
US senator asks FTC to investigate Microsoft for "gross cybersecurity negligence"


[File photo | Photo credit: Reuters] An FTC spokesperson acknowledged that the agency had received the letter but declined to comment further.

US Democratic Senator Ron Wyden on Wednesday called on the Federal Trade Commission to “investigate and hold Microsoft accountable” for its role in a series of high-profile cybersecurity incidents in recent years, saying the company’s approach to security “continues to endanger US national security.”

Wyden wrote in a Sept. 10 letter to FTC Chairman Andrew Ferguson that the tech giant's "gross cybersecurity negligence" has enabled ransomware attacks against critical infrastructure, including U.S. healthcare organizations, at least in part because of insecure default settings in the Windows operating system.

"At this point, Microsoft has become a malicious arsonist selling firefighting services to its victims," Wyden wrote, adding that government agencies and other companies have "no choice" but to use the company's products given its near monopoly over them.

An FTC spokesperson acknowledged that the agency received the letter but declined to comment further. Wyden's letter cited as a key example the May 2024 ransomware attack on hospital operator Ascension, which Ascension says exposed the private medical and insurance data of nearly 5.6 million people.

Wyden wrote that the hospital operator told its employees that a contractor using an Ascension laptop clicked on a malicious link served by Microsoft's Bing search engine, which allowed the attackers to get onto the company's network and ultimately reach the organization's Microsoft Active Directory server, the system used to manage user accounts.

According to Wyden, Microsoft's continued support for an outdated encryption algorithm, combined with the default configuration settings Microsoft ships, made the attack path in the Ascension case possible, and Microsoft has not done enough to tell customers how to mitigate the threat.

A Microsoft spokesperson said Wednesday that RC4, the encryption algorithm Wyden refers to, is old and accounts for "less than 0.1% of our traffic," and that the company discourages customers from using it.

"However, disabling its use would completely break the system for many customers," the spokesperson said, adding that the company is gradually reducing the extent to which customers can use it, while providing warnings and guidance on the safest way to use it.

RC4 will be disabled by default in certain Windows products starting in the first quarter of 2026, and the company is including "additional mitigations" for existing deployments, the spokesperson said.

Wyden has previously pushed for U.S. government investigations and reviews of Microsoft's role in cyberattacks, including after revelations in July 2023 that Chinese-linked hackers stole thousands of U.S. officials' emails.
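The exposure the article describes, RC4 still being accepted for Active Directory Kerberos tickets under default settings, is what a practitioner would audit for as Kerberoasting risk: any authenticated domain user can request a service ticket for an account that has a service principal name (SPN), and an RC4 ticket is keyed from the account's NT hash and is cheap to crack offline. The script below is an added example, not code from the article, from Wyden's letter or from Microsoft. It assumes the ActiveDirectory RSAT module, read access to the domain and to a domain controller's Security log, and it treats an unset `msDS-SupportedEncryptionTypes` attribute as "still permits RC4", which matches Microsoft's documented default but should be confirmed against the `DefaultDomainSupportedEncTypes` registry value on your DCs.

```powershell
# Added example (not from the article or Microsoft): find AD accounts that can
# still be issued RC4 service tickets, optionally move them to AES only, and
# look for RC4 ticket requests in the DC Security log. Account names used in
# the usage comments are hypothetical.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE / MS-ADTS).
$RC4 = 0x4
$AES = 0x8 -bor 0x10   # AES128 + AES256 = 0x18 (decimal 24)

function Get-Rc4ExposedServiceAccount {
    # Only accounts with an SPN can be asked for a service ticket, so those
    # are the ones an attacker can Kerberoast if RC4 is still allowed.
    [CmdletBinding()]
    param([string]$SearchBase)

    $params = @{
        Filter     = 'servicePrincipalName -like "*"'
        Properties = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName', 'pwdLastSet'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $etypes = $_.'msDS-SupportedEncryptionTypes'
        # Assumption: null/0 means the domain default applies, and that default
        # still includes RC4 unless the DC registry has been hardened.
        $allowsRc4 = (-not $etypes) -or (($etypes -band $RC4) -ne 0)
        if ($allowsRc4) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                EncTypes       = if ($etypes) { '0x{0:x}' -f $etypes } else { '<not set: domain default>' }
                HasAesFlag     = [bool]($etypes -band $AES)
                PasswordSet    = [datetime]::FromFileTime($_.pwdLastSet)
                SPNs           = ($_.servicePrincipalName -join '; ')
            }
        }
    }
}

function Set-AesOnlyEncryptionTypes {
    # Restrict an account to AES tickets. This is the step Microsoft warns can
    # break things: a service or client that only speaks RC4 will stop
    # authenticating. The account must also actually have AES keys, which only
    # exist if its password was set after the domain supported AES, so reset
    # the password first if PasswordSet above is very old.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName)
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Set msDS-SupportedEncryptionTypes = 0x18 (AES only)")) {
            Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = $AES }
        }
    }
}

function Find-Rc4ServiceTicketRequest {
    # Security event 4769 (Kerberos service ticket requested) records the
    # ticket encryption type; 0x17 is RC4-HMAC. Many RC4 requests from one
    # account for many different services in a short window is the classic
    # Kerberoasting signal. Run against a domain controller.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)

    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            if ($data.TicketEncryptionType -eq '0x17') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Requester = $data.TargetUserName
                    Service   = $data.ServiceName
                    ClientIP  = $data.IpAddress
                }
            }
        } | Group-Object Requester | Sort-Object Count -Descending
}

# Usage:
#   Get-Rc4ExposedServiceAccount | Format-Table SamAccountName, EncTypes, HasAesFlag, PasswordSet
#   Get-Rc4ExposedServiceAccount | Set-AesOnlyEncryptionTypes -WhatIf   # dry run first
#   Find-Rc4ServiceTicketRequest -Hours 1 | Select-Object Name, Count
```

Run the audit and the `-WhatIf` pass before changing anything, and fix accounts one at a time so a broken legacy service is easy to attribute; the event query is the check that tells you whether RC4 tickets are actually being requested, which is the traffic figure Microsoft's spokesperson quotes in aggregate but which each domain has to measure for itself.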
