Springfield Standard

Tuesday, November 5, 2024

Senators question Pentagon's reliance on single vendor after major cyber breaches

Senator Eric Schmitt | U.S. Senator Eric Schmitt

Recently, Senator Eric Schmitt and Senator Ron Wyden (D-OR) sent a letter to the Department of Defense (DoD) raising serious concerns about leaked draft guidance that calls for the mandatory use of Microsoft E5 across all DoD components. The letter also presses CIO John Sherman on the DoD’s strategy for ensuring robust cybersecurity that encourages competition and innovation among vendors.

“Although we welcome the Department’s decision to invest in greater cybersecurity, we are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs, and better outcomes related to cybersecurity. Cybersecurity should be a core attribute of software, not a premium feature that companies upsell to deep-pocketed government and corporate customers. The Department of Defense is one of the largest purchasers of cybersecurity services. Through its buying power, DoD’s strategies and standards have the power to shape corporate strategies that result in more resilient cybersecurity services. When the DoD demands sophisticated cybersecurity products, there are not only positive effects across the U.S. government but also beneficial consequences across the public and private sector. The Department of Defense’s pursuit of an anti-competitive strategy results in wasted taxpayer dollars and promotes a stagnant environment for innovation that has negative spill-over effects far beyond the federal government,” reads the letter.

“The risks associated with the government’s dependence on Microsoft were evident when a hacking group associated with the Chinese government known as Storm-0558 successfully compromised 22 enterprise organizations and over 500 individuals globally due to what the Cyber Safety Review Board (CSRB) described as ‘a cascade of failures’ by Microsoft. According to press reports, in May 2023, Storm-0558 successfully exploited vulnerabilities across email systems used by the U.S. State Department, U.S. Department of Commerce, and the U.S. House of Representatives. Those same press reports reveal that hackers accessed thousands of sensitive emails by high-level officials, including the Secretary of Commerce and high-ranking officials at the Department of State among others,” continues the letter.

“As our national security becomes more intertwined with technology, it is imperative Congress and the DoD work together to ensure robust cybersecurity practices. We appreciate your attentiveness to these concerns, as well as your prompt response to these questions,” concludes the letter.

Specifically, their offices request responses to several questions:

1. The Department of Defense has had 180 days since enacting FY 2024 NDAA to comply with Section 1553's cybersecurity reporting requirement. As Chief Information Officer of the Department, when do you plan to release the required report and provide a briefing?

2. Please explain DoD’s technical justification process which led to mandating deployment of all Microsoft E5 security solutions.

3. What consideration was given regarding reliance on one company for productivity, collaboration, security, cloud, and OS needs?

4. Is there any plan for providing guidance for interoperability with other cybersecurity vendors?

5. What is your plan for ensuring a multi-vendor approach?

6. Describe DoD’s efforts toward increasing secure open-source software usage per its 2018 Cyber Strategy.

7. How much financial support has DoD provided for maintaining and improving open-source software projects used by DoD in each of the last three fiscal years?

8. Has Microsoft fulfilled its promise post-Storm-0558 hack to provide free enhanced security logs rather than restricting them?

9. What is your rationale behind requiring DoD components to begin implementing E5 by June 3, 2024?

In September 2023, it was reported that Chinese hackers had successfully breached Microsoft's email platform and stolen thousands of emails from several high-level U.S. officials.

Read full letter here.
