Ex-White House Cyber, Counter-Terrorism Guru: Microsoft Considers Security an Annoyance, Not a Necessity

China's ability to p0wn Redmond's wares 'gives me a political aneurysm'

Roger Cressey served two US presidents as a senior cybersecurity and counter-terrorism advisor and currently worries he'll experience a "political aneurysm" due to Microsoft's many security messes. In the last few weeks alone, Microsoft disclosed two major security vulnerabilities – along with news that attackers exploited one involving SharePoint as a zero-day. The second flaw, while not yet under exploitation, involves Exchange server – a favorite of both Russian and Chinese spies for years.

Cressey, who served in the Clinton and Bush administrations, prefers to call it "a $4 trillion monster." "And from a national security perspective, this really bothers me," Cressey, now a partner with Liberty Group Ventures, told The Register. "The Chinese are so well prepared and positioned on Microsoft products that in the event of hostilities, we know for a fact that Chinese actors will target our critical infrastructure through Microsoft products for two reasons," he said. "One: [Microsoft products] are everywhere within our digital ecosystem. And two: they are so vulnerable that the Chinese familiarity of them makes it a door already open. So that's what gives me the political aneurysm here."

Prior to spending several years in the White House, Cressey served in the departments of Defense and State. He's worked in the private sector as a counterterrorism professor and cybersecurity consultant since 2001.

"This is the latest episode of a decades-long process of Microsoft not taking security seriously. Full stop," Cressey said, acknowledging that the government continues spending billions on Microsoft products. "Anytime there's a major announcement of a Microsoft procurement by the government, the happiest people in the world first are in Redmond and second in Beijing."

Microsoft declined to comment for this story, but did point out that Google Cloud is a client of Cressey's in his consulting work.

Cressey isn't the first to point out that Microsoft's poor security record has national security implications.

AJ Grotto, another former senior White House cyber policy director, called Redmond's security failures a national security issue and said they date back at least to the SolarWinds hack.

"Groundhog Day … but with national security implications," Cressey said. "They resurface after every major breach … and then nothing changes."

CrowdStrike Senior VP of Counter Adversary Operations Adam Meyers told The Register the same thing and likened Microsoft's stranglehold on government tech to the mafia shortly after Redmond's January 2024 admission that Russia's Cozy Bear had, once again, broken into its network.

In June 2024, US lawmakers questioned Microsoft President Brad Smith about his company's business in China during a Congressional hearing about a Homeland Security report that blasted Microsoft for a series of "avoidable errors." These errors, the investigation found, allowed Beijing-backed cyberspies to steal tens of thousands of sensitive emails from the Microsoft-hosted Exchange Online inboxes of high-ranking US government officials.

At the time, however, Smith defended Microsoft, which he claimed to be above the rule of law – in China, at least. National intelligence laws in China can be used to force companies operating there to provide snooping services for the government, or hand over proprietary code if pressured to do so. But Smith claimed Microsoft doesn't have to comply with that.

Frequent Microsoft critic US Senator Ron Wyden (D-OR) told us that "government agencies have become dependent on a company that not only doesn't care about security, but is making billions of dollars selling premium cybersecurity services to address the flaws in its products."

The US Energy Department, including its National Nuclear Security Administration (NNSA), which maintains America's nuclear weapons, was among the 400-plus victims in this most recent mass exploitation of a Microsoft product.

"Why are we allowing this company to have such major touch points within our national security infrastructure?" Wyden continued. "Each hack caused by Microsoft's negligence results in increased government spending on Microsoft cybersecurity services. The government will never escape this cycle unless it stops rewarding Microsoft for its negligence with bigger and bigger contracts."

"There is no indication that Washington, or Microsoft, is changing," Cressey said.

"Microsoft has got to be better at what it does," Cressey said. "At the end of the day, we as a nation are suffering because the number one software company we rely upon continues to treat security as an annoyance and not a necessity."