The Register

Ex-White House cyber, counter-terrorism guru: Microsoft considers security an annoyance, not a necessity

Comment: Roger Cressey served two US presidents as a senior cybersecurity and counter-terrorism advisor and currently worries he’ll experience a “political aneurysm” due to Microsoft’s many security messes.

In the last few weeks alone, Microsoft disclosed two major security vulnerabilities – along with news that attackers exploited one involving SharePoint as a zero-day. The second flaw, while not yet under exploitation, involves Exchange server – a favorite of both Russian and Chinese spies for years.

The Windows giant disclosed the Exchange bug late Wednesday, hours after becoming a $4 trillion company.

Cressey, who served in the Clinton and Bush administrations, prefers to call it “A $4 trillion monster.”

“And from a national security perspective, this really bothers me,” Cressey, now a partner with Liberty Group Ventures, told The Register.

“The Chinese are so well prepared and positioned on Microsoft products that in the event of hostilities, we know for a fact that Chinese actors will target our critical infrastructure through Microsoft products for two reasons,” he said. “One: [Microsoft products] are everywhere within our digital ecosystem. And two: they are so vulnerable that the Chinese familiarity of them makes it a door already open. So that’s what gives me the political aneurysm here.”

Prior to spending several years in the White House, Cressey served in the departments of Defense and State. He’s worked in the private sector as a counterterrorism professor and cybersecurity consultant since 2001.

“This is the latest episode of a decades-long process of Microsoft not taking security seriously. Full stop,” Cressey said, acknowledging that the government continues spending billions on Microsoft products. “Anytime there’s a major announcement of a Microsoft procurement by the government, the happiest people in the world first are in Redmond and second in Beijing.”

Microsoft declined to comment for this story, but did point out that Google Cloud is a client of Cressey’s in his consulting work.

Groundhog Day … but with national security implications

Cressey isn’t the first to point out Microsoft’s poor security record has national security implications. They resurface after every major breach … and then nothing changes.

AJ Grotto, another former senior White House cyber policy director, called Redmond’s security failures a national security issue and said they date back at least to the SolarWinds hack.

CrowdStrike Senior VP of Counter Adversary Operations Adam Meyers told The Register the same thing and likened Microsoft’s stranglehold on government tech to the mafia shortly after Redmond’s January 2024 admission that Russia’s Cozy Bear had, once again, broken into its network.

In June 2024, US lawmakers questioned Microsoft President Brad Smith about his company’s business in China during a Congressional hearing about a Homeland Security report that blasted Microsoft for a series of “avoidable errors.”

These errors, the investigation found, allowed Beijing-backed cyberspies to steal tens of thousands of sensitive emails from the Microsoft-hosted Exchange Online inboxes of high-ranking US government officials.

At the time, however, Smith defended Microsoft, which he claimed to be above the rule of law – in China, at least.

National intelligence laws in China can be used to force companies operating there to provide snooping services for the government, or hand over proprietary code if pressured to do so. But Smith claimed Microsoft doesn’t have to comply with that.

More recently, following the SharePoint attacks, frequent Microsoft critic and US Senator Ron Wyden (D-OR) told us that “government agencies have become dependent on a company that not only doesn’t care about security, but is making billions of dollars selling premium cybersecurity services to address the flaws in its products.”

The US Energy Department, including its National Nuclear Security Administration (NNSA), which maintains America’s nuclear weapons, was among the 400-plus victims in this most recent mass exploitation of a Microsoft product.

“Each hack caused by Microsoft’s negligence results in increased government spending on Microsoft cybersecurity services,” Wyden continued. “The government will never escape this cycle unless it stops rewarding Microsoft for its negligence with bigger and bigger contracts.”

There is no indication that Washington, or Microsoft, is changing.

“We are living the definition of insanity when it comes to our expectations of Microsoft,” Cressey said, a reference to the aphorism “Insanity is doing the same thing over and over again and expecting different results.”

China’s deep familiarity with Microsoft products

According to Cressey, security holes in Microsoft products aren’t the only risk Redmond poses: its presence in China hurts, too.

“In what universe does any member of Microsoft security think it makes sense to have Chinese engineers touch anything related to our government and cloud infrastructure,” he said, referring to recent ProPublica reports that revealed Microsoft for years used a China-based engineering team to support SharePoint.

Last month, a similar ProPublica story said Microsoft has for a decade relied on Chinese workers to maintain the Defense Department’s cloud systems with oversight from US-based “digital escorts.”

“When I was doing counter terrorism for a living, we had this major issue with Pakistan as a sanctuary for al Qaeda,” Cressey said. “We used to say the Pakistanis were either incapable or unwilling to do something significant against their al Qaeda presence.”

“I feel like Microsoft is this equivalent of Pakistan right now in cybersecurity: they’re either incapable or unwilling to take the actions that truly could make a difference,” he continued.

“Because, rest assured, if this was another company that was conducting these same types of practices, the furor would be off the charts, and people would be demanding to know why are we allowing this product and this company to have such major touch points within our national security infrastructure?”

The reasons for this, according to Cressey and others, include Microsoft being very good at sales and the government being cost-conscious, which makes it hard to pass up the offer of “free” security products and services (for a limited time), even though the deal locks in federal customers.

“When you’re giving away Microsoft Defender for free, that is the gateway drug to becoming chemically dependent on Microsoft infrastructure,” he said.

Will Trump hold Microsoft accountable?

Cressey is hopeful that the Trump administration, with its “unconventional” approach to government contracts, will “hold companies like Microsoft accountable for their security failures.”

On Wednesday, Senate Intelligence Committee Chair Tom Cotton (R-AR) sent a letter [PDF] to Defense Secretary Pete Hegseth urging him to ban non-US citizens from accessing Department of Defense systems.

Cotton also praised Hegseth’s “ongoing actions” to eliminate Chinese engineers’ access to DOD systems and requested a briefing about any security vulnerabilities in the DOD’s contracts and software related to “Microsoft’s business dealings in China.”

“I’m not saying we should just get rid of Microsoft, I’m saying Microsoft has got to be better at what it does,” Cressey said. “At the end of the day, we as a nation are suffering because the number one software company we rely upon continues to treat security as an annoyance and not a necessity.”

“Sure as the Sun rises in the east, there will be another story soon of Microsoft falling short on security,” he told The Register during a Wednesday interview – before Microsoft and CISA sounded the alarm on another high-severity bug in Exchange Server hybrid deployments.

So we reached out again to Cressey on Thursday morning to see what he had to say on the new CVE.

“It just never ends,” he said. “Eighty-five percent of the federal government uses Microsoft 365, and this is the latest example of why Microsoft deficiencies present such a high risk to national security. This should be the tipping point for the Administration to pause any new awards to Microsoft and demand that Microsoft does a comprehensive security audit before they are eligible for future procurement.”

Maybe it’s the tipping point. But we’re not holding our breath. ®