Senator Pushes FTC to Investigate Microsoft

U.S. Democratic Senator Ron Wyden on Wednesday requested the Federal Trade Commission “investigate and hold Microsoft responsible” for its role in a string of high-profile cybersecurity incidents in recent years, saying the company’s approach to security “continues to threaten U.S. national security.”


Wyden wrote in a September 10 letter to FTC Chairman Andrew Ferguson that the tech giant’s “gross cybersecurity negligence” has resulted in ransomware attacks against critical infrastructure, including U.S. health care organizations at least in part due to default configurations in the Windows operating system.


“At this point, Microsoft has become like an arsonist selling firefighting services to their victims,” Wyden wrote, and government agencies and other companies have “no choice” but to use the company’s products due to its “near-monopoly over enterprise IT.”


An FTC spokesperson acknowledged that the agency had received the letter but declined to comment further.


Wyden said a prime example was the May 2024 ransomware attack on hospital operator Ascension, which according to the company exposed private medical and insurance data of nearly 5.6 million people.



Wyden wrote that the hospital operator told his staff that a contractor using an Ascension laptop clicked on a malicious link served up by Microsoft’s Bing search engine, which then allowed the hackers to gain access to the company’s network and ultimately the organization’s Microsoft Active Directory server, which is used to manage user accounts.


Microsoft’s support for outdated encryption technology and default configuration settings set up by Microsoft allowed for the attack approach in the Ascension case, according to Wyden, and Microsoft has not done enough to educate companies about how to mitigate the threat.


A Microsoft spokesperson said Wednesday that RC4, the encryption standard referenced by Wyden, is old and makes up “less than .1% of our traffic,” and that the company discourages customers from using it.


“However, disabling its use completely would break many customer systems,” the spokesperson said, and the company is gradually reducing the extent to which customers can use it while trying to provide warnings and guidance on the safest way to use it.


RC4 will be disabled by default in certain Windows products starting the first quarter of 2026, and the company will include “additional mitigations” for existing deployments, the spokesperson said.


Wyden has previously pushed for U.S. government investigation and review of Microsoft’s role in cyberattacks, including after revelations in July 2023 that Chinese-linked hackers stole thousands of U.S. officials’ emails.
