Google Cites ‘Monoculture’ Risks in Response to CSRB Report on Microsoft

Google is invoking the ‘monoculture’ word in response to a scathing U.S. government report on Microsoft’s inadequate cybersecurity practices.

The tech giant published a sharp statement Monday warning of “long-standing risk to public-sector organizations using the same vendor for operating systems, email, office software, and security tooling” and called on the government to mitigate risks from a Microsoft-centric monoculture.

“This approach raises the risk of a single breach undermining an entire ecosystem,” Google said of Microsoft’s dominant market share in government, enterprise and consumer ecosystems.

“Governments should adopt a multi-vendor strategy and develop and promote open standards to ensure interoperability, making it easier for organizations to replace insecure products with those that are more resilient to attack,” Google declared.

Even more, Google called on regulators to investigate restrictive licensing practices that impede a diverse supplier ecosystem and disincentivize innovation.

Google’s use of monoculture to describe the risk from Microsoft’s dominance echoes calls from an infamous 2003 report for society to become less dependent on a single operating system from a single vendor.

Google, which competes directly with Microsoft in the lucrative cloud business, noted that the Cyber Safety Review Board (CSRB) report documented “significant security failures and systematic weaknesses” at Microsoft and landed while Redmond was still struggling to contain a different breach by a nation-state-sponsored threat actor.

“It’s clear these problems are not going away,” Google said, calling on the US government to be stricter about purchasing only technology systems and products that are secure-by-design.

“Digital security cannot be an afterthought add-on to existing products,” Google said, adding that governments should give security a seat at the procurement table.

“Security assessments of technology products shouldn’t end when a product meets public sector accreditation standards. The technology management lifecycle should include the ability to trigger security recertifications for products suffering major security incidents, and take into account past performance when making buying decisions,” Google said.

In its review of the Microsoft Exchange Online hack, the Department of Homeland Security’s CSRB called out “a cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed” and warned that a second nation-state-backed hacking team (Russia) has also been rummaging through highly sensitive Microsoft corporate email accounts, source code repositories, and internal systems.

“The Board finds that this intrusion was preventable and should never have occurred,” the CSRB said. “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.” 

The CSRB, which styles itself as an independent investigative agency similar to the NTSB, said it found “a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

Since the release of the report, Microsoft has overhauled its cybersecurity strategy with a CEO-issued pledge to prioritize security above all other product features. The software giant has also hired a new CISO and rolled out a Secure Future Initiative promising faster cloud patches and better management of identity signing keys. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
