Google has published a blog post implicitly criticising Microsoft’s “security failures” in recent years while urging reform around security in the US public sector.
Prompted by last month’s report by the US Cyber Safety Review Board (CSRB) that castigated Microsoft for “deprioritising” enterprise security, which also galvanised Microsoft executives to tie fulfilling the company’s security objectives to their compensation packages, Google suggests it can offer an alternative.
The CSRB suggested that Microsoft should have been better equipped for Chinese hackers breaching US government emails through its Microsoft Exchange Online software in July 2023 in the Storm-0558 cyberattack.
In a joint blog post, Charley Snyder, Head of Security Policy at Google, and Jeanette Manfra, Senior Director of Global Risk & Compliance at Google Cloud, wrote:
“The recent US Cyber Safety Review Board (CSRB) report detailing significant security failures and systematic weaknesses in a longstanding vendor reaffirms these risks. The report also comes during an ongoing breach by a state-sponsored threat actor against the same vendor. It’s clear these problems are not going away.”
Google, which doesn’t namecheck Microsoft explicitly in the blog and only ever refers to the business as “the vendor”, says that public sector bodies should use “systems and products that are secure-by-design”, which would notably echo new principles it has recently adopted. It also advises that public sector entities regularly undergo security recertification for their tech products and services and “give security a seat at the procurement table”.
Google also suggests that governments avoid “using the same vendor for operating systems, email, office software, and security tooling” to “mitigate monoculture”. Microsoft provides all these services to its enterprise customers, pertinently the US government and the wider public sector.
Google ended its blog by announcing a new Google Workspace offering to provide US public sector organisations with more options. To facilitate this switch, Google says it’s offering favourable pricing for qualifying public sector customers on Workspace Enterprise Plus, Assured Controls Plus and Chrome Enterprise Premium, and providing training and migration assistance.
Microsoft has been scorned in recent years for its perceived lax security infrastructure. In October, compromised Skype accounts were hacked to spread the DarkGate malware, while Microsoft Teams was also targeted.
In November, Russian hackers breached Microsoft’s defences, accessing the email accounts of several senior leadership team members and stealing source code. The attack went undetected by Microsoft for nearly two months and was only discovered in January.
Google Gemini and Security
Earlier this month, Google introduced Google Threat Intelligence, which combines an in-depth view of threats with Gemini’s AI capabilities to “supercharge” the process.
Gemini, formerly Bard, is Google’s multimodal large language AI model deployed to identify security threats and produce summaries of its findings. The new security solution was announced at the annual RSA conference for IT security professionals, held in San Francisco from May 6th to 9th, 2024.