Microsoft, Beset by Hacks, Grapples With Problem Years in the Making

Microsoft’s New York City office. (Jeenah Moon/Getty Images/TNS)

(Bloomberg News/TNS) — The world’s largest seller of cybersecurity products has a problem with its own cybersecurity.

In recent years, Microsoft Corp. has been hit with a series of embarrassing hacks that have exposed corporate and government customers. Earlier this month, the U.S. Cyber Safety Review Board issued a scathing report documenting the company’s inability to stop hackers tied to the Chinese government from pilfering the email boxes of U.S. officials. The report’s authors called on Microsoft to institute urgent reforms.

Amid the mounting criticism, the company has pledged its most ambitious security overhaul in two decades. Among other steps, Microsoft says it will move faster to address cloud vulnerabilities, make it harder for hackers to steal credentials and automatically enforce multi-factor authentication for employees.

The security reboot is a major commitment, but critics question whether Microsoft has sufficient incentive to make deep and lasting changes. Because customers are so reliant on the company’s software, they can’t easily switch to other providers. Microsoft’s cybersecurity operation, meanwhile, generates more than $20 billion in sales per year and has been among the company’s fastest-growing sources of revenue. Many of the anti-hacking tools are sold as a bundle with Microsoft’s software, prompting some critics to accuse the company of anti-competitive business practices.

Citing Microsoft’s “shambolic cybersecurity,” U.S. Sen. Ron Wyden introduced draft legislation on April 8 that would require the government to set mandatory cybersecurity standards for collaboration software. The Oregon Democrat said “vendor lock-in, bundling and other anti-competitive practices” result in the government spending “vast sums” on insecure software.

Noting the cyber review board’s assertion that Microsoft isn’t focused on security, Wyden told Bloomberg: “For a company that is entrusted with as much sensitive government information, particularly one generating tens of billions of dollars in cybersecurity revenue alone, that is unacceptable. Relying on government tech vendors to do the right thing out of the goodness of their own hearts has been a losing strategy for decades.”
