Feds to Microsoft: Clean up your security act — or else

The US government, worried about the continuing growth of cybercrime, ransomware, and countries including Russia, Iran, and North Korea hacking into government and private networks, is in the middle of drastically changing its cybersecurity strategy. No longer will it rely largely on prodding businesses and tech companies to voluntarily take basic security measures such as patching vulnerable systems to keep them updated.

Instead, it now wants to establish baseline security requirements for businesses and tech companies and to fine those that don’t comply.

It’s not just companies that use the systems who might eventually need to abide by the regulations. Companies that make and sell them, such as Microsoft, Apple, and others could be held accountable as well. Early indications are that the feds already have Microsoft in their crosshairs — they’ve warned the company that, at the moment, it doesn’t appear to be up to the task.

First, let’s delve into the government’s emerging strategy.

The new National Cybersecurity Strategy

In early March, the Biden Administration released a new National Cybersecurity Strategy; it puts more responsibility on private industry and tech firms to follow best security practices such as patching systems to fight newly found vulnerabilities and using multifactor authentication whenever possible.

US regulators have long recommended that tech companies do this. The difference now, according to the New York Times, is that “the new National Cybersecurity Strategy concludes that such good-faith efforts are helpful but insufficient in a world of constant attempts by sophisticated hackers, often backed by Russia, China, Iran or North Korea, to get into critical government and private networks. Instead, companies must be required to meet minimum cybersecurity standards.”