A recent interview with AJ Grotto, former White House senior director for cybersecurity policy, shed light on the security risks posed by Microsoft's overwhelming dominance in the government IT market. As Grotto notes, Microsoft controls a staggering 85% share of federal productivity software and an even higher portion of operating systems. This gives Microsoft significant leverage over the government and limited incentive to prioritize security.
The risks of this dynamic have become alarmingly clear in the wake of major breaches like the SolarWinds hack, where Microsoft initially resisted providing adequate logging capabilities to agencies. Grotto argues Microsoft has the government "locked in" due to high switching costs, allowing it to pass on security risks to federal customers.
Grotto goes as far as to call Microsoft a "national security threat," given the potential for a single flaw in its ubiquitous products to compromise systems across the government at once. I tend to agree with this assessment. If 85% of government systems relied on a single power utility or financial network, major vulnerabilities in that provider would undoubtedly be deemed threats to national security. Why should we treat over-reliance on Microsoft any differently?
So, what can be done?
In the short term, agencies can look to solutions like Virtru's end-to-end encryption to help mitigate risks within their Microsoft environments. By encrypting sensitive emails and files at the object level, so that each message or document is individually protected and decrypted only by authorized recipients, Virtru could provide an extra layer of defense even if the underlying Microsoft systems are breached; that protection holds as long as the decryption keys are managed outside the compromised platform rather than within it. Virtru's access controls and cross-platform capabilities could also support secure collaboration and a more diverse IT ecosystem.
In the long term, as Grotto rightly points out, the government must focus on increasing competition and reducing dependence on a Microsoft monoculture. Supporting alternatives like Google Workspace and open-source solutions could provide much-needed resilience through diversification. Virtru's encryption could help ease this transition by serving as a consistent security layer across platforms.
The government can further increase pressure on Microsoft by requiring more rigorous, independent security audits of its products, especially after major incidents. Congressional hearings and media scrutiny also have a role to play in holding the company accountable.
However, I agree with Grotto that such measures will likely have limited impact without addressing the underlying market incentives and the government's vendor lock-in. More must be done to support a vibrant, competitive public sector IT market. Solutions like Virtru can help manage risks in the interim, but are not a substitute for structural change.
With the Biden administration having a limited window before the coming election, we can only hope that serious efforts to diversify government IT take hold over the next few months. At minimum, policymakers must recognize the magnitude of the national security risk posed by Microsoft's dominance and begin laying the groundwork for a more secure, competitive landscape.
Leveraging encryption solutions like Virtru can help chart a path to a more resilient future, but the status quo is no longer tenable.