Why do tax dollars keep flowing to Microsoft’s flawed security?

In the swampish waters of American politics, politicians love to portray themselves as champions of small businesses, fighting against the dominance of corporate behemoths. In reality, of course, they often act at the behest of large corporate interests seeking to consolidate power through subsidies, rule changes, and legislative trickery.

A glaring example of this monopolistic cronyism is the government’s substantial financial support for tech giants like Microsoft. During the 2023 fiscal year, the U.S. government allocated nearly $500 million in subsidies to Microsoft, despite more than 50% of government workers expressing concerns about the vulnerability of their systems to cyber attacks due to their overreliance on Microsoft’s productivity technology.

What could possibly be the rationale for continuing to pour millions of taxpayer dollars into substandard cybersecurity?

Such a significant subsidy raises questions about the true motivations behind such allocations and underscores just how corporate interests hold sway in government decision-making.

The worry among many government employees that relying too much on Microsoft technology makes them more vulnerable to cyber attacks should prompt change, especially given Microsoft software’s long history of security breaches.

For more than two decades, hackers have exploited more than 280 vulnerabilities in various Microsoft software products, highlighting their inherent weaknesses.

One of the more recent notable events occurred in the summer of 2023, when Microsoft Exchange Online was hit with a massive cyber intrusion. A subsequent investigation by the Department of Homeland Security attributed the breach to Microsoft’s negligence, which enabled a Chinese government-affiliated entity to gain unauthorized access to sensitive data. The breach compromised “22 organizations and over 500 individuals,” including “senior U.S. government officials such as Commerce Secretary Gina Raimondo and American ambassador to China, R. Nicholas Burns” — lax cybersecurity practices and national security risks made possible by a largely unaccountable tech monopoly.

The vulnerabilities within Microsoft's systems have not gone unnoticed by other U.S. adversaries. In March, reports emerged indicating that Russia’s SCR foreign intelligence service had exploited vulnerabilities in Microsoft software to infiltrate the company’s internal systems. All the more reason for heightened vigilance and active measures to address systemic weaknesses inherent in our current technological infrastructure.

Compounding these concerns are the recent cyber attacks targeting government agencies in the United States and Canada, which have raised serious doubts about the adequacy of their cybersecurity measures. In the United States, the Cybersecurity and Infrastructure Security Agency experienced breaches in two critical systems: the Infrastructure Protection Gateway and the Chemical Security Assessment Tool. Similarly, in Canada, government agencies have fallen victim to cyber breaches, further exacerbating concerns about the security of critical infrastructure and national interests.

Despite these alarming developments, both the United States and Canada continue to heavily invest in Microsoft. What could possibly be the rationale for continuing to pour millions of taxpayer dollars into substandard cybersecurity?

In Canada, the government allocated a staggering $299.8 million to Microsoft during the 2021-2022 fiscal year, despite that country’s smaller federal government.

Large investments and serious weaknesses in Microsoft’s systems highlight the critical need to reevaluate how governments buy technology and to use a diversity of suppliers to reduce security threats.

Cybersecurity threats aren’t going away. Governments need to actively improve their defenses and protect vital services. They should use a variety of technology providers, enforce tougher cybersecurity rules, and hold big companies like Microsoft responsible for any security failures.

By focusing on cybersecurity and using various strategies to manage it, governments can more effectively guard against cyber threats and reduce the risk of catastrophic damage from cyber attacks to key infrastructure and national security.