Microsoft Defied Regulators Before System Crash

A little more than a year before Friday’s systems outage triggered global chaos across the banking, airline and emergency services sectors, Microsoft defied regulators investigating the risks of a handful of cloud computing companies controlling the world’s technology infrastructure, according to documents reviewed by The Lever.

“Regulators should be careful to avoid any intervention that could disrupt competitive offerings that have driven the explosive innovation and growth attributed to the cloud,” the company wrote in response to a 2023 Federal Trade Commission review of the security practices and interoperability protocols used by cloud computing companies.

The agency questioned whether the companies were “investing sufficient resources in research and development” of the systems on which the economy and government rely.

Microsoft blames this week’s global cloud outages on an update from CrowdStrike, a cybersecurity firm whose software protects against hacking. The debacle comes two days after federal agencies released new guidance that further warns that Big Tech’s consolidation of cloud services could put consumers at serious risk. It also came a day after Microsoft’s cloud services experienced a separate outage in some parts of the United States.

“This is an outage caused by CrowdStrike. It would be inaccurate to report this as a Microsoft outage,” the company said in a statement to The Lever. “The CrowdStrike update was responsible for taking multiple IT systems offline worldwide. We are actively supporting customers to help them recover.”

CrowdStrike did not respond to a request for comment.

“Today, it is all too common for a single fault to bring down an entire system, affecting industries such as healthcare, airlines, banks and car dealers,” wrote Lina Khan, chairwoman of the Federal Trade Commission, whose agency led the investigation into the cloud-computing industry. “Millions of people and companies are paying the price. These incidents expose how concentration can create fragile systems.”

At the root of the problem, regulators and researchers say, is Big Tech’s consolidation of cloud services, a technology that allows consumers to store computer information in massive data centers rather than on-premises. Just three companies — Amazon, Microsoft and Google — control 65 percent of the cloud market, according to a report published on July 18 by CloudZero, an expense management platform.

Microsoft and CrowdStrike also dominate the endpoint security market, which provides cybersecurity for devices such as desktops, laptops, and mobile devices. As of 2022, the two companies controlled more than 30 percent of the market.

This consolidation contributed to a simple mistake on Friday.

“We had a cascading collapse of all these companies, banks, the London Stock Exchange, all these airlines had to be grounded because of this one mistake,” said Zane Griffin Talley Cooper, a researcher at the University of Pennsylvania who studies digital infrastructure. “And that’s because the internet had become so centralized in the hands of four or five big companies.”

“This model will make catastrophic failures of this type happen more and more often,” he added.

Regulatory control is increasing

In March 2023, the Federal Trade Commission announced a large-scale study of the business practices of cloud service providers. The agency looked at “market forces, business practices that affect competition, and potential security risks,” asking for comments from companies and the public.

In its response to the Federal Trade Commission investigation, Microsoft said the cloud services market remains strong and warned that regulations could affect “billions of dollars” of investment.

The company also suggested that the Federal Trade Commission’s intervention “could impact the quality of these solutions and the pace of innovation, and ultimately, could harm the position of American companies in the global arena.”

Public Citizen, a non-profit consumer rights organization, warned the Federal Trade Commission in 2023 that the market dominance of Amazon, Microsoft and Google in the cloud services sector poses a threat to the economy.

“A single cloud provider lock-in represents a structural weakness in the entire economy that could cause even greater harm to consumers in the future,” the group wrote in June 2023.

On Wednesday — just two days before the global outage — the Treasury Department, along with the Consumer Financial Protection Bureau and other federal agencies, warned that the industry’s heavy reliance on a small number of cloud providers makes it susceptible to widespread failures and disruptions.

The Treasury Department also published a package of guidelines for banks and financial institutions in response to its report from February of last year, which raised alarms about the potential risks of a heavily consolidated market. The report said an outage like Friday’s “could impact multiple financial institutions or U.S. consumers” and recommended additional oversight, such as inspections of third-party service providers.

