The Software Licensing Disease Infecting Our Nation's Cybersecurity

Forcing Microsoft to compete fairly is the most important next step in building a better defense against foreign actors.

Steve Weber, Professor of the Graduate School, UC Berkeley School of Information

June 18, 2024

4 Min Read
US Capitol building
Source: Michael Urmann via Alamy Stock Photo

COMMENTARY

This month, Microsoft president Brad Smith was confronted by the US House Committee on Homeland Security, in a hearing over the cybersecurity woes that have plagued the government as a direct result of the company's security shortcomings. These issues, however, don't just come down to insecure products. They're symptoms of a larger disease — a lapse in market and competition policy that has allowed Microsoft to dominate virtually all of the public sector technology market. And the US government's failure to properly diagnose the deeper cause puts us all at risk. 

Microsoft, by its own admission, is ground zero for state-sponsored hacking groups, and flaws in the company's software have been responsible for a huge proportion of cyber breaches affecting the US government in recent memory. Our country's cyber watchdogs — the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and Cyber Safety Review Board (CSRB) — have spent considerable resources assessing these incidents and trying to assess and address Microsoft's vulnerabilities.

There's a fundamental problem with this process. The government is confusing symptoms — persistent hacks, breaches, and vulnerabilities — with an underlying disease: the lack of competition around cybersecurity. Microsoft has systematically exploited weaknesses in procurement processes to stifle competition and lock government customers into its insecure technology. That confusion ultimately leaves the government's tools to enhance competition on the sidelines, when those tools are the best remedy for cyber insecurity.

The Problem With Microsoft's Market Share

Microsoft holds an 85% market share of government collaboration and communications technology and now is awarded at least a quarter of its contracts without any meaningful competition. It's reached this position through a series of deliberate, anticompetitive moves the government has largely neglected. Stretched government procurement officers and chief information security officers (CISOs) are taking the path of least resistance. That's not their fault; it's a difficult consequence of their job. But Microsoft exploits this by making it expensive and difficult to run its software on a competitor's cloud, including charging a five-times premium just to use Word on Amazon's cloud instead of its own Azure cloud service. Microsoft bundles dozens of ancillary applications with its Office productivity apps in its licenses (including Access, Delve, Viva, and others), which stifles competition by linking basic, widely used services with less popular ones and pricing them as free.

The result? A software monoculture with a simple attack surface for the United States' adversaries with nearly a single point of failure: Microsoft. This is a major threat to national security. The potential harm is real and expensive. The US government spent more than $11.1 billion on cybersecurity in 2023, in large part trying to compensate for and respond to the Microsoft incidents that left it vulnerable to intrusion. 

Some lawmakers are ready to take action. Senator Ron Wyden recently drafted legislation that would require the government to set new standards for collaboration software in response to a CSRB report. It's a good step, but it solves only part of the problem. Even if the government can collaborate with other providers while using Microsoft's software, the company's licenses still make it very expensive, all at a major cost to the taxpayer.

A Better Solution Is Needed

The government must use all the tools at its disposal to create a more comprehensive solution that immediately targets the root cause of its cybersecurity woes: Microsoft's anticompetitive licensing restrictions. These tools include using the General Services Administration (GSA) to modify procurement processes as a means of bolstering national security. The GSA is responsible for providing agencies with cost-effective, high-quality products from diverse vendors, and the evidence is clear that Microsoft doesn't meet these standards. The GSA can take action by either negotiating better licensing conditions with the company or by looking at other vendors to help diversify the government's tech infrastructure. That would be a strong and timely step to set the stage for more comprehensive and sweeping competition policy action by the Federal Trade Commission (FTC) or the Department of Justice. It's also a step that wouldn't take years to implement — which is vital given the current and future costs of Microsoft's efforts to lock government customers into long-term contracts. The longer the government waits, the harder the lock-in will be to reverse.

It can't settle for identifying symptoms. Microsoft's licensing is responsible for a debilitating disease that has infected our government's tech infrastructure. Allowing major government contracts to be awarded to any one company — in this case, Microsoft — is only plausible if procurement officials believe they really don't have any other choice. But we already have the remedies necessary to level the playing field and make enterprise software vendors accountable for weak cybersecurity. Forcing Microsoft to compete fairly is the most important next step to build a better defense against foreign actors. We have multiple tools to create a level playing field. We just need to use them. 

About the Author

Steve Weber

Professor of the Graduate School, UC Berkeley School of Information

Steve Weber works at the intersection of technology markets, intellectual property regimes, and international politics He has published numerous books, including The Success of Open Source and, most recently, Bloc by Bloc: How to Build a Global Enterprise for the New Regional Order, and serves as Professor of the Graduate School, School of Information, UC Berkeley. He has worked with and received research funding from a number of technology firms, including Google and Microsoft.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights