MICROSOFT PUTS PROFITS BEFORE CYBERSECURITY Part 2
Recent investigative reporting by ProPublica showed that Microsoft has put making profits, through securing a place as an industry leader in cloud computing, ahead of keeping its customers safe from cyberattacks – with very harmful results. [1] Punishments for corporations and their executives need to be increased to deter this type of corrupt extreme capitalism.
(Note: If you find my posts too long to read on occasion, please just skim the bolded portions. Thanks for reading my blog!)
Microsoft failed for three years to address a known flaw in its software that allowed Russian hackers in the SolarWinds breach to gain access to the data and emails of its customers, including sensitive agencies of the federal government. Moreover, its president lied in testimony to Congress, claiming first that Microsoft flaws had not contributed to the breaches and later that he and Microsoft had not been aware of the flaw. (See this previous post for more details.)
In 2016, when the flaw was discovered, Microsoft was in a major industry battle to be a leader in cloud computing services and was vying for a multi-billion-dollar Defense Department cloud computing contract. Admitting to a software vulnerability in a related product would have hurt Microsoft’s chances of winning the contract. The Microsoft employee who discovered and reported the flaw, Andrew Harris, was told that the decision not to fix the software flaw was a business decision, not a technical one.
As background, Microsoft’s new CEO in 2014, Satya Nadella, saw cloud computing as the future of the technology industry and staked Microsoft’s future on being a major player in this arena. Under pressure to catch up to industry-leader Amazon, Microsoft focused on new features and functionality for its cloud computing products to generate sales and profits and not on security fixes, which cost money and have no immediately visible benefit.
In 2024, Microsoft President Brad Smith was called back to testify before Congress again (see this previous post for information on his 2021 appearance) after a series of cyberattacks on the federal government linked to flaws in Microsoft products. For example, in 2023, Chinese hackers exploited a Microsoft security flaw to access the email accounts of senior government officials. In addition, ProPublica’s reporting on Microsoft’s culpability in the 2019 SolarWinds breach (see this previous post for more information) had been published the day of Smith’s testimony. ProPublica had contacted Microsoft two weeks before with detailed questions related to its investigation and a request for an interview with Smith. Nonetheless, Smith claimed in his testimony to be unaware of the role of a Microsoft software flaw in the SolarWinds breach. [2]
The Federal Cyber Safety Review Board, in reviewing the Microsoft-related security breaches, found that Microsoft’s “security culture was inadequate and requires an overhaul.”
Microsoft’s ignoring of cybersecurity issues to maximize profits has put its customers at risk. It has allowed Russian, Chinese, and other hackers to steal information and data from government agencies, businesses, and their customers.
Publicly traded corporations, like Microsoft, are beholden to profits, to the price of their stock, and to stockholders, not to customers or any sense of the public good. That’s the reality of the unregulated, extreme capitalism allowed by current U.S. laws. This and the extreme personal wealth accumulation it allows seem to have resulted in greed rising to new heights and ethics falling to new lows.
The frequency, pervasiveness, and repetitiveness of business scandals driven by putting profits first and foremost are astounding. If you want to see how pervasive corporate violations of the law are, look at the Violation Tracker database compiled by Good Jobs First.
An underlying theme of this corrupt corporate behavior is the loss of robust competition in the marketplace due to the emergence of a handful of huge, monopolistic corporations in many industries. This has happened largely through mergers and acquisitions that went ahead because there has been little or no enforcement of antitrust laws since the 1980s (until very recently).
To stop corporate corruption and bad behavior, there must be more enforcement with greater penalties. Otherwise, corporations just treat the penalties they pay as a cost of doing business. The size of the penalties must be big enough that it significantly reduces a corporation’s profits and share price. This would impact stockholders, particularly big ones, including senior executives. The impact should be big enough to put senior executives’ jobs at risk.
For substantial illegal behavior by their corporations, CEOs and other senior executives need to be held personally accountable with criminal charges, the ability to make them return compensation (especially bonuses for generating big profits), and the risk of being fired with no severance package.
The ultimate penalty would be to revoke the corporation’s charter to do business, forcing the liquidation of the corporation. This does not seem likely to happen, so when the illegal or corrupt behavior is serious enough or repetitive enough, the financial penalties must be big enough to potentially put the corporation into bankruptcy and out of business – if the goal is to truly stop corporate corruption and bad behavior. Furthermore, corporations with a track record of serious violations should be banned from doing business with the federal government.
I urge you to contact President Biden to ask him to have the Department of Justice and other agencies investigate and seriously punish Microsoft and its executives for allowing dangerous cybersecurity breaches. You can email President Biden at http://www.whitehouse.gov/contact/submit-questions-and-comments or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414.
I urge you to contact your U.S. Representative and Senators to ask them to pass laws that place serious penalties and punishments on corporations and their executives when they put profits before the safety and security of their customers and the public. You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.
[1] ProPublica, 6/18/24, “Nine takeaways from our investigation into Microsoft’s cybersecurity failures” (https://www.propublica.org/article/microsoft-solarwinds-what-you-need-to-know-cybersecurity)
[2] Dudley, R., with Burke, D., 6/13/24, “Microsoft president grilled by Congress over cybersecurity failures,” ProPublica (https://www.propublica.org/article/microsoft-solarwinds-cybersecurity-house-homeland-security-hearing)