Federal Investigation Requested into Microsoft’s Cybersecurity Practices
JAKARTA – On Wednesday, September 10, U.S. Democratic Senator Ron Wyden urged the Federal Trade Commission (FTC) to undertake a comprehensive investigation into Microsoft’s accountability regarding a spate of prominent cybersecurity breaches that have transpired in recent years.
In a compelling letter addressed to FTC Chairman Andrew Ferguson, Wyden characterized Microsoft’s handling of cybersecurity as an ongoing menace to U.S. national security, attributing this peril to “egregious cybersecurity negligence.”
Wyden pointed to a series of ransomware assaults targeting essential infrastructure, notably health organizations in the United States, which were exacerbated by default configurations within the Windows operating system.
“At present, Microsoft resembles an arsonist who profits by offering fire services to its victims,” Wyden said. He further criticized the corporation’s near-monopolistic position in the IT sector, asserting that governmental bodies and businesses alike are essentially coerced into using its products.
A spokesperson for the FTC confirmed receipt of Wyden’s correspondence but refrained from providing further commentary.
Wyden cited a particularly egregious ransomware incident in May 2024, in which the Ascension hospital network reported the breach of medical and insurance data affecting nearly 5.6 million individuals.
According to Ascension, the compromise began when a contractor using an Ascension-issued laptop inadvertently clicked a malicious link originating from Microsoft’s Bing search engine.
This action permitted hackers to infiltrate the company’s network and ultimately gain access to Microsoft Active Directory servers, which are instrumental in user account management.
According to Wyden, Microsoft’s continued use of antiquated encryption such as RC4, alongside its default configurations, significantly undermines cybersecurity defenses, as exemplified in the Ascension case. He criticized the corporation for its insufficient efforts to educate clients on mitigating these vulnerabilities.

In response, a Microsoft spokesperson asserted that RC4, the encryption standard singled out by Wyden, is obsolete and accounts for less than 0.1% of the company’s traffic. While the firm actively encourages clients to abandon RC4, the spokesperson noted that complete deactivation of the standard could disrupt customer systems.
Microsoft intends to deactivate RC4 by default across various Windows products commencing in the first quarter of 2026, while also offering “additional mitigation measures” for legacy systems, as conveyed by the spokesperson.
Previously, Wyden has advocated for a federal investigation into Microsoft’s involvement in cyberattacks, particularly following revelations in July 2023 that hackers associated with China infiltrated thousands of U.S. officials’ email accounts.
Source link: Voi.id.