Sens. Eric Schmitt, R-Mo., and Ron Wyden, D-Ore., have “serious concerns” with the Department of Defense’s (DoD) plan to invest in Microsoft product upgrades to support zero trust goals, according to a May 29 letter.
In the letter sent to DoD Chief Information Officer John Sherman, the senators wrote that they’re concerned the Pentagon is “doubling down” on increasing its dependence on Microsoft, a plan the lawmakers described as a “failed strategy.”
In a draft memo, Sherman is pushing all department components to start upgrading to Microsoft’s E5 licenses to support the agency’s ongoing zero trust transition. The E5 license would give the components access to Microsoft 365 Defender and other tools that help with insider risk management, identity protection, and more.
If the memo is published as-is, Pentagon offices would have until June 2025 to complete the transition and install these new tools.
The senators acknowledged and praised DoD’s effort to invest in greater cybersecurity but said they are concerned at the department’s decision to “[double] down on a failed strategy of increasing its dependence on Microsoft” at a time when the tech giant has been pinned to “concerning cybersecurity lapses that led to a massive hack of senior U.S. officials’ communications.”
Since last summer’s cyberattacks, Microsoft has faced scrutiny from lawmakers and government officials over its cybersecurity practices.
In the early summer of 2023, Storm-0558, a hacking group associated with the Chinese government, compromised 22 enterprise organizations and over 500 individuals globally due to “a cascade of failures” by Microsoft, according to a report from the Cyber Safety Review Board.
The report explained that the hacking group leveraged a stolen Microsoft signing key to authenticate customers, allowing them to masquerade as Federal users across email systems used by the U.S. State Department, U.S. Department of Commerce, and the U.S. House of Representatives.
“Although we welcome the Department’s decision to invest in greater cybersecurity, we are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs, and better outcomes related to cybersecurity,” the letter states.
Following the attacks, the tech giant announced new security upgrades to better protect its customers against cyber threats, including improved security protections for identity signing keys.
However, these security upgrades have not calmed the senators’ concerns.
Sens. Schmitt and Wyden specifically ask Sherman to answer a set of questions about the proposed plan, including whether the Pentagon has considered working with other cybersecurity vendors.
“DoD’s further push towards software monoculture exposes our national security apparatus to avoidable risks. DoD should embrace an alternate approach, expanding its use of open-source software and software from other vendors, that reduces risk concentration to limit the blast area when our adversaries discover an exploitable security flaw in Microsoft’s, or another company’s software,” the letter states.
Additionally, the senators asked Sherman for an update on when the Pentagon plans to release a congressionally mandated report detailing the “risks and benefits” tied to buying Microsoft’s products.
Microsoft had no official comment, but a spokesperson shared with MeriTalk a blog post that applauded the DoD’s zero trust strategy and laid out guidance for how Microsoft can support the components with implementing the department’s target level zero trust goals.
A Pentagon spokesperson told Meritalk that the Department “provides responses directly to members of Congress in matters of this kind” and at this time had no additional information to provide.
A spokesperson from Sen. Schmitt’s office said they have not received a response from Sherman.