Rohit Chopra, head of the Consumer Financial Protection Bureau, said on Friday that the outages were just a taste of the devastation that such a failure could cause in the financial sector. His agency warned that future incidents could further “freeze part of the payment infrastructure or completely suspend other key services.”

“There are only a few large companies dedicated to cloud services, which are what most of the economy relies on today,” Chopra said on CNBC. “We’re witnessing some of the potential consequences of sectors of the economy becoming truly dependent on a handful of cloud companies and other key systems.”

He added that Friday’s outage was just a preview of what could go wrong in extreme cases of corporate consolidation and deregulation.

“Let’s break up this cloud consortium”

The first reports of the failure appeared early Friday morning, as computers running the Microsoft Windows operating system stopped working all at once. The problem stems from a system update pushed out by a company called CrowdStrike, a cybersecurity provider that protects against hackers in sectors ranging from airlines to banking — and was previously known for its involvement in the 2016 investigation into the Russian attack on the Democratic National Committee.

CrowdStrike quickly announced that it had identified the issue with the update and began deploying a fix, but added that fixes may take several hours.

“We are aware of this issue and are working closely with CrowdStrike and the industry to provide customers with technical guidance and support to help them safely recover their systems,” Satya Nadella, CEO of Microsoft, posted on X.

Microsoft, which was one of the early pioneers of cloud computing software, controls a staggering 85 percent of the federal government’s productivity software and an even larger share of its operating systems.

But the Big Tech giant has a history of opposing cybersecurity measures. In 2016, the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation published a joint rulemaking notice on the need to tighten the rules on “enhanced cyber risk management standards for large and interconnected entities.”

The proposed rules would have “significant implications not only for the financial services industry, but also for third-party entities like Microsoft,” the company said in a comment letter. It also raised concerns about the new regulations and added that cloud providers offer better service and cybersecurity than traditional on-premises storage centers.

The rule was withdrawn in March 2019.

Agencies and Congress have repeatedly tried and failed to strengthen cybersecurity regulations. Over the past three years, lawmakers have introduced at least four legislative initiatives to allay these concerns, although no solution has been adopted to date.

In February of this year, the federal Cybersecurity and Infrastructure Security Agency also announced that it is renewing its task force on managing risks to the global information and communication technology supply chain, which is critical for protecting computer hardware, software and applications.

The companies themselves were clearly aware of the potential dangers of over-reliance on cloud-based systems.

In a 2023 comment letter to the Consumer Financial Protection Bureau regarding a proposed regulation aimed at tightening restrictions on personal data, CrowdStrike — the cybersecurity firm responsible for Friday’s outage — argued that the biggest cybersecurity threat is not software supply chain issues but hackers.

“In our view, the most serious threat to data likely comes from bad actors acting illegally, leading to data breaches, cyberattacks, exploits, ransomware attacks, and other forms of consumer data exposure,” CrowdStrike wrote.

In its latest 10-K annual report, CrowdStrike expressed concerns about threats from hackers and resulting system outages. The company told investors that the “consolidation of siloed products” is a concern because “integrating and maintaining multiple products, data, and infrastructures across highly distributed enterprise environments” creates “blind spots that attackers can exploit.”

In its 2023 annual report to shareholders, Microsoft also expressed the view that “providing (its) customers with more cloud services and solutions puts a premium on the resilience of (their) systems.”

Yet companies have worked hard to prevent regulators from taking steps to address these risks.

Microsoft is one of the largest investors in the country, ranking in the top 100 corporations. This year, the company spent more than 5 million dollars on campaign donations and lobbying lawmakers and regulators. Microsoft has lobbied Congress, the Federal Trade Commission, the Treasury Department, the White House Executive Office and other regulators on matters including “cloud computing policy issues,” disclosures show.

“What we really need,” said Cooper, the University of Pennsylvania researcher, “is regulators who will break up this cloud consortium of four or five companies and help separate the management of the internet backbone across many different companies.”