The U.S. government is losing trust in Microsoft

Welcome to Runtime! Today: how a scathing government report about Microsoft's security culture could shape cloud competition, Cohere courts enterprise customers with a new model, and the latest moves in enterprise tech.

Talk about zero days

Security experts were sounding warnings about Microsoft's cloud security strategy long before it revealed last year that Chinese hackers broke into several U.S. government email accounts managed by the company. But new information about the cause of, and the response to, the incident puts the problem into sharp relief, and when one of your most important customers lays out in detail just how bad things have gotten, other customers are sure to notice.

The Cyber Safety Review Board issued a damning report Tuesday about the missteps that led up to last summer's discovery of one of the most serious breaches in Microsoft's history. Most of the details were already known, but the report chastised Microsoft for dragging its heels before correcting "inaccurate public statements" about the cause of the incident months later.

  • Last year Microsoft revealed that a hacking group widely believed to be associated with the Chinese government somehow obtained a sensitive authentication key and broke into Microsoft-managed accounts to steal sensitive U.S. government information.
  • Microsoft initially told customers that it believed the key had been stolen after a "crash dump" file (which normally records only the state of a process at the moment it failed, but in this case also contained the extremely sensitive signing key) was moved out of an isolated Microsoft network to an internet-connected corporate network.
  • But despite disclosing to the CSRB in November 2023 that it actually had no idea how the key was stolen, Microsoft didn't update its public statements to that effect until last month as the review board prepared to issue its report.
  • "The Board is troubled that Microsoft neglected to publicly correct this known error for many months," it said in the report.

Most enterprise tech buyers understand that no one is immune to a security lapse, but there's an implicit bargain in that understanding that vendors will come clean when those lapses occur.

  • "Left with the mistaken impression that Microsoft has conclusively identified the root cause of this incident, Microsoft’s customers did not have essential facts needed to make their own risk assessments about the security of Microsoft cloud environments in the wake of this intrusion," the board wrote in its report.
  • The report made clear that U.S. government agencies came out of this incident with less trust in Microsoft's security practices than they did going in: "Taken together, [the incidents] point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security," it said.
  • Government contracts have long been proving grounds for cloud companies: AWS's 2013 deal with the CIA put it on the map with corporate customers who figured if the CIA trusts them, why shouldn't we?
  • This report lays out in writing why the U.S. government is no longer sure that Microsoft's security practices meet its standards, and if the government doesn't trust them, why should we?

Whatever policies Microsoft implemented last November as part of its Secure Future Initiative don't seem to have made an impact with the CSRB five months later.

  • Microsoft hired former AWS executive Charlie Bell in 2021 to overhaul its cloud security culture, but as early as the following year he was reportedly having trouble driving change, and the CSRB did not identify any signs of improvement as of April 2024.
  • Cloud providers face countless security threats every day, and for the most part do a heroic job keeping out of the spotlight by dealing with them before they impact customers.
  • Microsoft, however, keeps finding itself in this situation, and at some point its obsession with riding OpenAI's coattails might need to take a back seat to regaining the trust of its customers.

Doin' that RAG

Cohere declared Thursday that it wants to be the enterprise LLM provider, launching a new model called Command R+ that it said was designed specifically around the needs of business customers. It also said the new model outperforms GPT-4 Turbo when working on business-oriented tasks, theoretically allowing the enterprise buyer to have their cake and eat it too.

"We do not have a cash-burning consumer chatbot; never have and never will," Cohere chief operating officer Martin Kon told Bloomberg, and let's all bookmark that statement for the future. Instead, Command R+ focuses on improving retrieval-augmented generation tech to reduce hallucinations in business applications and works across a number of different languages that multinational businesses encounter every day.

The company said that Command R+ is also cheaper to use than OpenAI's GPT models, which could be a selling point even if the performance claims don't track perfectly across the needs of every business. It will be available first through Microsoft Azure, which continues to show signs that it wants to diversify its generative AI strategy beyond OpenAI.

Enterprise moves

Kunal Anand is the new executive vice president and chief technology officer at F5, and Lyra Schramm is the new executive vice president and chief people officer at the security and networking company.

Louis DiModugno is the new global chief data officer at Verisk, joining the data analytics company following similar roles in the insurance industry.

The Runtime roundup

Google Cloud's parent company is kicking around the idea of buying Hubspot, which would add enterprise marketing software to its portfolio for around $35 billion, according to Reuters.

Omni Hotels confirmed that a cyberattack is to blame for a multiday outage across its hotel empire, an incident that recalls the massive MGM hack from last year.

Splunk's lawsuit against Cribl is set to head to trial next week, a dispute over whether Cribl violated Splunk's terms of service by offering a product that reduces the amount of money customers spend on Splunk's services.

DataStax acquired Logspace, a startup working on a low-code tool for building RAG into generative AI applications, for an undisclosed amount.

AWS snapped up 234 acres near Columbus, Ohio, as part of plans to expand the Ohio cloud region it launched in 2016.

Ivanti CEO Jeff Abbott apologized to customers and promised to overhaul its security practices after a series of breaches linked to flaws in its security and asset-management software products.

Thanks for reading — see you Saturday!