Published by The Lawfare Institute
in Cooperation With
On Feb. 1, Microsoft announced a new cybersecurity offering for federal government customers called the Modern Log Management Program. The program includes a suite of Microsoft’s visibility and remediation tools, which pull diagnostic data from various Microsoft products so that customers gain more insight into what’s happening on their networks. The goal of the program, according to Microsoft, is to help executive branch agencies meet new cybersecurity event logging requirements issued by the Office of Management and Budget (OMB) in August 2021 in a memorandum known as M-21-31. Microsoft has pledged to offer the program at a discounted price to help agencies “mitigate budget challenges from an increase in log source and log storage requirements required by M-21-31.”
This offer sounds almost charitable on Microsoft’s part, but a closer look at the circumstances that gave rise to M-21-31—and Microsoft’s unique place in federal information technology (IT)—highlights how Microsoft simultaneously combats, profits from and contributes to cybersecurity problems.
OMB introduces the requirements laid out in M-21-31 by observing that “[r]ecent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during, and after a cybersecurity incident.” The SolarWinds incident came to light in December 2020 when the cybersecurity company formerly known as FireEye announced its discovery of a Russian cyber-espionage campaign that would become popularly (though misleadingly) known as SolarWinds, which is the name of the software vendor behind a popular network monitoring product called Orion. Russian government hackers had infiltrated the vendor’s software development environment at some point in 2019 and installed malicious code in a software update—a type of attack known as a supply chain operation. When SolarWinds’s customers installed the update, the malicious code hidden within gave the Russian hackers a foothold for burrowing deeper inside SolarWind’s customers’ networks to steal secrets.
The campaign—which is known less popularly by the company-neutral monikers Nobelium and SUNBURST—is viewed by many observers as one of the most significant cyber incidents to date because it involved a supply chain operation and required significant planning and patience on the adversary’s part. And it impacted a range of victims: federal agencies, state and local governments, universities, and a large swath of the Fortune 500, including Cisco, Intel and Microsoft.
SUNBURST—the term I’ll use here for the campaign—must have produced an intelligence bonanza for the Russian government. And the threat actors have not let up: They continue to adapt their tradecraft to evade detection and carry out further attacks.
Despite the focus on SolarWinds as the main door the attackers entered, Microsoft is a common thread across many victims of the SUNBURST campaign. Once inside a victim’s network courtesy of Orion, the SUNBURST attackers often exploited known loopholes in how Microsoft’s cloud product, Microsoft 365, was configured. This allowed the attackers to expand their access to a victim’s IT environment, including the victim’s cloud accounts, and to hide their tracks.
For the roughly one-third of SUNBURST victims who did not use Orion but still got hacked, the attackers found different ways in, but once inside, they abused the same configuration loopholes in Microsoft 365 to burrow deeper and move laterally within the victim’s networks. Researchers from the Atlantic Council performed a comprehensive review of the SUNBURST campaign and concluded that “[i]t is this lateral movement into the cloud, and the effective abuse of Microsoft’s identity services, that distinguishes an otherwise large software supply chain attack from a widespread intelligence coup” for Russia.
Since the news of SUNBURST broke one year ago, the two companies have fared differently: SolarWinds has suffered while Microsoft has thrived. SolarWinds—whose internal cybersecurity practices have understandably come under fire and are the subject of litigation—has paid a heavy price for its role in the incident. Its product, Orion, was the attacker’s way in for an estimated 70 percent of the campaign’s victims. The company’s name has become synonymous with a Russian hacking campaign, and its competitors have seized the opportunity to market their products as a safe, easy-to-switch-to alternative. “Organizations can now get up and running today with no delay, no [capital expenditures], and no new expertise,” boasts one competitor about its alternative offering. SolarWinds has disclosed a running tally of nearly $40 million in expenses from the incident and continues to warn investors that the incident “is expected to negatively impact revenue, profitability and cash flows in 2021 and beyond.” Its stock price is down more than 40 percent since this time last year, notwithstanding a two-to-one reverse stock split and a special dividend in July.
Microsoft, by contrast, has fared much better. Its stock price is the mirror image of SolarWinds’s stock price, up well over 40 percent this year. And it experienced 22 percent year-over-year revenue growth, its fastest since 2018.
Despite these financial gains, 2021 was overall a very tough year in security for Microsoft.
