Federal Cyber Experts Called Microsoft's Cloud 'a Pile of Shit', Yet Approved It Anyway (propublica.org)
ProPublica reports that federal cybersecurity reviewers had serious, yearslong concerns about Microsoft's GCC High cloud offering, yet they approved it anyway because the product was already deeply embedded across government. As one member of the team put it: "The package is a pile of shit." From the report: In late 2024, the federal government's cybersecurity evaluators rendered a troubling verdict on one of Microsoft's biggest cloud computing offerings. The tech giant's "lack of proper detailed security documentation" left reviewers with a "lack of confidence in assessing the system's overall security posture," according to an internal government report reviewed by ProPublica. For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn't vouch for the technology's security.
Such judgments would be damning for any company seeking to sell its wares to the U.S. government, but it should have been particularly devastating for Microsoft. The tech giant's products had been at the heart of two major cybersecurity attacks against the U.S. in three years. In one, Russian hackers exploited a weakness to steal sensitive data from a number of federal agencies, including the National Nuclear Security Administration. In the other, Chinese hackers infiltrated the email accounts of a Cabinet member and other senior government officials. The federal government could be further exposed if it couldn't verify the cybersecurity of Microsoft's Government Community Cloud High, a suite of cloud-based services intended to safeguard some of the nation's most sensitive information.
Yet, in a highly unusual move that still reverberates across Washington, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway, bestowing what amounts to the federal government's cybersecurity seal of approval. FedRAMP's ruling -- which included a kind of "buyer beware" notice to any federal agency considering GCC High -- helped Microsoft expand a government business empire worth billions of dollars. "BOOM SHAKA LAKA," Richard Wakeman, one of the company's chief security architects, boasted in an online forum, celebrating the milestone with a meme of Leonardo DiCaprio in "The Wolf of Wall Street."
It was not the type of outcome that federal policymakers envisioned a decade and a half ago when they embraced the cloud revolution and created FedRAMP to help safeguard the government's cybersecurity. The program's layers of review, which included an assessment by outside experts, were supposed to ensure that service providers like Microsoft could be entrusted with the government's secrets. But ProPublica's investigation -- drawn from internal FedRAMP memos, logs, emails, meeting minutes, and interviews with seven former and current government employees and contractors -- found breakdowns at every juncture of that process. It also found a remarkable deference to Microsoft, even as the company's products and practices were central to two of the most damaging cyberattacks ever carried out against the government.
Microsoft and pile of shit (Score:4, Insightful)
Re: (Score:3)
It does. And by now they have had that cloud partially and fully compromised several times. You basically have to be utterly incompetent as an IT security person to not see it now. Or deep into Stockholm Syndrome.
Re: (Score:2)
Or deep into Stockholm Syndrome.
That's the I.S./I.T. director and network manager where I work.
Re: (Score:2)
It seems to have high prevalence, unfortunately.
More Proof (Score:5, Insightful)
Should be labeled a "Supply Chain Risk" (Score:3)
like Anthropic. But they won't because that would be rational. The current administration likes to label companies with "Supply Chain Risk" if they don't go with the program as "punishment" not after damage is done.
Re: (Score:2)
If your primary motivation is greed (which is not accidentally in the short catalog of deadly sins), yes. If you actually want to deliver a good product and make the world a bit better, then no.
Time to deal with the cancer.
Knotty problem (Score:1)
Re: (Score:2)
wait for it.
Re:Knotty problem (Score:4, Insightful)
Builders build buildings precisely the same way programmers write programs. That's how society learns how to set building codes. There are no building codes for programs, that's the difference.
Re: Knotty problem (Score:3)
If builders built things the way vibe coders do, the first wood pecker would destroy the building. Fixed it for ya.
Re: (Score:3)
Re: (Score:1)
Not surprising (Score:5, Informative)
I mean, this is no big surprise for anyone that has had to deal with this shit on a daily basis. I'm sure we've all been forced to use Teams at some point, so just extrapolate that out to their entire tech stack.
Re: (Score:2)
it is the same shit everywhere, you do your best then the "stakeholders" come and say we don't care make this work and you rubber stamp w/alacrity
Re: (Score:2)
Re:Not surprising (Score:4, Informative)
That is the reality isn't it?
There was no universe where any kind of security evaluation of MS GCC was going to be other than pro forma, some rule might have required it but nobody was going to deny Microsoft.
Just imagine the fallout and I don't even mean in upset political donors, I mean in very practical terms stalled IT projects. The entire current generation of government IT contractors grew up breathing Microsoft and their tech stack. I am not saying Microsoft isn't and can't lose its iron grip but realistically short term it does not matter what they do in terms of shoddy products and docs, # of little kids senior management diddled on Epstein island, or how much of their staff is composed of agents in hostile governments, they can get away with all of it, because so much just grinds to a halt without their stuff.
How many Microsoft engineers for a light bulb? (Score:3)
Q: How many Microsoft engineers does it take to screw in a light bulb?
A: Zero. Microsoft declares Darkness(tm) the new Standard.
Re: How many Microsoft engineers for a light bulb? (Score:2)
640 light bulbs should be enough for everyone!
Re: (Score:2)
Q: How many Microsoft engineers does it take to screw in a light bulb?
A: Zero. Microsoft declares Darkness(tm) the new Standard.
So... Extinguish and Embrace then Extend - novel. :-)
(Instead of their usual [wikipedia.org].)
