ICYMI: Microsoft Responds to House Committee on Homeland Security Members’ Call to Fix the Company’s Cascade of Security Failures with – Just “Trust Us”

WASHINGTON, D.C. – In case you missed it, today, Microsoft Vice Chairman and President Brad Smith testified in front of the House Committee on Homeland Security after federal agencies were attacked by Chinese state-affiliated hackers last May.

The Coalition for Fair Software Licensing (CFSL) Executive Director Ryan Triplette released the following statement in response to the hearing. 

“Today’s hearing again showed the broad consequences of Microsoft’s restrictive software licensing practices: customers locked into insecure technology and a corporate culture that prioritizes profits over security. These failures contributed to high-profile cyberattacks and breaches, including attacks that have jeopardized our national security.

“According to the Department of Homeland Security (DHS)’s Cyber Safety Review Board report, Microsoft’s security failings were, in part, a result of the company’s licensing tactics. Despite this fact, and concerns from global customers and competitors, Microsoft refuses to change its restrictive licensing behavior. 

“The Coalition for Fair Software Licensing urges the Federal Trade Commission to hold the company accountable and open an investigation into Microsoft’s licensing practices.”

During the hearing, members of Congress questioned Smith on the significant harms posed by the company’s neglectful cybersecurity practices. Much of the questioning focused on the ProPublica whistleblower report published this morning, which revealed that a Microsoft employee notified the company in 2016 of the vulnerability that allowed Russian actors to access U.S. government agencies during the SolarWinds attack years later. Despite repeated concerns and acknowledgment of the seriousness of the vulnerability, Microsoft did nothing. Key excerpts from the hearing are below.

“The company provides an estimated 85% of the productivity software used by the federal government. … Moreover, a reported 25 to 30% of government revenue comes from noncompetitive contracts, at least in part due to the terms of its licensing agreements,” said Ranking Member Bennie Thompson (D, MS-02). “Turning to the report’s findings, the CSRB determined that last summer’s intrusion was ‘preventable and never should have occurred.’ Additionally, it found that ‘Microsoft’s security culture was inadequate and requires an overhaul.’ As someone responsible for overseeing the security of federal networks that rely heavily on Microsoft, and as a user of Microsoft products myself, I found these observations deeply troubling.”

“How do you ensure that your bundling practices do not limit the ability of customers to prioritize security?” asked Rep. Delia Ramirez (D, IL-03). 

“I’m aware of the Department of Defense (DoD)’s cyber challenges and needs. The recent cyber attacks impacting Microsoft demonstrate how vulnerabilities within a single vendor can be exploited to gain access to sensitive information and systems, potentially compromising national security,” said Rep. Dale Strong (R, AL-05). “Can you please explain, from your perspective, the risk posed by the DoD’s reliance on a single source vendor?”

“When you, or one of your representatives, testified before the committee in the aftermath of the SolarWinds breach, they explained that ‘everything that we do is designed to generate a return, other than philanthropic work.’ The State Department paid for extra logging, generating a profit for Microsoft, and ultimately using these logs to detect this attack, but not every customer had that logging capability enabled,” said Rep. Troy Carter (D, LA-02). “Last summer, Microsoft finally announced that it would provide free logging to customers and in February made those logs available for all federal customers. Why did it take so long to make this decision?”

U.S. lawmakers are not the only regulators scrutinizing Microsoft. Over the past several months, there has been increasing global momentum to stop Microsoft’s anticompetitive and dangerous practices.

  • In May 2024, the Spanish National Markets and Competition Commission (CNMC) opened a public consultation on cloud services in response to a complaint by the Asociación Española de Startups (Spanish Startups Association, AES) regarding Microsoft’s anticompetitive cloud practices. 
  • In February 2024, the European Commission announced it was probing Microsoft for preventing customers from using competitors’ services, including cybersecurity solutions. 
  • In October 2023, the U.K. Competition and Markets Authority (CMA) announced a market investigation, including an examination of restrictive software licensing. The CMA’s interim reports, released in June 2024, found that “Microsoft’s licensing practices may affect customers’ choice of cloud provider.”
  • In July 2023, the European Commission opened a formal investigation into the company’s tying of Teams with Office 365 and Microsoft 365. 
  • In June 2023, CFSL described Microsoft’s anticompetitive licensing practices in a comment responding to the Request for Information by the U.S. Federal Trade Commission (FTC) on business practices in cloud computing.
  • In March 2023, German antitrust regulators opened an investigation into the disproportionate power of Microsoft’s digital ecosystem across markets. 

About the Coalition for Fair Software Licensing

The Coalition for Fair Software Licensing is a North American-based initiative seeking to unlock greater customer choice, innovation, and security in the cloud by advocating for the Principles of Fair Software Licensing. Our members span a cross-section of key industries, including healthcare companies, financial services businesses, as well as cloud and cybersecurity providers – each one has experienced or been exposed to anticompetitive and abusive software licensing practices in the cloud. Together, we are taking a stand against these predatory practices by advocating for the Principles of Fair Software Licensing to ensure more choice, innovation, and security in the cloud. To learn more about the Coalition for Fair Software Licensing, please visit FairSoftwareLicensing.com.

As a healthcare software provider, our ability to utilize the cloud provider of our choice impacts more than just our business – it affects the health and well-being of patients everywhere. Restrictive software licensing imposes real-world threats like pricing increases that directly influence how we are able to assist healthcare providers and the patients they serve. We support the Principles of Fair Software Licensing to protect both cloud customers and the communities they serve.

Healthcare Technology Company
