Federal Cyber Experts Called Microsoft's Cloud a 'Pile of Shit' — Approved It Anyway
A ProPublica investigation has revealed that federal cybersecurity evaluators described one of Microsoft's flagship cloud computing products as a "pile of shit" due to inadequate security documentation — yet approved it for government use anyway. The revelation highlights the deep dysfunction in how the US government procures and evaluates technology.
The Evaluation
In late 2024, federal cybersecurity reviewers assessed Microsoft's cloud offering and found:
- Inadequate documentation: Microsoft's "lack of proper detailed security documentation"
- No confidence: Reviewers expressed "lack of confidence in assessing the system's overall security posture"
- Years of failure: Microsoft had "tried and failed to fully explain how it protects sensitive information"
Despite these damning findings, the product was approved for government use.
The Context: Microsoft's Security Record
The approval came despite Microsoft's products being at the center of two major cyberattacks against the US in three years:
- SolarWinds (2020): Russian hackers exploited Microsoft vulnerabilities to steal data from multiple federal agencies
- China hack (2023): Chinese state hackers accessed US government email through Microsoft cloud
These breaches compromised sensitive communications at the State Department, Treasury, and other agencies.
Why Was It Approved?
ProPublica's investigation suggests several factors:
- Vendor lock-in: The government is too dependent on Microsoft to reject its products
- Bureaucratic inertia: The procurement process makes it extremely difficult to disqualify major vendors
- Political pressure: Microsoft is one of the largest federal contractors
- No alternatives: The government lacks viable alternatives for many Microsoft products
The Broader Problem
This case illustrates systemic issues in government technology procurement:
- Security theater: Reviews happen but findings don't block approvals
- Capture: Procurement officials may face career incentives to approve rather than reject
- Scale mismatch: Government security teams are outmatched by vendor sales and lobbying efforts
- Classification: Critical security findings may be classified, limiting public accountability
Microsoft's Response
Microsoft has acknowledged past security shortcomings and announced a "Secure Future Initiative" to improve its security practices. However, the company's market dominance means government customers have limited leverage to demand improvements.
Source: Ars Technica | ProPublica Investigation