Microsoft views security as an inconvenience rather than a fundamental requirement, according to a former White House cyber and counter-terrorism advisor.
In the realm of technology, Microsoft stands as a $4 trillion behemoth from a national security perspective, according to Roger Cressey, a former senior cybersecurity and counter-terrorism advisor. This designation comes amidst concerns that Chinese actors may target critical infrastructure through Microsoft products in the event of hostilities.
Recent events have underscored these concerns. In the last few weeks, Microsoft disclosed two major security vulnerabilities, one of which involves the Exchange server, a favourite of Russian and Chinese spies for years. The new Exchange server bug can lead to 'total domain compromise', posing a significant threat to sensitive U.S. government agencies and defense infrastructure.
The US Energy Department, including its National Nuclear Security Administration (NNSA), was among the 400-plus victims in a recent mass exploitation of a Microsoft product. This incident highlights the potential for critical breaches, with Chinese state-backed hackers exploiting flaws such as in Microsoft’s cloud email service and SharePoint, leading to breaches of senior officials and critical institutions.
Microsoft’s business practices have deepened federal dependence on its software ecosystem, which critics argue compounds risk by locking agencies into potentially vulnerable systems and making it costly to transition to alternatives. The company's use of Chinese engineers in sensitive roles, including maintaining U.S. Department of Defense cloud systems for a decade, raises further national security concerns.
Partnerships with Chinese entities require data localization in China and may expose American data to the Chinese Communist Party, amplifying risk to sensitive U.S. information. The volume and severity of Microsoft vulnerabilities continue to challenge security efforts, with numerous critical flaws leading to repeated attacks and outages affecting critical services.
Efforts to address these issues include heightened scrutiny and public criticism by government and cybersecurity experts, calling for rapid and cultural changes in Microsoft’s security practices. Microsoft has released security patches, such as the August 2025 update fixing 107 vulnerabilities including a zero-day flaw, aiming to mitigate risks from known exploits. However, concerns about data exposure and reliance on Microsoft technology remain high.
Senator Ron Wyden criticizes the government for rewarding Microsoft with bigger contracts despite its negligence leading to hacks and increased government spending on Microsoft cybersecurity services. Some suggest a pause in any new awards to Microsoft and a comprehensive security audit before they are eligible for future procurement. Senator Tom Cotton sent a letter urging the Defense Secretary to ban non-US citizens from accessing Department of Defense systems.
Other voices join the chorus of concern. AJ Grotto, another former senior White House cyber policy director, called Redmond's security failures a national security issue. The provision of "free" security products and services by Microsoft may create dependency on Microsoft infrastructure, compounding the issue further.
As the national security implications of Microsoft’s security vulnerabilities and its presence in China continue to unfold, it is clear that a comprehensive approach to addressing these concerns is necessary. This approach should encompass not only patching critical flaws but also fundamental reform of Microsoft’s product security and a reevaluation of its business practices.
- The cybersecurity concerns about Microsoft's products, particularly from Chinese actors, have intensified following the discovery of two major security vulnerabilities in recent weeks, one of which affects the Exchange server, a device favored by Russian and Chinese spies for years.
- The latest Exchange server bug could result in 'total domain compromise', posing a significant threat to sensitive U.S. government agencies and defense infrastructure.
- The US Energy Department, including its National Nuclear Security Administration (NNSA), is among the 400-plus victims of a recent mass exploitation of a Microsoft product.
- Microsoft's business practices, such as dependence on its software ecosystem and the use of Chinese engineers in sensitive roles, further complicate national security issues.
