
Sen. Ron Wyden, D-Oregon, is urging the Federal Trade Commission to investigate Microsoft for what he says is a threat to national security due to its de facto monopoly on the software industry.
WHY IT MATTERS
At issue is Microsoft's continued support for outdated encryption and the company's perceived delay in disabling one particular outdated cipher, said Wyden, who used the massive Ascension cyberattack of May 2024 as one example of the risks.
In a statement urging FTC to investigate Microsoft, Wyden charged the software giant with contributing to ransomware attacks against critical U.S. infrastructure, and named the catastrophic Ascension cyberattack that affected more than 5.6 million people last year.
"Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable," said Wyden in the statement.
The Ascension cyberattack began when one of the provider's contractors clicked on a malicious link in a Microsoft Bing search results page, the statement noted. That infected laptop allowed hackers to gain access to the network. When it confirmed sensitive data had been breached in the Black Basta ransomware attack, Ascension called it an "honest mistake."
Microsoft published a 2024 blog post about mitigating the technique known as "Kerberoasting," and said that it planned to issue a future software update to remove support for the encryption technology the technique abuses.
"RC4 will be deprecated, and we intend to disable it by default in a future update to Windows 11 24H2 and Windows Server 2025," the company said at the time.
But the outdated cipher, known as RC4, is still supported by Microsoft software in its default configuration, Wyden's office said, stating that its staff urged the company to warn customers about the vulnerability.
A Microsoft spokesperson told Healthcare IT News on Friday that the company cannot yet pull the plug on the cipher. "RC4 is an old standard, and we discourage its use both in how we engineer our software and in our documentation to customers, which is why it makes up less than 0.1% of our traffic," they explained.
"However, disabling its use completely would break many customer systems," they added. "For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible."
While the FTC has not yet responded to Sen. Wyden's request, the trade commission has been investigating antitrust violations and released one report looking at the company's partnerships and investments, among those of other cloud service providers and generative artificial intelligence leaders.
Wyden said he's concerned that the "dangerously insecure default settings" in Microsoft software jeopardize the United States government and all critical sectors that rely on the company's software. He noted that he has asked federal agencies to hold Microsoft responsible for selling them dangerously insecure software.
"Today, 11 months after Microsoft published that blog post, the company has still not released the promised update, nor conducted direct outreach to warn customers," said Wyden's office.
The Microsoft spokesperson said disabling RC4's use is on its roadmap.
"We've already removed use of DES (another standard similarly problematic to RC4)," the spokesperson said, adding: "In Q1 of 2026, any new installations of Active Directory Domains using Windows Server 2025 will have RC4 disabled by default, meaning any new domain will inherently be protected against attacks relying on RC4 weaknesses."
Further, "we plan to include additional mitigations for existing in-market deployments with considerations for compatibility and continuity of critical customer services."
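For defenders wondering whether the "default configuration" issue Wyden describes applies to their own domain, here is an added example (not code from the article, Microsoft or Wyden's office) of the two checks Microsoft's Kerberoasting guidance points at: scanning Windows Security event 4769 for service tickets issued with RC4 (encryption type 0x17, the ticket type Kerberoasting relies on) and classifying an account's msDS-SupportedEncryptionTypes value. The key=value line layout, account names and SPNs are constructed for the example; only the event ID, field names and type codes are real.

```python
import re
from collections import defaultdict

# 0x17 is RC4-HMAC in the "Ticket Encryption Type" field of Windows Security
# event 4769 (service ticket request); AES types are 0x11 and 0x12.
RC4_HMAC = 0x17
# Bit flags of the AD msDS-SupportedEncryptionTypes attribute.
ETYPE_RC4_HMAC_MD5, ETYPE_AES128, ETYPE_AES256 = 0x04, 0x08, 0x10

# Constructed sample events in a simplified key=value layout (hypothetical
# accounts and SPNs, not real log data).
SAMPLE_4769 = """\
AccountName=alice@CORP.EXAMPLE ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x12
AccountName=bob@CORP.EXAMPLE ServiceName=HTTP/intranet TicketEncryptionType=0x17
AccountName=bob@CORP.EXAMPLE ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17
AccountName=bob@CORP.EXAMPLE ServiceName=cifs/fs01 TicketEncryptionType=0x17
AccountName=carol@CORP.EXAMPLE ServiceName=cifs/fs01 TicketEncryptionType=0x11
"""
EVENT_RE = re.compile(
    r"AccountName=(\S+)\s+ServiceName=(\S+)\s+TicketEncryptionType=(0x[0-9a-fA-F]+)"
)

def rc4_service_tickets(log_text):
    """Map each requesting account to the SPNs for which it was issued an
    RC4-encrypted service ticket; lines that do not parse are skipped."""
    by_account = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m and int(m.group(3), 16) == RC4_HMAC:
            by_account[m.group(1)].add(m.group(2))
    return dict(by_account)

def flag_rc4_burst(log_text, threshold=3):
    """Accounts that obtained RC4 tickets for at least `threshold` distinct
    SPNs: a burst of RC4 service tickets is the classic Kerberoasting signal."""
    return sorted(acct for acct, spns in rc4_service_tickets(log_text).items()
                  if len(spns) >= threshold)

def classify_supported_etypes(value):
    """Classify an account's msDS-SupportedEncryptionTypes value; 0 or unset
    means the domain default applies, the 'default configuration' at issue."""
    if not value:
        return "unset-default"
    if value & ETYPE_RC4_HMAC_MD5:
        return "rc4-allowed"
    if value & (ETYPE_AES128 | ETYPE_AES256):
        return "aes-only"
    return "other"
```

Any account that classifies as "rc4-allowed" or "unset-default", and any RC4 ticket burst, is worth reviewing before the default changes Microsoft describes land.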
THE LARGER TREND
The FTC launched an antitrust investigation of Microsoft Corp. in 2024 and said in March that it would continue to examine allegations that the company is potentially abusing its market power by imposing punitive licensing terms to prevent customers from moving from its Azure cloud service to rival platforms, according to Reuters' coverage.
While the FTC has not yet responded to Wyden's request, the commission released a report about Microsoft's corporate partnerships and artificial intelligence investments as well as those of Alphabet, Inc., Amazon.com, Inc. and generative AI developers Anthropic PBC and OpenAI OpCo, LLC in January.
"The FTC’s report sheds light on how partnerships by big tech firms can create lock-in, deprive start-ups of key AI inputs and reveal sensitive information that can undermine fair competition," former FTC Chair Lina M. Khan said in the commission's announcement about the report's release.
With the AI Partnerships & Investments Study report's release, incoming FTC Chairman Andrew Ferguson offered a concurring and dissenting statement regarding the report, in which he took issue with one area of the study that he called "notably narrow in scope."
He said it should not be used to draw "conclusions about the AI industry and its future, or even about the partnerships themselves," adding: "An analysis of the impact that these partnerships might have on competition is beyond the scope of this report."
ON THE RECORD
"I urge the FTC to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the U.S. government and to critical infrastructure entities, such as those in the U.S. health care sector," said Sen. Wyden in a statement.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.