Google Cloud Security Exec: Government Reliance on Microsoft Is a Security Vulnerability (nbcnews.com) 64
"Google is taking aim at Microsoft's dominance in government technology and security," reports NBC News:
Jeanette Manfra, director of risk and compliance for Google's cloud services and a former top U.S. cybersecurity official, said Thursday that the government's reliance on Microsoft — one of Google's top business rivals — is an ongoing security threat.
Manfra also said in a blog post published Thursday that a survey commissioned by Google found that a majority of federal employees believe that the government's reliance on Microsoft products is a cybersecurity vulnerability. "Overreliance on any single vendor is usually not a great idea," Manfra said in a phone interview. "You have an attack on one product that the majority of the government is depending on to do their job, you have a significant risk in how the government can continue to function."
Microsoft pushed back strongly against the claim, calling it "unhelpful." The study comes as Google is positioning itself to challenge Microsoft's dominance in federal government offices, where Windows and Office programs are commonly used....
The blog post comes as hackers continue to discover critical software vulnerabilities at an increasing pace across major tech products, but especially in Microsoft programs. Last year, researchers discovered 21 "zero-days" — an industry term for a critical vulnerability that a company doesn't have a ready solution for — actively in use against Microsoft products, compared to 16 against Google and 12 against Apple. The most prominent zero-day was used against Microsoft's Exchange email program, which cybersecurity experts say was first employed by Chinese cyberspies and then quickly adopted by criminal hackers, leading to hundreds of companies becoming compromised.
Rich, coming from Google. (Score:4, Informative)
I'm sure there's some "In Soviet Russia" joke material here but it's just not funny anymore.
Re:Rich, coming from Google. (Score:5, Insightful)
The world's reliance on Google is also a giant privacy vulnerability as well, but that doesn't stop us from letting them suck up all of our browsing and search history for freakishly personalized advertising.
Re: (Score:3)
Many others are. Their search engine is ubiquitous, as is their browser, and their email system is relied on worldwide as a fallback system if not the primary business email.
Re: (Score:2)
Re: (Score:1)
They actually don't say that anymore. It was "don't be evil" but they removed that phrase from the document that contained it shortly after the big debacle about the Google Maps cars getting caught wardriving.
Pot... kettle... black (Score:5, Insightful)
We The People to the government: reliance on unaccountable, unchecked, big data ultra-monopolies for your cloud services is a security vulnerability.
Re: (Score:1)
Re:Pot... kettle... black (Score:5, Insightful)
That's a legitimate point. Clearly reliance on Microsoft is unwise. In fact I'd go so far as to say reliance on ANY single source product is unwise. (Of course, this includes Google.)
It used to be basic business sense that one should never become dependent on any single source product.
Re:Pot... kettle... black (Score:4, Interesting)
Nice thought, but in current practice it is unhelpful. The problem with second sources is that they don't conform to the same standards as your go-to widget. Part of this is the abhorrence to government standards and regulation. If you want to engineer for two different widgets, you just increased your costs and the little boy MBAs running your company will have an outbreak of acne.
Re:Pot... kettle... black (Score:5, Informative)
This was the basis of various governmental agencies struggling to get off of Microsoft Word for documents and switch to an open, published standard. It did not work out well: Look up the OOXML RFC, and the shenanigans Microsoft used to get that incomplete and inconsistent standard approved as an RFC.
Re: (Score:1)
We The People to the government: reliance on unaccountable, unchecked, big data ultra-monopolies for your cloud services is a security vulnerability.
Government agencies don't seem very good at it either, though. Sad state of affairs.
Forget vulnerability (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
It's typical for governments to spread contracts around to ensure that no one can understand, or properly manage, the whole system and many different agencies are required to manage every part of the project. It's also very common to spread contracts to please the representatives of the districts where those companies will hire personnel, even though it often increases costs profoundly.
Re: (Score:2)
FWIW, I worked contracts with DoD and various agencies for many years...42 to be precise. The first part of your comment is total BS, while the second gospel truth.
Re: (Score:2)
I've seen the first part among many agencies, and companies, that deliberately segment their security among different personnel and managers in the same department: deliberately keeping the firewall knowledge among some personnel, the authentication tools among others, the anti-virus among others. It leaves the group leader as the only one permitted to know the interactions, and keeps control of their interactions in his or her hands so they can attend all meetings and stay involved in every decision. It
Re: (Score:3)
Vulnerabilities are related to vendor's offers. Failures are related to dumb implementation by end users, and that first link is a prime example of stupid design, especially in an industry which should know better.
But then the USA armed forces does have a history of its "redundant" features causing problems including confusing operators and causing naval collisions.
Kettle .. Black. (Score:1)
Right back at ya.
