Date: 2023-06-07

A senior member of Congress has raised concerns over the Department of Defense's decision to rely more and more on Microsoft for cybersecurity tools and services, saying it shuts out other vendors and might pose a security risk.

Newsweek reported last month that many in the Pentagon's own IT leadership had opposed a decision last year to scrap a long-running cybersecurity program that was open to competition and replace it with Microsoft security tools that the Redmond, Wash.-based technology giant bundles with its business software, at a cost of $543 million.

In a letter to Secretary of Defense Lloyd Austin in February, Maryland Democrat Rep. C.A. "Dutch" Ruppersberger, a senior member of the powerful House Appropriations Committee, asked whether that decision to buy the bundle of software and cybersecurity solutions provided best value for the taxpayer or locked the U.S. military into dependence on a single IT provider that cannot match its competitors' performance and will become more and more expensive over time.

"It is critical that DOD pursue a fair and open competition that ensures procurements for cybersecurity solutions are based on technical merits and are not limited to a single one-size-fits-all enterprise solution," Ruppersberger wrote in the February 23 letter, a copy of which was obtained by Newsweek.

Senior Airman Zach Wilt, 49th Communications Squadron cyber operator, installs Microsoft Windows 10 on a laptop at Holloman Air Force Base, N.M., on Nov. 1, 2017. Since 2017, DOD has used Windows 10 on all its 4 million-plus desktop computers. U.S. Air Force Public Affairs/Airman 1st Class Alexis P. Docherty

In a response last week, DOD CIO John Sherman said he shared Ruppersberger's concerns about the possible anticompetitive effects of large enterprise-wide bundled contracts. "We share this concern and we're working towards a long-term balanced strategy," Sherman wrote.

Ruppersberger told Newsweek in an emailed statement that: "I appreciate the response's candor."

"The Department acknowledged that a too-broad enterprise license agreement could lock out better cyber solutions and commits to a fair and open procurement process – and that could include adding acquisition-related language in upcoming legislation," he said, calling on the House Armed Services Committee to explore that option.

Ruppersberger's letter had been prompted by concerns raised by the cybersecurity community in his district of Maryland, which prides itself on being the Cyber Capital of the World, his spokesperson said.

Since 2017, DOD has exclusively used the Microsoft Windows operating system on all its four million-plus desktop computers and is increasingly employing Microsoft's Azure cloud computing services. Most of its 2.1 million active duty and reserve military personnel and 750,000 civilian employees use Microsoft programs such as Outlook or Office for email, calendar, word processing and other administrative tasks. Now it will also use Microsoft Defender for Endpoint (MDE), a set of cyber tools bundled with other software offerings.

Microsoft declined to comment on the concerns raised over its role at the Department of Defense.

DOD officials say security tools that come already integrated into the software they are defending offer important advantages over stand-alone products and say that Microsoft's will serve the Biden Administration's plan to strengthen cybersecurity, backed with a $12 billion budget and known as "Zero Trust".

Zero Trust was adopted after the SolarWinds hack by Russian intelligence operatives in 2020. Although aimed only at civilian agencies, the SolarWinds compromise demonstrated how vulnerable traditional security approaches are to foreign hacking.

In an interview with Newsweek, DOD Deputy CIO David McKeown defended the decision to give Microsoft an increasing role and said the Pentagon could meet most if not all the requirements of Zero Trust by deploying its MDE solution right away. He rejected the idea that it was better to buy multiple cyber tools from different providers.

"Our historical efforts to try to do that integration of various pieces and parts haven't really worked," he said. "We don't want to have to be the integrators any longer," he said, adding that he expected to shutter other cybersecurity programs which duplicated capabilities he could now get from MDE to avoid the need to buy one-off solutions.

McKeown said MDE had been piloted by the U.S. Navy and had provided greater visibility into the network and brought faster response times to security incidents with its built-in automation. He said there was still room for some smaller suppliers to serve the needs of the Defense Department by partnering with one of the large companies that provide cloud services to DOD.

From left, DoD Senior Information Security Officer, David McKeown, Chief of the Department of Defense Zero Trust Portfolio Management Office Randy Resnick, and DOD Spokeswoman U.S. Navy Cmdr. Jessica McNulty hold an off-camera, on-the-record virtual press briefing on the release of the DoD Zero Trust Strategy and Roadmap at the Pentagon, Washington, D.C., on November 22, 2022. U.S. Air Force Tech. Sgt. Jack Sanders/Dept. of Defense

But IT procurement experts have voiced concerns that the DOD's doubling-down on Microsoft might shut out competitors.

There are 250,000 small businesses in the defense industrial base, said John Weiler, CEO of the IT Acquisition Advisory Council, a non-profit that works to improve the way the federal government buys computer goods and services. He suggested that only one or two percent of them might be able to partner with the cloud service providers.

"It's the government's responsibility to ensure full and open competition. That's the law. You can't delegate your decision authority to a third party like a commercial contractor," he said.
