Why Federal Agencies Must Learn from the Cyber Safety Review Board Report on Microsoft

The US government spends hundreds of billions of dollars every year procuring products and services from outside contractors and vendors. These relationships are essential to keeping government services running, keeping money flowing, and honoring contracts with private sector companies.

One government function that cannot be outsourced, however, is oversight: federal agencies are responsible for ensuring that the services they purchase are delivered on time, complete, and free of defects. As a recent report shows, government oversight is failing in one critical field, cybersecurity, and the time has come to rethink our approach.

On April 2, 2024, the Cyber Safety Review Board (CSRB) released a report criticizing Microsoft's handling of cybersecurity for the US government. The CSRB strongly criticized the security culture at Microsoft, held the company directly responsible for the 2023 intrusion into US government email accounts, and pointed to a later Russian-attributed intrusion into Microsoft's own corporate email as further evidence of the same weaknesses.

The report found that a "cascade of Microsoft's avoidable errors" allowed a Chinese state-affiliated actor to succeed in hacking the email of senior government officials.

The report also found that Microsoft failed to detect that breach on its own, "relying instead on a customer who reached out after detecting and observing severe anomalies."

Government Agencies Must Learn from the Findings Too

The truth, however, is that while Microsoft clearly acted negligently, government procurement and compliance officials should not be relying on private companies to keep their networks secure.

That responsibility has to stay with the agencies themselves. Which raises the question: what steps should those involved in procurement and compliance in US government departments and agencies take to ensure the security of government networks?

Requiring strict adherence to contract protocols and statements of work (SOW) is the most important tool in any government procurement toolbox.

Expectations, timeframes, and deliverables need strict definition, and any deviation from agreed-upon terms must be addressed immediately, before the underlying issue spirals out of control.

Too many agencies rely on the brand name of the service provider instead of the actual quality of the work delivered. This practice needs to end.

Equally important is the quality of the in-house cyber experts charged with managing contracts and contractors. Despite growing concern about cyber breaches across government agencies, there are frequently too few experts, spread too thin and performing too many tasks.

Agencies must receive the resources they need to compete for and retain top cyber talent. Bringing in cyber experts as "blue badgers" (full-time federal employees rather than contractors) will make contract monitoring more productive, efficient, and seamless.

The US government also needs to end its near-single-source reliance on contractors in the cybersecurity space. The CSRB report shows how near-exclusivity in this market has put some of the US government's most critical systems and networks at risk, and the lack of recourse available to contracting officers is a critical shortfall in holding these large vendors to account.

The Office of Federal Procurement Policy and the General Services Administration must prioritize diversifying federal computing and cybersecurity contracting. Healthy competition among contractors will deliver better service, and contracting officers will have options and alternatives should any breaches or failures occur.

Finally, a workable system that allows federal cyber professionals to share information on contractors and their performance in real time should be established. This would alert agencies evaluating proposals and SOWs to companies that are performing poorly and allow them to make procurement decisions based on all the available facts.

Cyberspace is a war-fighting domain, and the recent CSRB report shows just how effectively other countries can weaponize it against us if federal agencies do not act quickly. The time for a paradigm shift in this crucial respect is now.
