The Cybersecurity 202: Wyden calls for ‘time out’ in government cybersecurity contracting


“I’m going to do everything I can to stop the government just from shoveling out money in hundreds of millions of dollars in new government contracts,” Wyden told me when I asked about Microsoft, adding that the government needs “to shore up problems with the insecure software that they already sold the government.” 

Wyden thinks it’s time for the government to broadly reevaluate how it buys and reviews software. 

That could spell trouble for companies including Microsoft and Amazon, which have competed for contracts throughout the federal government worth billions of dollars. The government needs to get much smarter about how it buys software and other IT products, Wyden said. (Amazon CEO Jeff Bezos owns The Washington Post.)

“I think it is just outrageous that the government doesn’t consider cybersecurity when it decides what to buy,” Wyden said. “Why is everybody so surprised this country has a bunch of insecure junk?”

Wyden has powerful allies in the House, including Homeland Security Committee Chairman Bennie Thompson (D-Miss.) and Rep. Yvette D. Clarke (D-N.Y.), chair of the Homeland Security Committee’s cyber subcommittee.

“The federal government is in a difficult position. Over time, it has come to rely on Microsoft products in a way that would make any significant change expensive and time consuming,” they said in a statement. “Moving forward, the federal government should reassess whether more should be expected of Microsoft as a security partner, given its footprint in federal networks.”

“That said, federal agencies are trying to close security gaps that exist today and our focus needs to be on identifying high-priority investments that will yield real security benefits,” they said.

Wyden’s scrutiny comes at a critical moment for Microsoft. 

Microsoft President Brad Smith repeatedly testified this past month on Capitol Hill as the company came under pressure to answer for its role in the fallout of the SolarWinds attack, in which hackers were able to infiltrate Microsoft systems, and the Microsoft Exchange breach, which exposed vulnerable clients’ servers to hackers.

Yet at the same time, Microsoft is set to reap $150 million in funding for a “secure cloud platform” from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), Reuters reported this week. That contract would eat up nearly a quarter of the money that Congress gave the agency in a coronavirus relief package this month. 

Microsoft spokeswoman Rachel Tougher directed The Cybersecurity 202 to CISA when asked about the funding.

“We intend to improve cloud security across the federal government, as well as increase the visibility that CISA and other agencies have into federal civilian cloud environments,” CISA spokesman Scott McConnell said in a statement. “One component of our approach may be to explore upgrading licenses from existing vendors, but there are a number of additional options that we are considering as well.”

The company’s $10 billion JEDI cloud-computing deal with the Pentagon is also at risk as challenges to the deal make their way through the courts. 

Microsoft’s competitors have taken notice that the company is playing defense on cybersecurity. 

Google blasted Microsoft’s handling of the Exchange hack last week, with an executive writing in a blog post that “Microsoft was warned about the vulnerabilities in their system, knew they were being exploited, and are now doing damage control while their customers scramble to pick up the pieces.” 

The executive also blasted Smith’s appearance at a House antitrust hearing on the news media, where he criticized Google, as a distraction from the breach.

Steven Adair, president of cybersecurity firm Volexity, which notified Microsoft of two of the four Microsoft Exchange exploits, said that his firm tracked malicious activity back to early January, while Taiwanese researchers identified software bugs as early as December, my colleague Ellen Nakashima reported this month. At least 30,000 public and private U.S. organizations were affected by the Microsoft Exchange hacks, U.S. officials and people familiar with the matter told Ellen. 

Microsoft spent $9.4 million on Washington lobbying last year, according to a Cybersecurity 202 analysis of lobbying filings. 

Tougher, the Microsoft spokeswoman, declined to comment on Wyden’s call for a review of IT spending, and directed us to Smith’s written testimony criticizing Google.  

The two major hacks could also have regulatory consequences for the entire tech industry. 

Wyden also says the hacks are increasing pressure on Congress to pass federal privacy legislation. Washington is “one more privacy disaster away” from the kind of environment where major privacy legislation could get to the floor of the Senate, Wyden said. He introduced such legislation in 2019 but it did not gain any momentum on Capitol Hill. Wyden said he plans to reintroduce his proposal in the “next few weeks.”

Some hacking groups have already taken advantage of the chaos surrounding the Microsoft Exchange flaw, with U.S. law enforcement agencies and researchers warning that some could steal data obtained in the hacks and hold it for ransom.

“We anticipate threat actors will leverage this vulnerability to obtain access to victim environments and conduct multifaceted extortion involving ransomware, data theft and victim shaming,” Charles Carmakal, senior vice president and chief technology officer of FireEye Mandiant, said in a statement.

The keys

American and Chinese officials traded barbs on cyberattacks as they met in Alaska.

The Biden administration’s first face-to-face meeting with Chinese officials involved a testy exchange over cybersecurity and other issues, John Hudson reports. The remarks came during the first day of meetings between Secretary of State Antony Blinken; China’s top diplomat, Yang Jiechi; and other officials.

When Blinken vowed to raise the issue of recent Chinese cyberattacks, Yang called the United States the “champion” of cyberattacks, Bloomberg reports.

The three scheduled meetings over the next two days “will be pretty tough,” a senior administration official said. China has indicated it would like to see Trump administration sanctions, including those on Chinese technology and chip companies, lifted. U.S. officials said they planned to discuss issues that Beijing has called “internal matters,” like Taiwan and its treatment of Uyghur Muslims.

The Senate confirmed longtime diplomat William J. Burns as CIA director.

Burns was confirmed at a moment of heightened tensions between the United States and Russia, Shane Harris reports. The former U.S. ambassador to Russia will begin work in the wake of the SolarWinds supply-chain hack and the Microsoft Exchange hacks. 

At his confirmation hearing, Burns called the SolarWinds cyberattack, which the U.S. intelligence community says was conducted by Russia, a “very harsh wake-up call” about vulnerabilities in critical infrastructure and supply chains. Burns also warned that China and Russia have an “aggressive determination” to take advantage of those weaknesses.

A government watchdog said that U.S. electrical grids are increasingly vulnerable to cyberattacks.

The part of the energy grid that carries electricity to consumers faces increasing risk, the Government Accountability Office warned in a report, and such an attack could have significant national implications. Hackers have different weapons in their arsenals, including going after supply chains, GPS-enabled devices and networked devices that Americans plug in to the grid, like electric vehicles and charging stations.

The report came as the House Homeland Security Committee advanced bipartisan legislation to give the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency the government’s lead role in identifying and mitigating threats to industrial control systems. The bill was proposed in the wake of an attempted attack on a water treatment plant in Florida.

Chat room

Reporters disagreed on the implications of the indictment of Swiss hacker Till Kottmann, who said he hacked surveillance camera company Verkada. NBC News’ Kevin Collier and The Record’s Catalin Cimpanu:

Researcher @Donk_Enby, who is best known for scraping right-wing social media network Parler:

Daybook

  • The House Energy and Commerce Committee holds a hearing on infrastructure legislation on Monday at 11 a.m.
  • Acting Cybersecurity and Infrastructure Security Agency director Brandon Wales discusses ransomware at an event hosted by Auburn University’s McCrary Institute on Monday at 1:30 p.m.
  • Dmitri Alperovitch, chairman of the Silverado Policy Accelerator who previously co-founded cybersecurity company CrowdStrike and worked as its chief technology officer, discusses Russian cyberattacks at an event hosted by the Center for Strategic and International Studies on Thursday at 9:30 a.m.
