In my three decades as an insurance and risk management professional, I have learned to evaluate risks and vulnerabilities and identify the best ways to mitigate them. Today, I see Microsoft’s cozy relationship with China, a government that demands security-compromising backdoor access to the software of companies operating there, as a major looming threat that requires urgent attention.
This concern isn’t just professional; it’s personal. As a veteran and now a city councilman in Hilliard, Ohio, I’m still guided by the oath I took to protect our nation. That same oath compels me to speak out today.
Microsoft’s licensing strategy has created a near-monopoly in government IT systems. A study commissioned by the Computer & Communications Industry Association revealed that roughly 85% of government employees use Microsoft products. This isn’t just about Microsoft making money – it could be dangerous for the whole country if something goes wrong.
Here’s why: Microsoft’s restrictive licensing terms lock in customers and make it nearly impossible for government agencies to transition to alternative solutions, even if they would prefer to work with companies that don’t do business in China. The agreements these agencies sign often lock them into Microsoft’s ecosystem, hindering competition and innovation. And because of Microsoft’s ties to China, that dependence gives the Chinese Communist Party access to a vast swath of our government’s IT infrastructure.
Microsoft has more than 9,000 employees in China. Every foreign company doing business there must follow laws that require providing the Chinese government with access to source code and encryption keys, and with backdoor access to its products. Microsoft’s continued operations in China mean that it adheres to these rules, which is deeply troubling given its expansive role serving the U.S. government.
Moreover, China recently enacted a “national security law” that requires large foreign companies to appoint a Chinese “employee representative” to the board of their Chinese subsidiary. Experts warn these representatives are likely to have close ties to Chinese authorities or the Communist Party – another vulnerability that cannot be ignored.
In fact, we’ve already seen the consequences. In a breach disclosed in July 2023, Chinese state-backed hackers compromised Microsoft Exchange Online and accessed emails from U.S. government agencies and high-ranking officials, including the Commerce Secretary. This wasn’t just a run-of-the-mill data breach; it was a national security incident.
As a side effect of Microsoft’s practice of using its market share to lock in customers and make it difficult to use competitors’ software or cloud platforms, the company has made its customers’ data more vulnerable to hacks. When one company’s products are so ubiquitous, a single vulnerability can have far-reaching consequences. It’s akin to building a city where every house uses the same lock – if someone cracks that lock, every house becomes vulnerable.
In risk management, we always advise against putting all your eggs in one basket. Yet that’s exactly what our government is doing with its IT systems. This lack of diversity not only stifles innovation but also weakens our cybersecurity position. Microsoft’s unchallenged market dominance has eliminated the competitive pressures that typically drive product improvement and security enhancements. This lack of competition has fostered a complacent security culture within Microsoft, as evidenced by the scathing critique from the Department of Homeland Security’s Cyber Safety Review Board. The board’s post-mortem analysis of the 2023 Chinese intrusion into government emails highlighted a cascade of avoidable security failures at Microsoft. Our current IT monoculture is setting us up for disaster.
We need action. The U.S. Senate should investigate how Microsoft’s market dominance and its dealings in China are putting our national security at risk. We must promote competition in government IT procurement, ensuring we’re not overly reliant on any single vendor, especially one with such close ties to a potential adversary.
This isn’t about vilifying Microsoft. It’s about recognizing that their business practices, however profitable, have created a vulnerability in our national security. We need to diversify our cybersecurity apparatus, just as we would diversify any other critical infrastructure.
As someone who’s spent a career assessing risks and now serves in public office, I can say with certainty: this is a threat we can’t ignore. It’s time to reevaluate our approach to government IT procurement and prioritize national security over corporate convenience. Our digital sovereignty depends on it.
Les Carrier, Hilliard City Council