First, there was the disclosure in March 2021 of what cybersecurity analyst Brian Krebs dubbed the “mass-hack” of zero-day vulnerabilities (that is, vulnerabilities that were previously unknown) in Microsoft Exchange Servers that adversaries could exploit remotely, with no user action. China and apparently other governments discovered and exploited the vulnerability months before Microsoft’s public disclosure and subsequent issuance of a patch. Within days of Microsoft’s disclosure, the victim count exceeded 60,000. A week later, Microsoft issued an update to fix 82 security problems in Windows, 10 of which the company deemed “critical” (including a particularly dangerous one involving Internet Explorer).
In June 2021, the company issued patches for six more zero-days that adversaries had already discovered and exploited. In July, it issued emergency updates to fix PrintNightmare, a vulnerability in the Windows Print Spooler service that could enable an adversary to take full control of a vulnerable system. The streak continued into August when one team of researchers announced the discovery of a design flaw in Microsoft Exchange Autodiscover that attackers could exploit to harvest Windows domain credentials and another team of researchers discovered a vulnerability that they exploited to achieve “complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers.”
September 2021 was especially tough. It began with Microsoft announcing the discovery of another remote code execution vulnerability, this time affecting MSHTML, a software component in Internet Explorer and Microsoft Office. The following week, it issued patches for three more zero-day vulnerabilities with the dreaded “critical” rating, meaning that adversaries could exploit them to compromise vulnerable systems. Later in the month, researchers discovered malware called FoggyWeb that the SUNBURST threat actors were installing on systems they had already compromised to steal configuration databases and security token certificates.
In October 2021, Microsoft said that it had informed more than 140 third-party resellers and service providers of Microsoft products that SUNBURST threat actors had targeted them. It also disclosed that 14 of them had been compromised as of October 2021.
To be sure, 2021 was a rough year for cybersecurity generally. Data compromises were way up, having already surpassed 2020 levels by September, according to one study. So were ransomware attacks. And 2021 also shattered the record for zero-day vulnerabilities, discovered only after being exploited in actual attacks “in the wild”—58 so far, which is double the number discovered in 2020. Microsoft products account for 21 of the zero-days—the most—but the list is peppered with entries involving products from Apple, Google and others too.
Indeed, a sizable chunk of SolarWinds’s customers appear willing to give the company a second chance—its customers have not defected en masse to providers of comparable services, according to data from the company’s 10-Q filing. In February 2021, months after discovering the SUNBURST campaign, SolarWinds CEO Sudhakar Ramakrishna told investors that “[t]he vast majority of the customers that I have spoken to understand that the cyber incident that affected us and others could have happened to any vendor, and especially a broadly deployed vendor like SolarWinds.”
If SolarWinds suffered a second incident, however, customers might not be so quick to forgive. Most digital products could disappear tomorrow, and the world would move on. When Facebook and its family of apps suffered an outage in October, for example, more than 3 billion people lost a means of communication. It inconvenienced many, but it was hardly Armageddon—other means of communication were unaffected. Similarly, organizations could disable Orion and then choose to either cancel their service (which some did after December 2020) or resume use after installing the security patch (which others, including the federal government, opted to do).
SolarWinds’s customers have a meaningful choice: forgive or cancel.
Microsoft is in a much different—and arguably, far stronger—competitive position vis-a-vis its customers. For organizations whose IT infrastructure is built on Microsoft products, switching to a different vendor for all or even part of this infrastructure can be an enormously complex, potentially disruptive and ultimately expensive endeavor. If customers face barriers to canceling a product—because switching is too costly or there aren’t practical alternatives—the vendor has leverage to transfer more risk to them. The customers are partially “locked-in.”
There is no question that Microsoft security personnel worked especially hard in 2021—nobody should question their commitment to protecting users from malicious activities. And in August 2021, the company announced additional support for federal cybersecurity at a White House summit with other tech giants—a welcome development as well.
But as John Pescatore, director of emerging security trends at the SANS Institute, put it in response to Microsoft’s security initiatives, “It is kind of like if Tesla formed a Digital Crimes Unit to shut down thieves that were stealing Tesla cars because the Tesla door locks didn’t work.” To extend the analogy further, imagine if canceling Tesla for a different automaker was formidable because the very act of switching was costly: Some customers may have little choice but to accept the heightened risk of theft, even if cost-effective alternatives are available. Customer lock-in is the dark side of the “winner take all” network effects that characterize parts of the marketplace for software. And it is bad for cybersecurity.