And Microsoft agreed (Score:5, Insightful)
-- ..
the government's reliance on Microsoft products is a cybersecurity vulnerability
Microsoft pushed back strongly against the claim, calling it "unhelpful"
--
Note Microsoft didn't say it's not true. Apparently Microsoft agrees it's *true*. It's just not *helpful* to Microsoft.
Re: (Score:2)
Re: (Score:3)
That's the great thing about such a general term, everything is a cybersecurity vulnerability. Hell *you* are a cybersecurity vulnerability to your company if you have a login to a company PC.
It is an incredibly "unhelpful" term (to anyone, not just MS) which doesn't quantify risk at all, and risk is the only thing relevant in this discussion.
microsoft (Score:1)
Microsoft should have been split into OS and Office when Clinton was in office. Thanks to George Bush Jr. it wasn't. Also many other techs should have been split.
Re:microsoft (Score:4, Informative)
Yep, the DoJ had Microsoft over a barrel and then Bush's dog Ashcroft said it wasn't in our best interest as a nation to do anything about their willful and flagrant abuse of an effective monopoly position, and basically every other kind of anticompetitive behavior besides. Splitting them up would have been good not just for America, but for the entire world.
Re: (Score:2)
I'm not sure that's really what the split should have been.
I think four companies, each starting with the code from all products, a quarter of the employees, and an absolute prohibition on ever rejoining or working together and none allowed to call themselves "Microsoft" ever again would have been a better option.
An OS/Office split would have just created two companies with continuing monopolies.
Re: (Score:1)
Oh, and it's now time to do the same thing to Google and Apple.
Too many words in title (Score:2)
Google, Microsoft a Security Vulnerability
There FTFY.
that slut yo' wit be whack (Score:1)
Government Reliance? (Score:5, Funny)
I'm pretty sure they're doing it because it saves them money. It will all be sunshine and roses until something goes wrong I suppose, but why would I care? It's not my money or my data.
Re:Government Reliance? (Score:5, Informative)
Save them money over what?
If you are comparing cloud offerings from the big three, then maybe(?). They make it very difficult to compare, but it's generally Google > Microsoft > AWS. With the qualification that Google is far more reliable than the others.
But if you are comparing it to anything else, forget it. For example I've run exactly the same backups to Azure and Backblaze. Azure is literally a factor of 10 more expensive. In general you can get everything far cheaper by simply avoiding the big 3.
You can get cheaper than Backblaze again, simply by buying 20 or so disk drives and rotating them yourself. Again, the same is true for computer, database, or anything else. It costs more to rent: news at 11.
So no, cost isn't it. Nor reliability at least when it comes to Microsoft. Their fuck ups are legendary. Taking everything out by forgetting to renew a cert - embarrassing. Doing it twice in quick succession - gob smacking. Google is far more reliable in one sense, but in another there are more stories about Google simply switching you off for no apparent reason - and they will refuse to tell you why [ycombinator.com]. Google's engineering may be legendary, but so is their support.
So not cost, and not quality of engineering. So why?
It's the same reason hospitals base their operations on an OS that causes many of them to be ransomware'ed each day. It's because they are hospitals, not IT engineering firms. Their core business is renting out beds, operating theatres and nurses to operate it all. If they need a new building, they hire someone to build it. If they need a car park run, they contract someone to run it. Hell, most of them are so focused on the business of supplying beds they don't even have doctors - most of the doctors there work for themselves, not the hospital, and can come and go as they please. So when they need a computer with an OS, they bought the one the computer store sold them: a PC running Windows.
And now, they commissioned programs to run on those PC's, and they are locked in. Then they realise they can outsource servers, email, backups, web sites to the cloud and get rid of them and all the support staff too. Which cloud provider would they use, do you think? Would it be the one that integrates computing infrastructure with as little effort as possible - the one that supports their Active Directory client, their Exchange client, their One Drive client? Of course it is - they have no IT expertise, and absolutely no interest in developing any.
It's amazing how deep this extends. When Sony was owned by North Korea, where "owned" means they had no idea who their employees are, no idea who their debtors are, had all of their movie assets uploaded to the web, and even had no way to unlock the doors did that change? Of course not. That would be far too hard. Microsoft forever, even if it was the reason we are so royally fucked over, we couldn't operate our bank accounts for a while.
And that, my friend, is how all organisations that don't consider IT as core end as Microsoft Azure customers. Those of us whose core business is software engineering don't touch the Microsoft "way" of doing things with a 40' barge pole - even if we run Windows on our laptops. It's too expensive, too unreliable, too insecure, and far, far too locked in.
Re: (Score:1)
but it's generally Google > Microsoft > AWS.