Trust (Score:5, Funny)
Re:Trust (Score:5, Funny)
If you can't trust Microsoft to protect you, you can at least trust the government oversight to protect you.
Yes, governments excel when it comes to committing oversights...
Re:Trust (Score:4, Funny)
Damn. I wish I had a mod point. I'd mod this funny.
contract requirements (Score:4, Informative)
GCCH customer here. I concur, GCCH is a pile of crap. Imagine every Microsoft bug and issue amplified, and getting even less attention. Besides the fact that it is not great on security, it is at least mostly separate from the Commercial cloud and issues there.
We use GCCH to meet government contract requirements. Because, as the article notes, no one asks too many questions and just trusts this crap.
Good luck getting any bug fixed in GCCH. Good luck with basic O365 features working in your environment.
Re: (Score:3, Informative)
Why the Hell is Microsoft trusted with so much authentication? All it takes is a single Entra break, and the entire Fortune 500 sector and the Western government sector will be farting mayonnaise for years.
Re: (Score:2)
Hopefully your CISO is managing security with 3rd party integration.
Re: (Score:2)
Re: (Score:2)
Rubles aren't worth what they once were. Enjoy what little you have left.
The product is crap... (Score:4, Insightful)
...but is too deeply embedded not to continue using.
Sounds like Microsoft's business model.
Re: (Score:2)
The Europeans are currently trying to get out. Since they do it for another reason that is pretty much catastrophic for MS (hard evidence that the US government can order them to withdraw services from individuals and organizations), it will likely be successful. And as soon as it becomes obvious how massive the benefits are from getting away from MS, the dam will break.
Re: (Score:2)
And as soon as it becomes obvious how massive the benefits are from getting away from MS, the dam will break.
Also the more countries do so, the fewer drawbacks there will be due to Mickeysoft applications not being able to correctly read standards-based documents from other applications.
Meaningless opinion (Score:2)
This is just a chicken little article from an unsourced opinion from who knows who. Complaining about the documentation, not any actual gap in security protocols.
Re: (Score:2)
This just shows you have absolutely no clue how IT security works.
Documentation is critical. Without it, all risk management fails. But there is also the history of partial and full cloud compromises MS has, often with no way to do reasonable forensics to find out how bad it was.
Re: (Score:2)
A lack of documentation does not automatically translate into "exploit exists and our systems are vulnerable" but you can keep pretending to know how "IT security" works.
Re: (Score:2)
How do you positively identify a properly configured system without good documentation?
Re: (Score:2)
Identifying compliance standards is not the same thing as "exploit exists".
It's probably because (Score:2)
lobbying talked to someone to take the deal. That's the way it usually works.
probably TINA's fault (Score:4, Funny)
TINA = "there is no alternative"
Re: (Score:1)
Exchange says Hi
Business As Usual (Score:3)
Every IT department will call Microsoft's everything a pile of shit and then approve/use it anyway. So, this is hardly news.
I will say that Microsoft does seem to be trying to secure their cloud more than anyone else. But, that's because their SaaS is compromised more than anything else. Due to the extreme frequency of attacks, Business Email Compromise (BEC) is starting to feel meaningless because of how frequently it occurs in Microsoft-slop-land. From a security perspective, you're better off using just about any other "lesser" used email service. This despite Microsoft's extensive security measures.
Re: (Score:2)
The real issue is no one wants to take the risk of selecting anything else but Microsoft. After all, no one was ever fired for selecting Microsoft even though the CFO cries every time he sees the quarterly hit to the bottom line.
Re: (Score:2)
Microsoft... (Score:2)
... too big to bail.
Re: (Score:2)
... too big to bail.
I think that was the alternate motto for the Titanic. :-)
On par (Score:1)
I mean, it is quite on par with the other software from M$, so I guess that is why they approved it. No change in quality.
Linux has existed for 35 years (Score:2)
Re: (Score:2)
Completely wrong. LibreOffice is actually _older_ than MS Office. The only advantage that MS has is that they engage in bribery, coercion, lying to customers and other "criminal enterprise" type marketing practices.
Re: (Score:2)
Ding, ding, ding, ding ... winner, winner, chicken dinner.
Re: (Score:3)
You sure about that? "Office" can trace its roots back previous to the 1984 introduction of the Macintosh, where Microsoft was asked early in the Macintosh project by Apple to create a word processor and spreadsheet app for the new platform. Word and Excel were born, and the first version of Excel shipped in September of 1985.
According to LibreOffice's own timeline [libreoffice.org], their first anything was in 1985, on CP/M.
Seems they are roughly "as old" as each other. Not that it matters in any way at all.
Re: (Score:2)
Switch to what? BSD?
It's an old joke ... (Score:5, Informative)
Linux (Score:3)
Re: (Score:2)
Is this Bill or Satya? It's so hard to tell these days.
Slop (Score:3)
Slop also describes a pile of shit. Microsoft is on its way out. It's coming, hopefully sooner than later. Before they were just thinly veiled evil, but now with the curtain pulled we see it's full on retard.
FedRAMP (Score:3)
I remember where the very large bank I worked at (Score:1)
How to guaranteed security (Score:2)
as it leaps from server to server? No problem: do it exactly as the PCI DSS. Everything is fully encrypted between two machines.
Oh, but cloud... I see, it should be encrypted everywhere.