By Julio Rivera

In critiquing the federal government’s anti-competitive technology procurement process, many of my peers in cybersecurity analyst circles frequently quote famed economist Milton Friedman, who once said that “The great danger to the consumer is the monopoly, whether private or governmental.”

Indeed. Although few (if any) industries have more marketplace competition than the tech world, the government seems adamant about taking an “if it’s not broken, don’t fix it” approach to choosing the software it uses — even when said software is indeed broken.

For proof, look no further than last week’s findings from the U.S. Department of Homeland Security’s Cyber Safety Review Board, which found that the security culture of Microsoft — which the government effectively granted a monopoly to decades ago — requires a complete overhaul.

In Fiscal Year 2023, the U.S. government gave Microsoft nearly $500 million, cementing it as the company that 84% of D.C. metro employees primarily use, despite more than 50% of government employees saying that the government’s reliance on Microsoft’s productivity technology makes them more vulnerable to hackings and other security concerns.

The Cyber Safety Review Board’s findings demonstrate that, as is often the case, the consumers — the users of this technology — know what they’re talking about here, far more than the government bureaucrats who mandate the use of this technology do.

The board found that Microsoft’s negligence was squarely responsible for a Chinese government-affiliated hacking last year, which, according to the board, “never should have happened.” Flaws in Microsoft’s authentication system allowed these Chinese hackers to sign into “essentially any Exchange Online account anywhere in the world.”

This unfettered access to nearly every Microsoft account in the country allowed them to breach the e-mails of multiple federal agencies, including that of Commerce Secretary Gina Raimondo, right before she flew to a meeting she had scheduled with the Chinese government.

This CCP attack wasn’t the first significant hacking of Microsoft by an adversarial nation, and, as recent news has demonstrated, it was not the last either.

A March report found that Russia’s SVR foreign intelligence service used data from hacking core Microsoft software to compromise some of the company’s internal systems in January. To date, Microsoft has yet to catch or evict said hackers.

All told, criminals have exploited over 280 Microsoft software vulnerabilities over the last 22 years. Where is the outrage? Where are the calls from Congress for more oversight and operational changes?

Why isn’t the government adding more contractors to its list of providers, or, at the very least, why isn’t it threatening to do so if Microsoft doesn’t begin hitting more aggressively set cybersecurity benchmarks and protocols?

The truth is that even if Microsoft did everything right, it would likely still experience some cybersecurity pain points.

Last year, America witnessed a 72% increase in data breaches since 2021, making it difficult for even the most vigilant companies to stay 100% ahead of hackers’ curve. But Microsoft doesn’t seem to be improving despite the government’s massive investment in the company.

But in this instance of government spending and possible cronyism gone wild, we mustn’t blame the company solely for repeated failure but rather the government officials who are signing off on the payout. With a fat $500 million annual check all but guaranteed and few government officials calling on Microsoft to improve, why would it ever feel compelled to do so?

Innovation in the tech industry continues to evolve on a daily and, in many cases, even hourly, basis. This is especially true when it comes to cybersecurity, an area that analysts project realized an 11% increase in investments last year, making it a $188 billion business.

That makes all entities, individuals, and even singular devices potential targets on the “dark web.”

The time is now for Congress to tell the dinosaurs at Microsoft to either begin innovating with the rest of its peers or get left behind — because when it comes to tech, the government has options, and it’s high time it begins exercising more of them.


Julio Rivera is a business and political strategist, cybersecurity researcher, and a political commentator and columnist. His writing, which is focused on cybersecurity and politics, is regularly published by many of the most respected news organizations in the world.