Google has publicly challenged Microsoft’s security capabilities. This challenge comes after a number of recent high-profile breaches.
The challenge warns that businesses might wish to consider a more secure alternative, like Google Workspace.
Google Has Released a Security Paper
Google has released a paper that begins with a very blunt statement targeted directly at Microsoft: “In the wake of significant cybersecurity incidents with Microsoft, Google Workspace offers a safer choice.”
With the timing of this paper, Google is looking to capitalize on Microsoft’s misfortunes. It has been a challenging year for Microsoft, as the tech giant has experienced a series of well-publicized breaches involving its enterprise solutions.
U.S. Cyber Safety Review Board Ruling
The U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) investigated Microsoft in the wake of these security incidents.
While Microsoft looks to position its enterprise solutions as being security conscious, the CSRB report instead speaks to prolonged, systemic issues and a corporate culture that deprioritizes both “enterprise security investments and rigorous risk management.”
The Storm-0558 Incident
The report particularly highlights Microsoft’s failings during the Storm-0558 incident in the summer of 2023.
In this cyber attack, a state-backed Chinese threat actor group known as Storm-0558 carried out a hacking campaign that targeted government officials. They successfully compromised the accounts of senior U.S. and U.K. government officials, gaining access to the mailboxes of 22 organizations and more than 500 individuals. This gave them sight of tens of thousands of emails.
Multiple Security Failures
This was obviously a huge, potentially damaging failure. The independent review commissioned by President Biden was heavily critical of Microsoft.
The crux of the attack was that Storm-0558 acquired a stolen signing key that essentially granted them access to any Exchange Online account they wished. The report describes a “cascade of failures” on Microsoft’s part and a “lax corporate culture” regarding security as contributing to the incident.
These Aren’t Microsoft’s Only Security Incidents
The Storm-0558 attack wasn’t the only high-profile Microsoft data breach that Google highlighted in its paper. A separate Microsoft data breach occurred just a few months later.
The Google paper criticized Microsoft for the infiltration by Midnight Blizzard, a Russian-linked group, just a few months after the Storm-0558 incident. Midnight Blizzard successfully compromised a number of Federal Civilian Executive Branch (FCEB) agency email accounts.
An Ongoing Security Failure
The report highlighted that Microsoft stated this attack was still ongoing five months after the initial breach. When giving a security update on the matter, Microsoft was unable to provide a timeline for resolution.
This left top-tier Microsoft communications exposed to attackers for months. What’s painfully ironic is that Microsoft itself put out a warning about Midnight Blizzard as far back as 2021.
Google’s Criticism of Microsoft
Google has not held back with its criticism of Microsoft’s failures, but all these failures fall in line with the CSRB’s own concerns.
The CSRB paper noted that Microsoft was unable to provide details of how Storm-0558 was able to infiltrate its systems. Google questions whether Microsoft can ensure an incident like this won’t happen again if it can’t even say how it happened in the first place.
Keeping the Public Informed
The CSRB report also highlighted a lack of transparency from Microsoft in its response to the Storm-0558 intrusion. Beyond this, the report states that Microsoft failed to correct inaccurate public statements.
Google’s paper raises both of these criticisms over communication. In stark contrast, Google disclosed to the public that certain Gmail accounts had been compromised when it was the victim of a major cyber attack in 2009.
A Safer Path With Google Workspace
There is an obvious motive behind Google creating a paper to highlight Microsoft’s security failings — to position its own enterprise suite, Workspace, as the better, more secure alternative.
Google describes Workspace as a safer alternative to Microsoft, citing a proven track record of engineering excellence and a transparent culture that accepts the “profound responsibility” of ensuring security for customers.
Microsoft’s Secure Future Initiative
This language in particular seems a pointed attack on Microsoft, mirroring the language used in the CSRB report. This isn’t the only such direct posturing against Microsoft from Google.
Google launched its Secure Alternative Program alongside the paper. This offers discounted rates on the Google Workspace Enterprise Plus package and the AI-powered Mandiant incident response service to customers who make the switch. The name seems a direct challenge to Microsoft’s AI-driven Secure Future Initiative.
A Win for Google Over Microsoft?
Google has been extremely opportunistic with this paper, looking to gain a reputational advantage over Microsoft off the back of recent high-profile security failings.
But Google isn’t saying anything that isn’t true. Microsoft has had security issues and faced government criticism for its handling of these incidents. Couple that with Google’s positive track record in handling cyber-security incidents, and they might be able to influence public perception. People may think that Microsoft perhaps can’t be fully trusted to secure customer data and that Google is indeed a safer alternative.