May 30, 2024 - Technology

Exclusive: Senators express "serious concern" with Pentagon's Microsoft plan

Sen. Eric Schmitt (R-Mo.) speaks during a news conference at the U.S. Capitol on Jan. 24. Photo: Drew Angerer/Getty Images

Sens. Eric Schmitt (R-Mo.) and Ron Wyden (D-Ore.) sent a letter to the Pentagon Wednesday expressing "serious concern" with a reported plan to invest in Microsoft product upgrades.

Why it matters: The letter is just the latest example of how tensions have risen between Washington and the tech giant amid the fallout from a pair of nation-state cyberattacks.

What they're saying: "Although we welcome the Department's decision to invest in greater cybersecurity, we are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs, and better outcomes related to cybersecurity," the two senators wrote in the letter to Pentagon CIO John Sherman.

  • "Through its buying power, DoD's strategies and standards have the power to shape corporate strategies that result in more resilient cybersecurity services."

Catch up quick: The Pentagon is weighing requiring all department offices to upgrade to Microsoft's E5 license as part of its zero-trust strategy, according to a draft memo Axios obtained earlier this month.

  • All Pentagon components would need to start upgrading to the new licenses by June 3 and complete the transition by next summer.
  • The Pentagon already widely uses Microsoft's products, and the department only has until the 2027 fiscal year to transition to a lofty zero-trust security strategy — which overhauls what information employees have access to and the level of identity verification needed to access key systems.

The big picture: Microsoft has been facing scrutiny from lawmakers and government officials over its cybersecurity practices since last summer's China hack.

Zoom in: Schmitt and Wyden say they're concerned that the Pentagon is now "doubling down" on a "failed strategy" by increasing its dependence on Microsoft.

  • The letter specifically asks Sherman to answer a set of questions about the proposed plan, including whether the Pentagon has considered working with other cybersecurity vendors.
  • Schmitt is also asking Sherman for an update on when the Pentagon plans to release a congressionally mandated report detailing the "risks and benefits" tied to buying Microsoft's products.

The other side: The Pentagon did not respond to a request for comment.

  • A Microsoft spokesperson directed Axios to an April blog post that "commends" the DoD's approach to its zero-trust strategy and lays out guidance for how Microsoft can support its implementation.

What's next: The senators are hoping to receive answers before the Senate Armed Services Committee starts marking up this year's annual defense policy bill on June 12.
