p>\n<p>It\u2019s not clear when lawmakers might get around to moving on the issue, if ever, although Biden could issue an executive order for parts of it.<\/p>\n<p>All that may sound as if the new strategy is toothless. But that\u2019s not quite the case. The US government is the world\u2019s biggest bully pulpit. It can put a tremendous amount of pressure on businesses and tech companies to follow the strategy by publicly criticizing them. That, in turn, could lead customers to shy away from some businesses\u2019 products and services. And, of course, the government can require that companies meet basic cybersecurity practices if they want government contracts.<\/p>\n<p>So, what does all this have to do with Microsoft? Plenty. The feds have made clear they believe Microsoft has a long way to go before it meets basic cybersecurity recommendations. At least one top government security official has already publicly called out Microsoft for poor security practices.<\/p>\n<p>Cybersecurity and Infrastructure Security Agency Director Jen Easterly <a href=\"https:\/\/www.cnbc.com\/2023\/02\/27\/cisa-director-praises-apple-security-suggests-microsoft-twitter-need-to-improve.html\" rel=\"nofollow noopener\" target=\"_blank\">recently criticized Microsoft during a speech at Carnegie Mellon University<\/a>. 
She said that only about one-quarter of Microsoft enterprise customers use multifactor authentication, a number she called \u201cdisappointing.\u201d That might not sound like much of a condemnation, but remember, this is the federal government we\u2019re talking about. It parses its words very carefully. \u201cDisappointing\u201d to them is the equivalent of \u201cterrible job\u201d anywhere else.<\/p>\n<p>Easterly also stung Microsoft by praising Apple, pointing out that 95% of iCloud users have multifactor authentication turned on because it\u2019s enabled by default. \u201cApple is taking ownership for the security outcomes of their users,\u201d she said. The implicit criticism is that Microsoft isn\u2019t.<\/p>\n<p>Eventually, the government\u2019s new cybersecurity strategy could be a serious issue for Microsoft unless it follows the recommended standards. If executive orders are issued and laws passed, the company could eventually be held liable if it doesn\u2019t do more to make sure its customers\u2019 software is regularly patched, or that its customers use multifactor authentication. The onus will be on Microsoft to design systems that can be more easily patched, are perhaps even self-patching, or that use multifactor authentication by default.<\/p>\n<p>Even without laws and executive orders, the company could be in trouble. The US government spends billions of dollars on Microsoft systems and services every year, a revenue stream that could be endangered if Microsoft doesn\u2019t adhere to the standards.<\/p>\n<p>Some in Congress already view the company with a gimlet eye because of past cybersecurity shortcomings. Two years ago, the Cybersecurity and Infrastructure Security Agency included $150 million in its budget to pay Microsoft to improve cloud security. 
That spending came after \u201ctwo enormous cyberattacks leveraged weaknesses in Microsoft products to reach into computer networks at federal and local agencies and tens of thousands of companies,\u201d <a href=\"https:\/\/www.reuters.com\/article\/us-usa-cyber-microsoft-exclusive\/exclusive-microsoft-could-reap-more-than-150-million-in-new-u-s-cyber-spending-upsetting-some-lawmakers-idUSKBN2B713L\" rel=\"nofollow noopener\" target=\"_blank\">according to Reuters<\/a>.<\/p>\n<p>The irony of giving Microsoft $150 million because its software is insecure was not lost on Congress. Sen. Ron Wyden (D-OR), who is on the intelligence committee, warned, \u201cIf the only solution to a major breach in which hackers exploited a design flaw long ignored by Microsoft is to give Microsoft more money, the government needs to reevaluate its dependence on Microsoft. The government should not be rewarding a company that sold it insecure software with even bigger government contracts.\u201d<\/p>\n<p>Two years ago, Microsoft got the extra money. But if the government\u2019s new National Cybersecurity Strategy has any force at all, that won\u2019t happen again.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3690592\/feds-to-microsoft-clean-up-your-security-act-or-else.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/idge\/imported\/imageapi\/2022\/11\/10\/10\/cso_microsoft_cloud_app_security_cloud_apps_by_thinkstock_625397192_3x2_1500x1000-100801369-small-100934412-small.jpg\"\/><\/p>\n<article>\n<section class=\"page\">\n<p>The US government, worried about the continuing growth of cybercrime, ransomware, and countries including Russia, Iran, and North Korea hacking into government and private networks, is in the middle of drastically changing its cybersecurity strategy. 
No longer will it rely largely on prodding businesses and tech companies to voluntarily take basic security measures such as patching vulnerable systems to keep them updated.<\/p>\n<p>Instead, it now wants to establish baseline security requirements for businesses and tech companies and to fine those that don\u2019t comply.<\/p>\n<p>It\u2019s not just companies that use the systems who might eventually need to abide by the regulations. Companies that make and sell them, such as Microsoft, Apple, and others could be held accountable as well. Early indications are that the feds already have Microsoft in their crosshairs \u2014 they\u2019ve warned the company that, at the moment, it doesn\u2019t appear to be up to the task.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3690592\/feds-to-microsoft-clean-up-your-security-act-or-else.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[1328,11067,10516,714],"class_list":["post-21478","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-government","tag-government-it","tag-microsoft","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21478"}],"version-histo
ry":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21478\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21478"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}