U.S. Senator accuses Microsoft of gross cybersecurity negligence

Gandalf_The_Grey

Thread author
U.S. Senator Ron Wyden has sent a letter to the Federal Trade Commission (FTC) requesting that the agency investigate Microsoft for failing to provide adequate security in its products, which led to ransomware attacks against healthcare organizations.

The Senator opened the formal request by saying that Microsoft should be held "responsible for its gross cybersecurity negligence, resulting in ransomware attacks against critical infrastructure, including U.S. health care organizations."

The Senator highlights Microsoft’s prolonged failure to take decisive action to effectively mitigate well-documented security risks in its products, resulting in attacks such as the 2024 Ascension Health ransomware breach, which compromised data of 5.6 million patients.

The incident, which occurred in May 2024, unfolded when a contractor clicked a malicious Bing Search result in Microsoft Edge, allowing hackers to carry out a “Kerberoasting” attack.
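As an added example, not part of the original post or of any reporting on the incident: the detection logic below looks for the classic Kerberoasting pattern named above, a single user account requesting many distinct service tickets with RC4-HMAC encryption (TicketEncryptionType 0x17) in Windows Security Event 4769 within a short window. The log lines are a constructed key=value rendering of a few 4769 fields, and the account names, SPNs, window and threshold are assumptions chosen for illustration, not values from the page.

```python
"""Flag likely Kerberoasting from constructed Windows Security Event 4769 records.

Heuristic (well known, not taken from the thread): an account that pulls
service tickets for many distinct SPNs using RC4-HMAC (enc type 0x17) in a
short window is behaving like a Kerberoasting tool. RC4 alone is not proof
(legacy apps still use it), so the count of distinct services matters.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = 0x17      # TicketEncryptionType value for RC4-HMAC in Event 4769
KRB_SUCCESS = 0x0    # Status 0x0 = ticket issued

# Constructed sample log (assumed format, not real telemetry): one account
# requesting RC4 tickets for six services in a few seconds, plus benign noise.
SAMPLE_LOG = """\
2024-05-08T09:00:01 EventID=4769 Account=alice@CORP.LOCAL Service=CIFS/fs01.corp.local EncType=0x12 Status=0x0
2024-05-08T09:00:05 EventID=4769 Account=alice@CORP.LOCAL Service=HTTP/intranet.corp.local EncType=0x12 Status=0x0
2024-05-08T09:02:09 EventID=4769 Account=contractor01@CORP.LOCAL Service=krbtgt/CORP.LOCAL EncType=0x17 Status=0x0
2024-05-08T09:02:10 EventID=4769 Account=contractor01@CORP.LOCAL Service=MSSQLSvc/db01.corp.local:1433 EncType=0x17 Status=0x0
2024-05-08T09:02:11 EventID=4769 Account=contractor01@CORP.LOCAL Service=MSSQLSvc/db02.corp.local:1433 EncType=0x17 Status=0x0
2024-05-08T09:02:11 EventID=4769 Account=contractor01@CORP.LOCAL Service=HTTP/reports.corp.local EncType=0x17 Status=0x0
2024-05-08T09:02:12 EventID=4769 Account=contractor01@CORP.LOCAL Service=svc_backup EncType=0x17 Status=0x0
2024-05-08T09:02:12 EventID=4769 Account=contractor01@CORP.LOCAL Service=svc_sharepoint EncType=0x17 Status=0x0
2024-05-08T09:02:13 EventID=4769 Account=contractor01@CORP.LOCAL Service=svc_monitor EncType=0x17 Status=0x0
2024-05-08T09:30:00 EventID=4769 Account=WS042$@CORP.LOCAL Service=LDAP/dc01.corp.local EncType=0x17 Status=0x0
2024-05-08T10:15:00 EventID=4769 Account=bob@CORP.LOCAL Service=MSSQLSvc/db01.corp.local:1433 EncType=0x17 Status=0x0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4769 Account=(?P<account>\S+) Service=(?P<service>\S+) "
    r"EncType=(?P<enc>0x[0-9a-fA-F]+) Status=(?P<status>0x[0-9a-fA-F]+)$"
)


def parse_4769(line):
    """Parse one constructed 4769 line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "account": m["account"],
        "service": m["service"],
        "enc": int(m["enc"], 16),
        "status": int(m["status"], 16),
    }


def is_candidate(ev):
    """Keep only successful RC4 service-ticket requests made by user accounts."""
    user = ev["account"].split("@", 1)[0]
    if user.endswith("$"):                            # machine accounts: ignore
        return False
    if ev["service"].lower().startswith("krbtgt"):    # TGT traffic, not an SPN
        return False
    return ev["enc"] == RC4_HMAC and ev["status"] == KRB_SUCCESS


def detect_kerberoasting(log_text, min_distinct_spns=5, window=timedelta(minutes=10)):
    """Return {account: sorted distinct services} for every account that requested
    at least `min_distinct_spns` distinct RC4 service tickets inside one `window`."""
    by_account = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_4769(line)
        if ev and is_candidate(ev):
            by_account[ev["account"]].append(ev)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()        # sliding window of events within `window`
        best = set()            # largest distinct-SPN set seen in any window
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            spns = {e["service"] for e in recent}
            if len(spns) > len(best):
                best = spns
        if len(best) >= min_distinct_spns:
            alerts[account] = sorted(best)
    return alerts


if __name__ == "__main__":
    for account, spns in detect_kerberoasting(SAMPLE_LOG).items():
        print(f"ALERT {account}: {len(spns)} RC4 service tickets: {', '.join(spns)}")
```

The threshold and window are starting points to tune against your own baseline; the single RC4 request from `bob` (a plausible legacy application) and the machine account stay quiet, while the burst from `contractor01` trips the rule. In production you would also enrich with the requesting client address and whether the target accounts are service accounts with weak or old passwords, since those are what an attacker cracks offline.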
 
Like everything, it needs govt regulation. For example if there were no FIPS, gov't outsourced outfits can use whatever they want. And if Russia comes hacking, they could just shrug their shoulders. There should be some regulation for OS vendors for maintaining cyber readiness.
 
The U.S. Senator's request to the Federal Trade Commission (FTC) goes against all U.S. and international laws governing accountability and responsibility for incidents. It is ALWAYS the user's accountability and responsibility for the security of their infrastructure and networks, unless there is a contract and a shared responsibility matrix. Even then, the client is accountable and responsible for all items outlined in the contracts and agreements.

That U.S. Senator is a moron.

How can a software publisher or provider be made accountable or responsible for the actions of inept administrators and users? To suggest anything other than "That cannot be done, ever. Unless there is a contract that makes them responsible." is idiocy.

Like everything, it needs govt regulation.
Some things do. Some things do not. With any government regulation there comes significant operating costs and the government is not going to pay those costs, generally.

For example if there were no FIPS
FIPS applies only to U.S. federal executive agencies, contractors, and partners.

The U.S. federal government does not enforce FIPS onto itself at all. It barely enforces compliance by contractors or partners.

If the U.S. Government is going to begin robust enforcement, then it will have to develop an assessment and enforcement framework that will result in very high costs for contractors and partners. In those cases, those very high costs are considered "overhead" and the costs passed along to the U.S. Government, within limits, as long as the contractors or partners have the type of contracts that permit the billing of those costs to the U.S. Government.

For contractors that have fixed-price contracts, they are beat. They have to pay the regulatory expenses themselves and cannot bill the U.S. Government. Most will tell the U.S. Government to FO and either break the contract or just not comply and refuse to renew at the next contract solicitation.

The U.S. Government, like any other government, is notorious for non-enforcement of contract terms and requirements.

Imposing and enforcing cybersecurity regulations on any digital product or service provider will never be practical, let alone is there the political or societal will to do it.
 
I half agree, I think Microsoft is more concerned with eye candy than it is with security, but if you regulate it and get government involved it will get a whole lot worse than it already is.
 
The U.S. federal government does not enforce FIPS onto itself at all. It barely enforces compliance by contractors or partners.
According to what I have read, the DoD documents say everything has to check out, or you don't get on their network, or they unplug you.

But then, you are saying it is just an ordinary rubber stamp process. I hope to god it is not true.
 
According to what I have read, the DoD documents say everything has to check out, or you don't get on their network, or they unplug you.

But then, you are saying it is just an ordinary rubber stamp process. I hope to god it is not true.

I would probably go with the latter. Government equipment, especially when it comes to electronics, is so antiquated it is not even funny.
 
the DoD documents say everything has to check out
To cite some concrete requirements that you can read, the PCI-DSS (Visa, MasterCard ...) document says: you have to use an approved vuln scan company to scan your org once every quarter. And you also have to have a penetration test done at least once a year, and after every major IT change. The results have to be handed in. The DoD is more stringent. For example, vuln mgmt has to collect KPIs (key performance indicators) and the results have to be handed in. The vuln scanners and the patchers are 2 different teams, such that one doesn't validate one's own work. The vuln scanners rate the severity, and the target days for patching are pre-defined by severity level. And the patchers concentrate on doing their thing. If a patch is not doable, then compensating security controls need to be set up, with an expiry date. Everything is checked, and sound vuln mgmt is considered an indicator of DoD's cyber readiness. There are other methods of security assessment. And if you fail they pull the network plug on you.
 
According to what I have read, the DoD documents say everything has to check out, or you don't get on their network, or they unplug you.
No. That is not how the DoD does things.

For data exchange, the DoD generally uses DoDSAFE.

For incident reporting it requires a medium assurance certificate.

For contracts that include access to DoD facilities or networks, there are requirements that must be met, but not in the context of your premise.

But then, you are saying it is just an ordinary rubber stamp process. I hope to god it is not true.
The DoD performs its own assessments of contractor systems. The type of assessment is determined by the contract type, sensitivity classification of the data handled by the contractor, and other variables.

I never said that it was a rubber stamp process. What I said was that the U.S. Government does not do strict enforcement.

PCI-DSS (Visa, Master Card ... )
PCI-DSS is a voluntary, payment card industry standard that serves as a guideline. It is required by the industry only for organizations that conduct payment card operations.

The DoD is more stringent.
No. It is not.

And if you fail they pull the network plug on you.
That, generally, is not how it works.

The DoD is notorious for non-enforcement of requirements.
 
PCI-DSS is a voluntary, payment card industry standard that serves as a guideline. It is required by the industry only for organizations that conduct payment card operations.
Just so people who do not know, and stop them from going down the rabbit hole...

Clarification: PCI-DSS is mandatory for payment card industry organizations, but they must adopt it voluntarily because PCI-DSS is imposed as a contractual obligation. Entering into a contract and its requirements is always a voluntary process; no one is compelled by force of law or otherwise to enter into a contract. It is MasterCard, VISA, American Express, etc that make it obligatory within its contracts with payment card processors, white label bank card firms, etc.

PCI-DSS is not typically a matter of regulatory law.
 
@bazang

The PCI-DSS contract may be voluntary, but who doesn't accept credit cards? So it might just as well be considered a 'must be followed' regulation. The contract makes it more than just a guideline.

As for the DoD, they have many checks and balances and on-going exercises to maintain cyber readiness. Why do you say they are not stringent?

The DoD can pull the network plug on you if you pose a severe security risk to the DoD.
 
Don't get your meaning. Can you elaborate?
I apologize; it might seem like the comment was aimed at you, but it wasn't. It was meant for the person you were replying to. The direct reply to you was: "It's Not". The rest was for the other user who claimed that it's just rubber stamped.

Sorry I should be clearer since words matter and wars were started over less.

edit: On the second thought let me remove my original reply since it does seem very mean spirited.
 