News of two major Microsoft security events in as many weeks should concern every federal agency, not just because of the breaches themselves, but because of what they reveal about how the company does business.

First, ProPublica uncovered that Microsoft allowed Chinese engineers to work on sensitive U.S. military cloud projects under the supervision of underqualified subcontractors. Then came a global cyberattack exploiting a critical flaw in Microsoft SharePoint, one still without a known fix, breaching U.S. agencies, universities, and energy firms. 

These aren’t isolated incidents. They’re symptoms of a business model built around restrictive and anticompetitive software licensing practices.

Time and again, Microsoft’s security failures turn into federal growth opportunities. After cyberattacks in 2021, Microsoft promised the Biden administration $150 million in free cybersecurity upgrades. What wasn’t said upfront? These freebies locked agencies into Microsoft tools, making it costly and complex to switch. Once agencies were locked in, Microsoft raised prices. This wasn’t charity or goodwill on Microsoft’s behalf: It was a calculated move to crowd out competitors, win long-term contracts, and deepen federal dependence on Microsoft’s ecosystem.

Then, in 2023, Chinese hackers known as Storm-0558 exploited a vulnerability in Microsoft’s cloud email service. They breached more than 500 individuals and 22 organizations worldwide, including senior U.S. government officials. A 34-page report by the Cyber Safety Review Board (CSRB) later described Microsoft’s security culture as “inadequate,” warning it “requires an overhaul” given the company’s central role in the tech ecosystem. It said Microsoft’s CEO and board should institute “rapid cultural change,” including publicly sharing “a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.”

The CSRB also criticized Microsoft’s delayed and opaque communications. The company waited until March 2024 to correct a misleading September 2023 blog post about the cause of the breach, after months of questioning from investigators.

Meanwhile, in early 2024, Russian hackers known as Midnight Blizzard infiltrated Microsoft’s corporate systems. Initially described as a limited incident, Microsoft later admitted that the breach was far more extensive: The hackers accessed sensitive internal emails, and even Microsoft’s source code. According to the company, Midnight Blizzard may now be using information found in customer emails to pursue further attacks.

At a June 2024 House Committee on Homeland Security hearing to address the series of cybersecurity incidents, Brad Smith, Microsoft’s vice chair and president, testified that the “bad news for the folks who want to sell plan B” is that public sector clients “don’t want to switch. They want us to get it right and we have to get it right to deserve their business.”

Smith is half right; customers don’t see a plan B, but that’s because their choice to switch providers has been effectively cut off. At the core of all of this is Microsoft’s software licensing strategy. The company routinely ties its core productivity software to an ever-growing bundle (which at the upper tier includes over 30 products), limits integrations with third-party providers, making it difficult for customers to diversify their systems, and restricts how customers can use their previously purchased software on other cloud providers. These practices are not just business tactics that lock in customers — they are very real security concerns. Every single customer who received an alert from Microsoft over the weekend regarding the SharePoint hack has had to learn that the hard way.

In addition to exposing companies to cybersecurity vulnerabilities, these practices also raise significant antitrust concerns — and are under scrutiny from regulators around the world, including reportedly by the Federal Trade Commission.

Microsoft’s largest customer — the U.S. government — needs to wake up to this threat. When customers license Microsoft software, they aren’t just buying tools — they’re buying into a system where exit is difficult, choice is limited, and security is too often an exposure.

The question isn’t whether Microsoft will respond to its latest failures. The company’s decades-long playbook — blaming the government for not doing more, then offering free upgrades post-breach only to raise prices and deepen lock-in — suggests they will deflect with a “nothing to see here” approach while capitalizing on vulnerabilities. 

The real question is whether the government will continue to accept a model that turns licensing restrictions into national dependence and vulnerabilities into profit, and repeatedly exposes our nation’s most critical information to those who wish to harm us.

Ryan Triplette is executive director of the Coalition for Fair Software Licensing.

The post Microsoft’s software licensing playbook is a national security risk appeared first on CyberScoop.
