Senator Urges FTC Investigation into Microsoft over “Gross Cybersecurity Negligence”
The Federal Trade Commission is facing calls to investigate Microsoft’s cybersecurity practices following accusations of “gross negligence” from U.S. Senator Ron Wyden. The senator’s concerns center around the company’s continued support for an outdated encryption method, RC4, which he alleges leaves systems vulnerable to ransomware attacks.
Senator Wyden’s office conducted an investigation into the 2023 ransomware attack on healthcare provider Ascension, revealing that the continued support of the RC4 encryption cipher was a notable contributing factor to the breach. According to the senator, a single compromised account (in this case, a contractor clicking a malicious link) allowed hackers to exploit the weak encryption and ultimately steal the sensitive data of 5.6 million patients.
The Vulnerability: RC4 and “Kerberoasting”
RC4, or Rivest Cipher 4, was developed in 1987 and initially considered a secure encryption method. However, it was compromised in 1994 following a leak of its technical specifications. Despite this, RC4 remained in widespread use for years and is still utilized by Microsoft to secure Active Directory, a key component of Windows systems used for managing user accounts.
While Windows defaults to the more secure AES encryption, Senator Wyden’s office discovered that Windows servers continue to respond to RC4-based authentication requests. This creates an opening for a technique known as “Kerberoasting,” where attackers exploit the encryption weakness on a single machine to gain administrative privileges and spread ransomware across an entire network.
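A defender-side check that follows from the point above, added here as an example that is not from the article or from Microsoft: it scans a constructed export of Windows Security Event 4769 (service ticket requested) records for tickets issued with the RC4 encryption type (0x17) and flags accounts that obtained such tickets for many services at once, which is the pattern to alert on and identifies the service accounts to move to AES-only first. The key=value line format and the account and service names are assumptions; the 4769 field names and encryption type codes are the real ones.

```python
"""Flag Kerberos service-ticket (Event ID 4769) requests that negotiated RC4.
Added example, not the article's or Microsoft's code. Input is a constructed
key=value-per-line export; field names mirror the real 4769 fields, records are invented."""
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC; AES is 0x11/0x12
# Constructed sample: one account pulling RC4 tickets for several service
# accounts, beside ordinary AES traffic and a lone legacy RC4 client.
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=FS01$ TicketEncryptionType=0x12
EventID=4769 TargetUserName=ctr17@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17
EventID=4769 TargetUserName=ctr17@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17
EventID=4769 TargetUserName=ctr17@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17
EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12
EventID=4769 TargetUserName=legacyapp@CORP.EXAMPLE ServiceName=svc_print TicketEncryptionType=0x17
EventID=4768 TargetUserName=bob@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12
"""

def parse_tgs_events(text):
    """Parse the export, keeping only 4769 (service ticket requested) events."""
    events = []
    for line in text.splitlines():
        if line.strip():
            fields = dict(pair.split("=", 1) for pair in line.split())
            if fields.get("EventID") == "4769":
                events.append(fields)
    return events

def is_rc4(event):
    return event.get("TicketEncryptionType", "").lower() == RC4_HMAC

def rc4_share(events):
    """Fraction of service-ticket requests that used RC4: the number to measure
    in your own domain against Microsoft's 'less than 0.1%' claim."""
    return sum(map(is_rc4, events)) / len(events) if events else 0.0

def rc4_services_by_user(events):
    """Map each requesting account to the services it obtained RC4 tickets for.
    krbtgt is skipped: that is a TGT renewal, not a service account ticket."""
    per_user = defaultdict(set)
    for e in events:
        if is_rc4(e) and e.get("ServiceName") != "krbtgt":
            per_user[e["TargetUserName"]].add(e["ServiceName"])
    return dict(per_user)

def suspicious_requesters(events, min_services=3):
    """Accounts holding RC4 tickets for at least min_services distinct services.
    A single RC4 ticket usually means a legacy client; one account collecting
    them for many services at once is what deserves an alert."""
    return sorted(u for u, s in rc4_services_by_user(events).items() if len(s) >= min_services)
```

On a real domain, feed the same functions the 4769 events exported from the domain controllers' Security log; the accounts and services the check names are the first candidates for an AES-only encryption type setting.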
“As a result of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection,” Senator Wyden stated.
Microsoft’s Response and Allegations of Profiteering
Microsoft acknowledged the vulnerability and stated that RC4 currently accounts for less than 0.1% of its network traffic. The company claims it discourages the use of RC4 through documentation and is working towards its eventual removal, with plans to disable it by default for new installations of Active Directory domains using Windows Server 2025 in the first quarter of 2026. It also indicated plans for additional mitigations for existing systems.
However, Senator Wyden is critical of the slow pace of action and accuses Microsoft of prioritizing profit over security. He alleges the company has built a “multibillion dollar secondary business selling cybersecurity add-on services” to organizations forced to address vulnerabilities in Microsoft’s own software.
“The Ascension hack illustrates how it is Microsoft’s customers, and, ultimately, the public, who bear the cost of Microsoft’s dangerous software engineering practices and the company’s refusal to inform its customers about the pressing need to adopt important cybersecurity safeguards,” the senator continued. “At this point, Microsoft has become like an arsonist selling firefighting services to their victims.”
Calls for Accountability
Senator Wyden’s letter urges the FTC to investigate Microsoft and hold the company accountable for delivering what he describes as “dangerous, insecure software” to both government entities and critical infrastructure, including the healthcare sector. The senator believes Microsoft’s actions have caused “serious harm” and warrant federal scrutiny.
Microsoft maintains that it is committed to improving security and is actively engaging with Senator Wyden’s office to address the concerns. The outcome of the FTC investigation remains to be seen, but the case highlights the ongoing tension between software vendors, cybersecurity risks, a
