Google claims US government is too reliant on unsecure Microsoft products
The tech giant suggested it might be time for the government to rethink its approach to procurement


Google has called on the US government to rethink its practice of favouring Microsoft when procuring technology, accusing the company of having a reputation for cyber security vulnerabilities and poor user perception.
Repeated cyber security breaches on US government systems have interrupted vital work and cost the taxpayer billions of dollars, said Google Cloud’s Jeanette Manfra, senior director of Global Risk and Compliance, in a blog post.
Manfra, who has spent 20 years in the public sector, most recently as the head of the Cybersecurity and Infrastructure Security Agency (CISA)’s cyber security division, claimed that the government was at a disadvantage due to its approach to procurement and an over-reliance on Microsoft products.
She pointed to a recent Google poll of 2,600 US government workers, which found that the majority of those surveyed reported being “very” concerned about cyber attacks against their employers in the coming years. Most of those surveyed (80%) also said that recent attacks, like the SolarWinds breach, have them concerned about their personal data and privacy, and that of their family members.
Results also showed a lack of satisfaction with legacy software, with over 50% of government workers stating that there are other products or services that could help them do their jobs better.
According to Google's data, around 84% of D.C. metro government employees primarily use Microsoft products at work, including Word, Outlook, Teams, and OneDrive. This is confirmed by another recent study by Omdia, which found that 85% of government employees use Microsoft productivity software.
“This reliance on a single software suite might suggest that these products are safe and secure, but the Public Opinion Strategies survey found that more than half of all respondents said that the government’s reliance on these Microsoft products actually made the federal government more vulnerable to hacking or cyber attacks,” said Manfra.
However, a US Senate report released last August detailed that seven out of eight federal agencies had failed to protect critical data due to inadequate cyber security policies, rather than problems with their systems. It stated that most agencies failed to install security patches quickly enough, and warned that at least seven out of the eight agencies are still using legacy systems that have reached end of life, and no longer receive vendor security patches.
When survey respondents were asked why their employers used Microsoft services, 45% said it was because their employer has always used those products and services and doesn’t want to change, while 55% said it was because they are the most effective at helping them to do their job.
Manfra said that with so many respondents reporting they're dissatisfied with their legacy IT solutions, it may be time for the government to rethink its approach to procurement.
“As governments work to meet the demands and preferences of their constituents—and their employees—it’s clear that there’s an overreliance on legacy solutions, despite a track record of cyber security vulnerabilities and poor user perception,” she added.
IT Pro has contacted Microsoft for comment.
Despite the tech giant criticising Microsoft for its cyber security, it isn't immune to these kinds of threats either. In February, it had to resolve a critical security flaw in Android 12 with its February 2022 Android security update. In the same month, the company had to release another wave of patches for seven high-severity issues affecting Chrome, including one zero-day vulnerability being actively exploited.
A report highlighted in January that Google Drive accounted for the most malware downloads in 2021, taking the top spot from Microsoft OneDrive. It accounted for 37% of all malicious downloads last year, while OneDrive fell to second place with 20% of downloads.
Google Cloud also revealed in November last year that 86% of compromised Google Cloud Platform instances in 2021 led to cryptocurrency miners being dropped into customers' environments. Its customers were heavily targeted by attackers who were attempting to leverage the high levels of compute available to them without having to pay for it.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.