The intuition behind network effects is that the value of something to a user increases the more that others use it. Think about a collaboration platform: It isn’t very useful to a single user. As more and more people use it, however, its value to each user grows, which in turn draws even more users.
This dynamic tends to favor the emergence of a limited number of dominant providers. It also puts pressure on firms to capture market share quickly in the hopes of generating network effects that propel it to dominance. In the software industry, this rush to market gave rise to the quip “ship Monday, patch Tuesday”: better to get an insecure product with attractive features out quickly to capture and protect market share than to delay a launch to add more security, which customers may not value as much.
Network effects can make it hard for users to switch providers. For example, if part of the value that a customer derives from a product is that others use it too, switching to an alternative product could be an all-or-nothing proposition: It may only make sense to switch if the entire organization also takes the plunge. The costs and risks of switching can be substantial, however, and include costs that go well beyond the price of purchasing the alternative product: substantial investments of staff time to implement the switch, drops in productivity as users familiarize themselves with the new product, hits to morale if some users are unhappy about the switch, training for users and IT support staff, business disruptions if the switch doesn’t go as smoothly as planned. It’s a daunting list.
Consider the federal government. Microsoft’s Windows operating system is ubiquitous across the federal government, and its market share for office productivity among federal agencies is 85 percent, according to a recent study prepared by Omdia, a consultancy, for Google and a trade association. In a follow-up study, Omdia reported results from a survey of public-sector technology decision-makers. “The top reason cited by respondents (57%) for selecting a communication and collaboration partner was reducing work for their IT departments.” On the one hand, there is significant value in a product that reduces work for IT departments, even if other factors are relevant too (such as price and product performance).
On the other hand, if an IT department has organized its business processes around certain products—as the federal government has largely done for operating systems and productivity—and changing those processes is costly, the vendor has achieved some degree of lock-in. Inertia favors the incumbent and makes change difficult, even after events reveal risks in the status quo.
Some of Microsoft’s business practices over the past year raise eyebrows along these lines. For example, at first, Microsoft planned to charge the federal government for rather basic security features such as event logging in Microsoft 365 in response to the SUNBURST campaign, which exploited loopholes in Microsoft products. Such behavior is not consistent with how a company facing competitive pressures might be expected to act, especially after a rough year for security, like 2021. It later offered the federal government a free one-year subscription to these services, but only after lawmakers complained about the initial price tag and pointed out the irony of Microsoft charging customers a premium for services that help defend against shortcomings in Microsoft software.
More recently, Microsoft reportedly informed its business partners that the company plans in 2022 to roll out a 20 percent increase in the price of Office, its flagship line of productivity apps, for business customers unless they switch from a monthly subscription to an annual one. CNBC reporter Jordan Novet described the move as an example of Microsoft “using its market dominance in productivity software to force some customers of its Office suite into a big decision: pay more or commit to a longer subscription.” The company had previously announced substantial price increases for Microsoft 365.
There is nothing inappropriate, per se, about Microsoft driving a hard bargain for access to its products. But there is more to driving a hard bargain than just price—it extends to which features, including security features, are included at a given price point, from the default basic configuration to more premium offerings. If a vendor has leverage to charge more for security, it has a strong incentive to establish pricing tiers that allow it to upsell, with lower and less expensive tiers having weaker security attributes than higher, pricier tiers. Microsoft has a $15 billion security business that depends in part on its being able to upsell security services for its own products—which is exactly what Microsoft attempted to do to the federal government after the SUNBURST campaign came to light.
The fundamental question here is whether it is desirable or even possible that certain basic security features should be considered as “standard,” in the sense that a vendor must offer them or face a backlash from customers or regulators. There is obviously a demand (or lack thereof) problem at play: It is baffling that the federal government, or really any enterprise, would not have event-logging capabilities appropriate to its risk environment.
Microsoft’s grip on legacy IT in many organizations—including federal agencies—gives it a degree of negotiating power that complicates an otherwise easy jump to blaming users for not demanding more security from product vendors. From this perspective, Microsoft’s offer last year of free access for federal agencies to logging tools for one year feels a bit like a jam. Agencies are hard-pressed to say no to the offer, and then once they’ve accepted the free services, there’s no going back, even if Microsoft eventually converts the free services to a discounted (as in, no longer free) offering—as it seems to have done with its Modern Log Management Program.