In the wake of a recent ransomware attack that impacted critical infrastructure across the United States, most notably affecting Ascension Healthcare, US Senator Ron Wyden has called for an investigation into Microsoft's cybersecurity practices. Citing what he described as the delivery of 'dangerous, insecure software' to government and critical infrastructure entities, Wyden has urged the Federal Trade Commission (FTC) to look into these allegations. His concerns primarily center around the inadequate cybersecurity measures and potential national security threats posed by these actions.
Allegations of Negligence
Senator Wyden's request for investigation is grounded in an alarming scenario that unfolded when a contractor associated with Ascension Healthcare unwittingly clicked a malicious link after conducting a search using Microsoft's search engine. This action resulted in the contractor's laptop being compromised. The exploitation was further facilitated by what Wyden describes as insecure default settings within Microsoft software, allowing hackers to gain highly privileged access to Ascension's network.
The technique employed in the attack, known as 'Kerberoasting,' took advantage of legacy encryption technologies like RC4, which Microsoft continues to support. In his letter to FTC Chairman Andrew Ferguson, Wyden expressed grave concerns over the implications these outdated encryption protocols could have on national security.
Microsoft's Response
In response to these allegations, a Microsoft spokesperson acknowledged the outdated nature of RC4 but pointed out its minimal traffic impact, representing less than 0.1% of their systems. They highlighted the potential for significant disruptions were RC4 to be entirely disabled, noting that this could result in breaking many existing customer systems.
Microsoft has indicated a strategy of gradually reducing RC4 use, which includes issuing warnings and providing guidance to their customers. Furthermore, Microsoft has been in dialogue with Senator Wyden's office to address these concerns directly, reaffirming their commitment to bolstering cybersecurity measures.
Despite these reassurances, the potential ramifications of Wyden's calls for FTC intervention underscore the serious nature of cybersecurity and the challenges faced by tech giants operating with expansive enterprise influence. As the situation develops, the industry will be closely watching how Microsoft adapts its cybersecurity protocols in response to these accusations and the looming threat of compromised national security.
