Microsoft's Secure Future Initiative: "Bullshit!"

With the Secure Future Initiative, Microsoft's bosses promised to make security a top priority. "It's all just security theater," says Jürgen Schmidt.

(Image: Microsoft logo in front of several glass facades. JeanLucIchard/Shutterstock.com/heise medien)

Just last April, Microsoft presented a report in which the company celebrated the implementation of measures to ensure greater security in the company and its products. "Secure by Design" and "Security first" were the whole program. This was a reaction to the fact that an official commission of inquiry (the Cyber Safety Review Board) had previously found the company to be systematically sloppy when it came to IT security.

The Secure Future Initiative (SFI) was supposed to make things better, and the reports did indeed look promising. But now it's time to call bullshit. The SFI turned out to be exactly the Potemkin security facade that many experts had feared.

An opinion by Jürgen Schmidt

Jürgen Schmidt – aka ju – is head of heise Security and Senior Fellow Security at Heise-Verlag. A physicist by training, he has worked at Heise for over 25 years and is also interested in networks, Linux and open source. His current project is heise Security Pro for security managers in companies and organizations.

The reasons for this sobering assessment are two events that allow a look behind the scenes and reveal that nothing has changed at all: Microsoft is sloppy on security and ignores security requirements whenever doing so promises bigger profits.

In May, two Vietnamese security researchers served up two critical vulnerabilities in Microsoft's SharePoint server on a silver platter, including exemplary exploits that demonstrate how they can be used to take over servers completely. It took Microsoft almost two months to release patches on June 8 to fix these vulnerabilities. Worse, the patch for CVE-2025-49706 turned out to be so botched that it could be bypassed by simply appending a / to a URL. The other patch also proved to be an amateurish hotfix on closer inspection. The result: several attacker groups used these loopholes to hijack SharePoint servers. They took over hundreds of servers, and ransomware gangs will continue to profit from this reservoir of easy-to-harvest fruit for months to come.
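The lesson behind the "append a /" bypass is a general one for anyone reviewing a fix: a mitigation that compares a request path as a literal string is brittle, because web servers treat many spellings of a path as equivalent. The following added example (not code from the original column, and not Microsoft's patch) contrasts a naive exact-match block with a check that canonicalizes the path first. The protected path `/admin/sensitive` and the sample requests are constructed for illustration.

```python
"""Brittle vs. canonicalizing path checks (constructed example)."""
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical endpoint that a fix is supposed to deny access to.
DENIED_PATHS = frozenset({"/admin/sensitive"})


def naive_block(raw_url: str) -> bool:
    """Brittle check: denies only an exact string match.

    Any variant spelling (trailing slash, different case, percent
    encoding, dot segments) slips past this check.
    """
    return raw_url in DENIED_PATHS


def canonical_path(raw_url: str) -> str:
    """Reduce a request URL to one canonical path for comparison.

    Steps: drop query/fragment, percent-decode twice (defeats double
    encoding), treat backslash as slash (Windows servers commonly do),
    collapse duplicate slashes and dot segments, strip a trailing slash,
    and lowercase (case-insensitive file systems).
    """
    path = urlsplit(raw_url).path
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    path = posixpath.normpath(path)  # collapses '//', '/./', '/../', trailing '/'
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def hardened_block(raw_url: str) -> bool:
    """Deny when the canonical form of the request matches a denied path."""
    return canonical_path(raw_url) in {canonical_path(p) for p in DENIED_PATHS}


if __name__ == "__main__":
    # Constructed requests: the exact path plus a few equivalent spellings.
    samples = [
        "/admin/sensitive",
        "/admin/sensitive/",          # trailing slash
        "/ADMIN/Sensitive",           # case variant
        "/admin/%73ensitive",         # percent-encoded 's'
        "/admin/../admin/sensitive",  # dot segment
        "/admin/other",               # legitimately different path
    ]
    for url in samples:
        print(f"{url:28} naive={naive_block(url)!s:5} hardened={hardened_block(url)}")
```

Run as a script, the table shows the naive check denying only the first sample while the canonicalizing check denies every variant and still permits `/admin/other`. The design choice is to canonicalize once, centrally, and compare canonical forms on both sides, rather than enumerating bypass spellings in the filter.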

Microsoft was forced to make amends on July 20 and provided SharePoint with new software patches. However, installing the new security updates still did not ensure that previously compromised systems were secure. To achieve this, at least the so-called MachineKey of the IIS server had to be changed. Otherwise, the attackers would still have access with its help. Why didn't the security update also trigger this essential measure? Ask Microsoft! You will probably get just as little of an answer as we did to our questions about this SharePoint issue.

I could rant on for hours about this SharePoint disaster and the self-inflicted incompetence in security matters that it demonstrates, but let's move on to the second data point, which demonstrates Microsoft's outrageous greed: the so-called "digital escorts". The US government has strict requirements for providers who want to offer cloud services to US authorities. The Federal Risk and Authorization Management Program (FedRAMP for short) stipulates that specially trained personnel must look after the servers that provide these services. And because the data on these servers is confidential and security-relevant, these administrators must also hold a special security clearance that is only granted to US citizens.

Such personnel are in short supply and correspondingly expensive. It's not that Microsoft can't afford them. These FedRAMP government contracts are extremely well paid precisely because of the quality required. They are the prime cuts of the cloud market that every cloud provider is licking its chops for. But what is Microsoft doing? As ProPublica recently uncovered, it hired cheap admins abroad who hold the necessary certificates for server administration, and put ex-military personnel with security clearance at their side, also hired for minimum wages.

These escorts were then supposed to carry out the actions specified by the trained admins abroad and, at the same time, to monitor what those admins were doing. But they were not sufficiently qualified for this. "Proven knowledge in the administration of Windows servers, domain servers, supporting desktops, desktop applications and Active Directory" are listed in a job advertisement for a "DoD Secret Cleared Escort" merely as dispensable "nice to have" skills. Ultimately, they were copying and pasting command sequences or executing scripts they didn't understand. "We trust that what they're doing is not malicious, but we can't say for sure," ProPublica quotes an escort it interviewed.

In this way, Microsoft is saving millions on staff and has seemingly satisfied the letter of FedRAMP: only US citizens with security clearance are tampering with the cloud servers of US authorities. The fact that this has now blown up in their faces is again thanks to their greed. They did not limit themselves to cheap IT specialists from the Five Eyes or perhaps the EU. They apparently took the cheapest available – even if they lived in China. You read that correctly: In fact, Chinese IT specialists were administering the cloud servers of the US Department of Defense, among others. What could possibly go wrong?


Now, of course, the outrage is huge; even US Secretary of Defense Pete Hegseth is ranting about “cheap Chinese labor”. And Microsoft's Chief Communications Officer, Frank Shaw, asserts that they will ensure that no more engineers based in China are employed. But note: only the Chinese are excluded; IT workers from India, Vietnam and so on would still be okay. I'm waiting every minute for the announcement that the overworked digital escorts will be assigned a specially trained AI co-pilot in the future.

These two specific examples are certainly not isolated cases, but rather glimpses behind the carefully crafted scenes, and they prove the point: The Secure Future Initiative is just security theater to keep up appearances, nothing more. When it comes to money, no trick is too embarrassing for Microsoft, no cutback too counterproductive, and no risk too high, as long as it affects others. As a customer, you should know that and act accordingly.

Jürgen Schmidt originally wrote this commentary for the exclusive newsletter of heise security PRO, where every week he puts events in the IT security world into perspective for security managers in companies:

(ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.