Microsoft could reap more than US$150m in new cyber spending

Draft plan angers some US lawmakers who say firm is profiting from its faulty software

San Francisco

MICROSOFT stands to receive nearly a quarter of Covid relief funds destined for US cybersecurity defenders, sources told Reuters, angering some lawmakers who don't want to increase funding for a company whose software was recently at the heart of two big hacks.

Congress allocated the funds at issue in the Covid relief bill signed on Thursday after two enormous cyber attacks leveraged weaknesses in Microsoft products to reach into computer networks at federal and local agencies and tens of thousands of companies.

One breach attributed to Russia in December grabbed e-mails from the Justice Department, Commerce Department and Treasury Department. The hacks pose a significant national security threat, frustrating lawmakers who say Microsoft's faulty software is making it more profitable.

"If the only solution to a major breach in which hackers exploited a design flaw long ignored by Microsoft is to give Microsoft more money, the government needs to re-evaluate its dependence on Microsoft," said Oregon Senator Ron Wyden, a leading Democrat on the intelligence committee.

"The government should not be rewarding a company that sold it insecure software with even bigger government contracts."

Microsoft previously said it prioritises fixing attacks that it sees in wide use. A draft spending plan by the Cybersecurity Infrastructure Security Agency (CISA) allocates more than US$150 million of their new US$650 million funding for a "secure cloud platform", according to documents seen by Reuters and sources.

More precisely, the money has been budgeted for Microsoft, according to four people briefed on the choice, largely to help other federal agencies upgrade their existing Microsoft deals to improve security of their cloud systems. A CISA spokesman declined to comment.

A key service Microsoft provides, known as activity logging, allows its clients to keep watch on data traffic within their part of the cloud and spot inconsistencies that could reveal hackers at work.

Officials have sought access to Microsoft's premium tracking capability after discovering the lack of logs made it much harder to investigate recent hacks tied to nation states.

Microsoft said on Sunday that while all its cloud products have security features, "larger organisations may require more advanced capabilities such as a greater depth of security logs and the ability to investigate those logs and take action". It did not address the fairness issues raised by lawmakers.

While some senior US cyber officials feel they have no choice but to pay up, Senator Wyden and three other lawmakers have publicly raised concerns about the plan.

Most major software has been penetrated by well-financed teams of hackers at one time or another, but the ubiquity of Microsoft's products makes it a prime target. REUTERS


BT is now on Telegram!

For daily updates on weekdays and specially selected content for the weekend. Subscribe to