Federal cybersecurity evaluators delivered a scathing indictment of one of Microsoft’s flagship cloud services, describing its security documentation as so lacking that they had “a lack of confidence in assessing the system’s overall security posture.” The blunt assessment, revealed in an internal government report, was even more starkly put by one reviewer: “The package is a pile of shit.”
Years of Red Flags Ignored
For an extended period, Microsoft struggled to provide a clear, comprehensive explanation of how its cloud service, known as Government Community Cloud High (GCC High), safeguards sensitive government data as it moves across numerous servers. This persistent vagueness left cybersecurity experts unable to fully endorse its security, a critical issue given Microsoft’s prominent role in two major, damaging cyberattacks against the U.S. in recent years. Russian hackers exploited vulnerabilities to access sensitive data from various federal agencies, including the National Nuclear Security Administration, while Chinese hackers infiltrated email accounts of high-ranking government officials.
Unusual Approval Amidst Lingering Doubts
Despite these deep-seated concerns, the Federal Risk and Authorization Management Program (FedRAMP) took the highly unusual step of authorizing GCC High. This approval, akin to the government’s cybersecurity stamp of approval, came with a cautionary note for agencies, effectively a “buyer beware” warning. The decision has significantly bolstered Microsoft’s lucrative government business, enabling the expansion of a cloud empire worth billions. The authorization, celebrated internally by a Microsoft chief security architect with a triumphant meme, highlights the company’s perspective on this pivotal moment.
This outcome deviates sharply from the original intent behind FedRAMP, established over a decade ago to instill confidence in cloud service providers handling classified government information. Investigations reveal significant shortcomings throughout the review process, including an apparent deference to Microsoft. FedRAMP first flagged security concerns regarding GCC High in 2020, requesting detailed encryption diagrams. However, when Microsoft’s responses were incomplete and delayed, the program, instead of rejecting the application, allowed the review to languish for nearly five years. During this protracted assessment, federal agencies were permitted to deploy the product, leading to its widespread adoption across government and defense sectors. Ultimately, the authorization was granted not because all security questions were answered, but largely because the technology was already entrenched. Today, critical agencies like the Justice and Energy departments, along with the defense industry, rely on GCC High to protect information whose compromise could have severe national security repercussions. Experts suggest this situation shatters the illusion of robust security, branding the process mere “security theater.”
The long-term implications for national security and the integrity of government data protection remain a critical question as the nation grapples with the fallout from this decision.
📰 Source: Ars Technica