
Attacking rival, Google says Microsoft’s hold on government security is a problem

Microsoft pushed back strongly against the claim from its business rival, calling it “unhelpful.”
Most government agencies have relied on Microsoft Windows and Microsoft Office for years. (Drew Angerer / Getty Images file)

Google is taking aim at Microsoft’s dominance in government technology and security.

Jeanette Manfra, director of risk and compliance for Google’s cloud services and a former top U.S. cybersecurity official, said Thursday that the government’s reliance on Microsoft — one of Google's top business rivals — is an ongoing security threat. 

Manfra also said in a blog post published Thursday that a survey commissioned by Google found that a majority of federal employees believe that the government’s reliance on Microsoft products is a cybersecurity vulnerability.

“Overreliance on any single vendor is usually not a great idea,” Manfra said in a phone interview. “You have an attack on one product that the majority of the government is depending on to do their job, you have a significant risk in how the government can continue to function.”

Microsoft pushed back strongly against the claim, calling it "unhelpful."

The study comes as Google is positioning itself to challenge Microsoft’s dominance in federal government offices, where Windows and Office programs are commonly used. The survey, which talked to 2,600 people in and out of the government, was conducted by the polling company Public Opinion Strategies.

The blog post comes as hackers continue to discover critical software vulnerabilities at an increasing pace across major tech products, but especially in Microsoft programs. Last year, researchers discovered 21 "zero-days" — an industry term for a critical vulnerability that a company doesn’t have a ready solution for — actively in use against Microsoft products, compared to 16 against Google and 12 against Apple.

The most prominent zero-day was used against Microsoft’s Exchange email program, which cybersecurity experts say was first employed by Chinese cyberspies and then quickly adopted by criminal hackers, leading to hundreds of companies becoming compromised.

Manfra joined Google after heading the arm of the Department of Homeland Security that has since become the Cybersecurity and Infrastructure Security Agency.

Microsoft’s corporate vice president of communications, Frank Shaw, shot back at Google for conducting and publishing the study, calling it “disappointing but not surprising” in an emailed statement.

“It is also unhelpful to create divisions in the security community at a time when we should all be working together on heightened alert,” he said, referring to government warnings that the U.S. could see retaliatory cyberattacks from Russia because of its support for Ukraine.

“We will continue to collaborate across the industry to jointly defend our customers and government agencies, and we will continue to support the U.S. government with our best software and security services,” Shaw said.

Microsoft Windows has long been the most popular computer software in the world, and most government agencies have relied on it and Microsoft Office for years. But switching technology companies is no easy feat for an operation of the size and complexity of the U.S. government.

Government software contracts can be worth tens of millions or even billions of dollars for a tech company, and competition for them can be a dogfight.

In the highest-profile government contract competition in years, Microsoft beat out Amazon in 2019 for a $10 billion, decadelong contract to provide cloud computing services for the Defense Department. Amazon sued to block the contract, saying the process had been tainted by then-President Donald Trump’s bias against Amazon founder Jeff Bezos, and the Pentagon withdrew from the process.

The Pentagon said Tuesday that it plans to award up to $9 billion in cloud computing contracts in December. Google has said it wants to contend against Amazon and Microsoft for some of those contracts.

Katie Moussouris, who is the CEO of the cybersecurity company Luta Security and who previously led programs to bolster the Pentagon’s cybersecurity, said that Google’s products are more nimble, but Microsoft has the advantage of years of experience integrating complicated systems together.

“They’re faster in certain ways, because they have fewer products and less legacy code,” Moussouris said of Google. “However, they may end up destabilizing things that are by nature complex. Microsoft had to learn those lessons way back in the early 2000s and Google hasn’t had to yet.”

Google's study found that federal employees are more concerned about reliance on Microsoft as a potential entry point for hackers than the average Washington area resident. The majority of respondents said they were “very” concerned about future cyberattacks, and people were more likely to say they were worried about cyberattacks if they worked for the government than if they didn’t.

As the most prominent information technology vendor for the government, Microsoft is a natural target for dissatisfied workers, said Trey Herr, the director of the Cyber Statecraft Initiative at the Atlantic Council, a Washington think tank.

“Microsoft’s the status quo vendor. So any IT problem you have, any IT frustration you have, in 90 percent of situations it’s going to be directed at Microsoft,” Herr said.

Even acquiring smaller contracts could be a major win for Google, Herr said, especially as it wants more organizations to choose Google Drive over Microsoft Office products.

“As the federal government goes, so goes a lot of other large organizations,” Herr said. “So if it [Google] can be competitive for federal contracts, or even seen to win some small ones, it may strengthen their case to other governments and corporations that they are a viable big enterprise cloud vendor.”