FTC-industry talks over possible Microsoft probe raised recent hacking incidents

The Federal Trade Commission held meetings with tech industry executives to gather information for a possible antitrust probe of Microsoft’s licensing and bundling practices, fueled in part by major hacks linked to the company that occurred last year and in early 2024, according to three people familiar with the matter.

Since last fall, the agency has asked executives to expound on how Microsoft’s licensing and bundling strategies — methods used by the company to package software services that often combine multiple offerings for sale — could serve as justification for an investigation, said the people, who spoke on the condition of anonymity to be candid about the sensitivity of the discussions. 

The meetings occurred as recently as the first quarter of this year, one of the people said, adding that two major cybersecurity incidents involving Microsoft email services from the past year that involved Chinese and Russian hackers have come up in the conversations.

Amazon, Microsoft and Google hold more than 60% of the global market share in the cloud computing space. But Microsoft has secured hefty business with much of the U.S. federal landscape, amounting to billions of dollars in contracts with the government. The federal IT ecosystem, in particular, is predominated with Microsoft’s email offerings.

The company has come under scrutiny over the past year, having faced security breaches that allowed nation-state hackers to exfiltrate thousands of email exchanges from U.S. agencies and officials. The incidents led some agency tech leaders to reshuffle their IT stacks in the event of another cybersecurity episode.

Given the hacks, the FTC is potentially gauging whether the bundled sales models that influence customers to stick with Microsoft risk opening up government systems to further cyber exploitation because the company creates incentives that make it too costly for their customers to move to other competitors, the people said.

A particular hack that came up in the FTC deliberations was carried out by Chinese cyberspies last summer that targeted both senior State Department and Commerce Department officials. It became the subject of a critical report released by a Homeland Security Department oversight board in April that faulted Microsoft for maintaining a culture not focused on cybersecurity best practices, including poor management of signing keys that authenticate user entry into applications.

The other incident raised was when Kremlin-linked hackers earlier this year seized email communications from multiple federal agencies through brute force password-guessing techniques that targeted Microsoft corporate email accounts.

FTC attorneys also asked the executives to detail their experiences running their organizations while competing with Microsoft, in an effort to see whether it was viable to investigate the company, said the people. Questions included how its licensing rules created difficulties for other competitors to enter into the market, including for prospective government clients.

The FTC and Microsoft declined to comment.

Microsoft last month announced an expansion of its Secure Future Initiative meant to overhaul internal managerial practices to mitigate exposures in its products. In a recent briefing with reporters, Microsoft Federal Security CTO Steve Faehl said that the company wants to focus more on collaborating with competitors, some of whom have sought to use the recent Microsoft incidents as leverage to sell their own offerings.

“We know that the U.S. government is a target. We are a target, as a result,” he said. “And we are looking for partnerships to address those threats.”

“This isn’t a company at stake, this is national security at stake,” he later added. “We’re very focused on the work that needs to be done and we believe that those [Secure Future Initiative] gains will be beneficial to all of our customers.”

The FTC last year solicited comments on the business practices of major cloud providers, asking how their activities may impact data security and market competition, though an official investigation connected to that request for information was never announced.

The agency collated the overall findings in November, saying that “outages, or other issues that degrade the service of a cloud provider, could have a cascading impact on the economy or specific sectors” because of the U.S. market’s widespread reliance on a small number of cloud services.

“Such degradations could be the result of an issue inadvertently introduced by a cloud provider, or the result of a targeted attack,” the FTC said at the time. It flagged input from several commenters, saying cloud security models lack “shared responsibility” guidelines that create an environment where both providers and customers don’t implement safeguards aimed at stopping cyberattacks.

The Pentagon is notably pushing its offices to onboard Microsoft E5 licenses as part of a broader zero trust strategy, leading to scrutiny from two senators, Axios first reported last month. The senators — Ron Wyden, D-Ore. and Eric Schmitt, R-Mo. — told Pentagon CIO John Sherman they are “deeply concerned that DOD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs, and better outcomes related to cybersecurity.” 

Wyden last year also asked the FTC to probe Microsoft for potentially engaging in unfair and deceptive business practices linked to the summer 2023 email hack.

An April WIRED report — which cited cybersecurity experts, lawmakers, former government officials and employees of Microsoft’s competitors — said that the U.S. government’s hefty ties to Microsoft are preventing the country from fully shoring up its defenses against cyberthreats.

Clare Martorana, the government’s Chief Information Officer who oversees the federal ecosystem’s IT strategy, called the recent DHS report faulting Microsoft in the Chinese hacking incident “an incredibly thoughtful, methodical investigation” whose findings were “fairly scathing.”

“It takes all of us across the federal government to keep [the country] secure,” she said in an interview with Nextgov/FCW in April.

She declined to say whether her office advised agencies on moving certain systems off of Microsoft products. “We have conversations every single day about how we make our environments as secure as possible. They are broad in nature, but we do not dictate to any federal agency unless we do it as a whole of government.” she said.

The Biden-era FTC and Department of Justice have put tech giants in their crosshairs, but have mainly focused on antitrust and competition practices.

That effort is not limited to the United States. Consumer protection agencies around the world made headlines for months as Microsoft sought to stave off global legal challenges against its acquisition of video game company Activision Blizzard, which critics say would have choked off competition in the gaming industry.

The United Kingdom in October formally launched an investigation into Microsoft and Amazon’s cloud computing practices, alleging the companies contribute “to the lock-in of customers to a single provider” through practices like egress fees, which are charged to users when they transfer data between providers.

Microsoft President Brad Smith is expected to testify before a House panel June 13 on the recent cyber intrusions and remediation steps the company has taken.

Editor's note: This article has been updated to note Smith's upcoming House testimony.