Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Google Cites ‘Monoculture’ Risks in Response to CSRB Report on Microsoft

Google is invoking the ‘monoculture’ word in response to a scathing U.S. government report on Microsoft’s inadequate cybersecurity practices.

Google Cloud AI Features

Google is invoking the ‘monoculture’ word in response to a scathing U.S. government report on Microsoft’s inadequate cybersecurity practices.

The tech giant published a sharp statement Monday warning of “long-standing risk to public-sector organizations using the same vendor for operating systems, email, office software, and security tooling” and called on the government to mitigate risks from a Microsoft-centric monoculture.

“This approach raises the risk of a single breach undermining an entire ecosystem,” Google said of Microsoft’s dominant market share in government, enterprise and consumer ecosystems.

“Governments should adopt a multi-vendor strategy and develop and promote open standards to ensure interoperability, making it easier for organizations to replace insecure products with those that are more resilient to attack,” Google declared.

Even more, Google called on regulators to investigate restrictive licensing practices that impede a diverse supplier ecosystem and disincentivize innovation.

Google’s use of monoculture to describe the risk from Microsoft’s dominance echoes calls from an infamous 2003 report for society to become less dependent on a single operating system from a single vendor.

Google, which competes directly with Microsoft in the lucrative cloud business, noted that the Cyber Safety Review Board (CSRB) report documented “significant security failures and systematic weaknesses” at Microsoft and landed while Redmond was still struggling to contain a different breach by nation state-sponsored threat actor.

“It’s clear these problems are not going away,” Google said, calling on the US government to be more strict about purchasing technology systems and products that are secure-by-design.

Advertisement. Scroll to continue reading.

“Digital security cannot be an afterthought add-on to existing products,” Google said, adding that governments should give security a seat at the procurement table.

“Security assessments of technology products shouldn’t end when a product meets public sector accreditation standards. The technology management lifecycle should include the ability to trigger security recertifications for products suffering major security incidents, and take into account past performance when making buying decisions,” Google said.

In its review of the Microsoft Exchange Online hack, the Department of Homeland Security’s CSRB called out “a cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed” and warned that a second nation state-backed hacking team (Russia) has also been rummaging through highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems. 

“The Board finds that this intrusion was preventable and should never have occurred,” the CSRB said. “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.” 

The CSRB, which styles itself as an independent investigative agency similar to the NTSB, said it found “a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

Since the release of the report, Microsoft has overhauled its cybersecurity strategy with a CEO-issued pledge to prioritize security above all other product features. The software giant has also hired a new CISO and rolled out a Secure Future Initiative promising faster cloud patches and better management of identity signing keys. 

Related: Microsoft Overhauls Cybersecurity Strategy After Scathing CSRB Report

Related: Microsoft’s Security Chickens Have Come Home to Roost

Related: Russian Hackers Stole Microsoft Source Code After Spying on Exec Emails

Related: Microsoft Hires New CISO in Major Security Shakeup

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider Horizon3.ai.

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights