On Thursday, in his final week in office, President Joe Biden issued an executive order intended to strengthen the nation’s cyber defenses, in part by requiring software providers like Microsoft to provide proof that they meet certain security standards before they can sell their products to the federal government.
The action follows an onslaught of cyberattacks in recent years in which hackers linked to Russia, China and other adversaries have exploited software vulnerabilities to steal sensitive documents from federal agencies.
In demanding more accountability from software makers, Biden pointed to instances in which contractors “commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise.”
In June, ProPublica reported on such a case involving Microsoft, the largest IT vendor to the federal government. In the so-called SolarWinds attack, which was discovered shortly before Biden took office, Russian state-sponsored hackers exploited a weakness in a Microsoft product to steal sensitive data from the National Nuclear Security Administration and other agencies. ProPublica found that, for years, Microsoft leaders ignored warnings about the flaw from one of their own engineers because they feared that publicly acknowledging it would alienate the federal government and cause the company to lose ground to competitors.
That profit-over-security culture was driven in large part by the rush to gain ground in the multibillion-dollar cloud computing market, the news organization reported. One former Microsoft supervisor described the attitude as, “Do whatever it frickin’ takes to win because you have to win.”
Microsoft has defended its decision not to address the flaw, telling ProPublica in June that the company’s assessment at the time involved “multiple reviews” and that it considers several factors when making security decisions, including “potential customer disruption, exploitability, and available mitigations.” But in the months and years following the SolarWinds hack, Microsoft’s security lapses contributed to other attacks on the government, including one in 2023 in which hackers connected to the Chinese government gained access to top U.S. officials’ emails. The federal Cyber Safety Review Board later found that the company had deprioritized security investments and risk management, resulting in a “cascade of … avoidable errors.”
Microsoft has pledged to put security “above all else.”
To be sure, Microsoft is not the only company whose products have provided hackers entree to government networks. Russian hackers in the SolarWinds attack gained access to victim networks through tainted software updates provided by the Texas-based SolarWinds company before exploiting the flawed Microsoft product.
To help prevent future hacks, the government wants IT companies to provide proof that they use “secure software development practices to reduce the number and severity of vulnerabilities” in their products, according to the order. In addition, the government “needs to adopt more rigorous third-party risk management practices” to verify the use of such practices, Biden said. He asked for changes to the Federal Acquisition Regulation, the rules for government contracting, to implement his recommendations. If fully enacted, violators of the new requirements could be referred to the attorney general for legal action.
Biden also said that strengthening the security of federal “identity management systems” was “especially critical” to improving the nation’s cybersecurity. Indeed, the Microsoft product that was the focus of ProPublica’s June article was a so-called “identity” product that allowed users to access nearly every program used at work with a single logon. By exploiting the weakness in the identity product during the SolarWinds attack, the Russian hackers were able to swiftly vacuum up emails from victim networks.
In November, ProPublica reported that Microsoft capitalized on SolarWinds in the wake of the attack, offering federal agencies free trials of its cybersecurity products. The move effectively locked those agencies in to more expensive software licenses and vastly expanded Microsoft’s footprint across the federal government. The company told ProPublica that its offer was a direct response to “an urgent request by the Administration to enhance the security posture of federal agencies.” In his executive order, Biden addressed the fallout of that 2021 request, directing the federal government to mitigate the risks presented by the “concentration of IT vendors and services,” a veiled reference to Washington’s increased dependence on Microsoft, which some lawmakers have referred to as a “cybersecurity monoculture.”
Though the order marks a firmer stance with the technology companies supplying the government, enforcement will fall to the Trump administration. It’s unclear whether the incoming president will see the changes in the executive order through. President-elect Donald Trump has emphasized deregulation even as he has indicated that his administration will take a tough stance on China, one of the nation’s top cyber adversaries.
Neither Microsoft nor the Trump transition team responded to requests for comment on the order.
Thursday’s executive order was the latest in a series of regulatory efforts impacting Microsoft in the waning days of the Biden administration. Last month, ProPublica reported that the Federal Trade Commission is investigating the company in a probe that will examine whether the company’s business practices have run afoul of antitrust laws. FTC attorneys have been conducting interviews and setting up meetings with Microsoft competitors, and one key area of interest is how the company packages popular Office products together with cybersecurity and cloud computing services.
This so-called bundling was the subject of ProPublica’s November investigation, which detailed how, beginning in 2021, Microsoft used the practice to box competitors out of lucrative federal contracts. The FTC views the fact that Microsoft has won more federal business even as it left the government vulnerable to hacks as an example of the company’s problematic power over the market, a person familiar with the probe told ProPublica.
Microsoft has declined to comment on the specifics of the investigation but told the news organization last month that the FTC’s recent demand for information is “broad, wide ranging, and requests things that are out of the realm of possibility to even be logical.”
The commission’s new leadership, chosen by Trump, will decide the future of that investigation.