WTF, for cloud it is the reverse. Google are way way down on reliability while AWS and Azure are quite similar. Google has taken too many each way bets and have been uncertain if they want to stay in the cloud business so their investment and reliability is reflected in that.
Re:Government Reliance? (Score:5, Insightful)
For example I've run exactly the same backups to Azure and Backblaze. Azure is literally a factor of 10 more expensive.
You wrote a lot for someone who has no clue about what is going on. Hint: Microsoft's cloud offerings for companies are not about storing some data on a remote server. Backblaze may be cheaper for storage, but do they offer Exchange online? AD online? Office 365? Virtual remote desktops tied into your corporate domain?
"The Cloud" is far more complex than where you can store your shit. There's a reason Azure is so popular despite being so expensive and it's related to the service offer for businesses, and not offloading some hardware.
Re: (Score:2)
Those of us who do the IT work within the company are not listened to, so we've given up objecting.
In fact, you may have mistaken me for someone who gives a shit.
Re: (Score:2)
I found myself working for one of those corporations too. Not out of choice, the founders sold out.
It took me a surprisingly long time to figure out I had stopped giving a shit too. Turns out it's hard to give a shit about endeavours that take a whole pile of smart people, and collectively brow beat them into something about as smart as a Trump appointee. So I left.
The above post is the cumulation of my ruminations on "what the fuck just happene
Google plays footsie with the CCP (Score:5, Informative)
and quite publicly declined to continue working on a DoD project at the behest of a vocal group of America-skeptic employees in its Silicon Valley offices.
Them calling the other guys being security threats is fucking rich.
They better hope the Chinese don't make a move on Taiwan because, whatever happens in between, the end will see CCP sympathizers hang.
Re: (Score:2)
Living up to your handle I see.
That said, I would assert that ANY single source product is a weakness that any sensible business (or government) should strive vigorously to avoid. This used to be basic business planning.
Re: (Score:2)
It will probably be safer to have different OSes, word processing software, etc spread out so that if any one software gets compromised it will not compromise everything.
Only problem is the extra work in setting up and maintaining various system images, updates, security issues and making sure employees are trained in different software and processes.
Question every organisation has to answer : Is the cost savings in having a "standard" software for everyone is worth the extra security created by having differe
Re: (Score:2)
That's safer from one kind of vulnerability. I was thinking more of "The vendor decides to make changes that you don't want, or stops selling the product at an affordable price.", which is another kind of vulnerability.
Translation (Score:5, Insightful)
$COMPANY1 complains that $COMPANY2 isn't letting them get to the trough enough.
Re: (Score:2)
While MS security does suck, Google hasn't proven significantly more reliable yet.
Re: (Score:2)
Comment removed (Score:3, Insightful)
Re:Not exactly wrong, but... (Score:5, Insightful)
I'd only trust Microsoft more because I can avoid using all Microsoft products.
Re: (Score:3)
Easier to avoid google than microsoft in most cases...
Re: (Score:2)
Easier to avoid google than microsoft in most cases...
....until you open a web browser.
Sure, one can run Firefox as to not be using Webkit (though, with Mozilla dependent on Google for funding, it depends how far one must go to successfully 'avoid'), but try blocking Google ranges and domains on your firewall. Sure, Adsense ads not working is a silver lining, but lots of websites use embedded Youtube videos, so those will break.
Other websites using Google AMP as a de facto CDN won't load, pages using Google Fonts will probably default to some system font that
Re: (Score:3)
Re: (Score:2)
With what? I'd be stupid to universally trust either company over the other without being specific. Both of them offer very different things with very different competencies.
Based on the numbers... (Score:2)
Re: (Score:2)
google are trying to not go bankrupt.
Yeah, they are soo on the knife's edge...
great news (Score:1)
Re: (Score:2)
The difference is that you are not locked in to search, it's easy to use a different search engine such as bing, duckduckgo or yandex. People use google because it either produces better results, because they are unaware alternatives exist, or because its the default on whatever device they use. There are no obstacles preventing them from using a different one.
Google have a large market share in mobile but they are far from dominant. Apple still have a significant share too, plus android itself is open sour
Re: (Score:2)
You don't have to buy a google phone. You can buy Apple, or Amazon, or Huawei etc.
You won't be sent files that only open on a google phone.
You won't be pointed to applications that only run on google phones.
Businesses don't need to replace a lot of backend infrastructure and third party applications before they're able to transition from google phones to something else.
I use an iPhone, i don't feel any pressure to migrate to a google phone.
I use a Mac, i keep getting files in MS proprietary formats or end u
Well he would, wouldn't he? (Score:2)
Nothing new under the sun.
Reminds me of Mandy Rice-Davies' famous riposte
https://en.wikipedia.org/wiki/... [wikipedia.org]
Is the issue really Microsoft, or something else (Score:1)