Google Criticises Microsoft’s ‘Security Failures’, Urges US Public Sector Reform

Google has published a blog post saying the US's public sector should branch out from ‘a single technology vendor’ in Microsoft


Published: May 21, 2024

Kieran Devlin

Google has published a blog post implicitly criticising Microsoft’s “security failures” in recent years while urging reform around security in the US public sector.

Prompted by last month’s report by the US Cyber Safety Review Board (CSRB) that castigated Microsoft for “deprioritising” enterprise security, which also galvanised Microsoft executives to tie fulfilling the company’s security objectives to their compensation packages, Google suggests it can offer an alternative.

The CSRB suggested that Microsoft should have been better equipped for Chinese hackers breaching US government emails through its Microsoft Exchange Online software in July 2023 in the Storm-0558 cyberattack.

In a joint blog post, Charley Snyder, Head of Security Policy at Google, and Jeanette Manfra, Senior Director of Global Risk & Compliance at Google Cloud, wrote:

“The recent US Cyber Safety Review Board (CSRB) report detailing significant security failures and systematic weaknesses in a longstanding vendor reaffirms these risks. The report also comes during an ongoing breach by a state-sponsored threat actor against the same vendor. It’s clear these problems are not going away.”

Google, which doesn’t namecheck Microsoft explicitly in the blog and only ever refers to the business as “the vendor”, says that public sector bodies should use “systems and products that are secure-by-design”, which would notably echo new principles it has recently adopted. It also advises that public sector entities regularly undergo security recertification for their tech products and services and “give security a seat at the procurement table”.

Google also suggests that governments avoid “using the same vendor for operating systems, email, office software, and security tooling” to “mitigate monoculture”. Microsoft provides all these services to its enterprise customers, pertinently the US government and the wider public sector.

Google ended its blog by announcing a new Google Workspace offering to provide US public sector organisations with more options. To facilitate this switch, Google says it’s offering favourable pricing for qualifying public sector customers on Workspace Enterprise Plus, Assured Controls Plus and Chrome Enterprise Premium, and is providing training and migration assistance.

Microsoft has been scorned in recent years for its perceived lax security infrastructure. In October, compromised Skype accounts were hacked to spread the DarkGate malware, while Microsoft Teams was also targeted.

In November, Russian hackers breached Microsoft’s defences, accessing the email accounts of several senior leadership team members and stealing source code. The attack went undetected by Microsoft for nearly two months and was only discovered in January.

Google Gemini and Security

Earlier this month, Google introduced Google Threat Intelligence, which combines an in-depth view of threats with Gemini’s AI capabilities to “supercharge” the process.

Gemini, formerly Bard, is Google’s multimodal large language AI model deployed to identify security threats and produce summaries of its findings. The new security solution was announced at the annual RSA conference for IT security professionals in San Francisco, held from May 6th to 9th, 2024.
