In the wake of the CrowdStrike incident, one of the largest IT outages in history, another prominent name has come into sharp focus: that of Microsoft, one of the world’s largest, most dominant software companies.
The CrowdStrike incident affected an estimated 8.5 million Windows devices worldwide in industries including finance, airlines, medical, and more within the broader IT ecosystem.
The wild part about this “potentially largest IT outage in history” is that it impacted a mere 1 percent of Windows devices, per Microsoft. Despite this metric, it still had devastating impact, with an estimated $5.4 billion in direct financial losses.
The discussion around risks posed by monoculture — one or a handful of vendors dominating the market — isn’t a new cybersecurity topic. In fact, it’s been discussed for decades. For example, in 2003 security legends Dan Geer and Bruce Schneier, along with others, wrote “CyberInsecurity: The Cost of a Monopoly: How the Dominance of Microsoft’s Products Poses a Risk to Security.” The paper advised that “risk diversification is a primary defense against aggregated risk when that risk cannot otherwise be addressed; monocultures create aggregated risk like nothing else.”
Now, 21 years later, analyses including Microsoft’s Global Sprawl Comes Under Fire After Historic Outage point out how the same issue continues to loom large: “Consolidation and dependence on one provider can be a catastrophic risk to IT systems.”
Microsoft’s Growing Reach
In the recent Morgan Stanley 2Q 2024 CIO survey, several metrics show positive signs for Microsoft. These include:
- Microsoft Azure is hosting 42% of application workloads on the public cloud, with an estimated growth to 49% in three years.
- A growing number of CIOs showing interest in Microsoft’s comprehensive E5 licensing
- Ninety-four percent of CIOs are expecting to use Microsoft’s GenAI products over the next 12 months
These developments have occurred despite numerous high-profile security missteps from Microsoft. These missteps have significantly impacted not only commercial customers but also U.S. federal agencies, have led to Microsoft being labeled a “threat to national security,” and have resulted in its president, Brad Smith, testifying before the U.S. House Homeland Security Committee about Microsoft’s security failures as well as its ties to China. Paradoxically, Microsoft accounts for 3 percent of the entire U.S. federal IT budget.
Smith’s testimony came on the heels of a damning report around Microsoft security incidents and lapses, published by the Cybersecurity Safety Review Board (CSRB), which cited systemic security issues at Microsoft and lack of a robust security culture.
Microsoft also holds the top spot on the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, an inventory federal agencies use to prioritize remediation, with a growing number of commercial organizations adopting a similar remediation approach.
Additionally, it recently came to light from a whistleblower that Microsoft failed to address known security vulnerabilities and weaknesses that were later exploited by Russian hackers to access over 100 companies and U.S. government agencies, including the department that maintains the U.S. nuclear weapons stockpile. It was said that Microsoft ignored the security concerns raised partly because the company was actively pursuing a multi-billion-dollar cloud contract with the Department of Defense (DoD) at the time.
Despite decades-long calls from security professionals and regulators alike over the risks of monoculture, Microsoft’s market dominance only seems to grow.
Final Thoughts
This situation underscores the tension between persistent security concerns and the compelling benefits Microsoft offers, including technical innovation, cost savings, and a comprehensive product portfolio. Despite facing significant security challenges and ethical criticism, Microsoft remains a dominant, albeit polarizing, force in the IT market, with technology leaders worldwide continuing to rely on its products and services.