Google has published a blog post implicitly criticising Microsoft’s “security failures” in recent years while urging reform around security in the US public sector.
Prompted by last month’s report by the US Cyber Safety Review Board (CSRB) that castigated Microsoft for “deprioritising” enterprise security, which also galvanised Microsoft executives to tie fulfilling the company’s security objectives to their compensation packages, Google suggests it can offer an alternative.
The CSRB suggested that Microsoft should have been better equipped for Chinese hackers breaching US government emails through its Microsoft Exchange Online software in July 2023 in the Storm-0558 cyberattack.
In a joint blog post, Charley Snyder, Head of Security Policy at Google, and Jeanette Manfra, Senior Director of Global Risk & Compliance at Google Cloud, wrote:
“The recent US Cyber Safety Review Board (CSRB) report detailing significant security failures and systematic weaknesses in a longstanding vendor reaffirms these risks. The report also comes during an ongoing breach by a state-sponsored threat actor against the same vendor. It’s clear these problems are not going away.”
Google, which doesn’t namecheck Microsoft explicitly in the blog and only ever refers to the business as “the vendor”, says that public sector bodies should use “systems and products that are secure-by-design”, which would notably echo new principles it has recently adopted. It also advises that public sector entities regularly undergo security recertification for their tech products and services and “give security a seat at the procurement table”.
Google also suggests that governments avoid “using the same vendor for operating systems, email, office software, and security tooling” to “mitigate monoculture”. Microsoft provides all these services to its enterprise customers, pertinently the US government and the wider public sector.
Google ended its blog by announcing a new Google Workspace offering to provide US public sector organisations with more options. To facilitate this switch, Google says it’s offering favourable pricing for qualifying public sector customers on Workspace Enterprise Plus, Assured Controls Plus, Chrome Enterprise Premium and providing training and migration assistance.
Microsoft has been scorned in recent years for its perceived lax security infrastructure. In October, compromised Skype accounts were used to spread the DarkGate malware, while Microsoft Teams was also targeted.
In November, Russian hackers breached Microsoft’s defences, accessing the email accounts of several senior leadership team members and stealing source code. The attack went undetected by Microsoft for nearly two months and was only discovered in January.
Google Gemini and Security
Earlier this month, Google introduced Google Threat Intelligence, which combines an in-depth view of threats with Gemini’s AI capabilities to “supercharge” the process.
Gemini, formerly Bard, is Google’s multimodal large language AI model deployed to identify security threats and produce summaries of its findings. The new security solution was announced at the annual RSA conference for IT security professionals, held in San Francisco from May 6th to 9th, 2024.