The Daily Telegraph

Microsoft’s obsession with AI risks creating a security nightmare

As it focuses on new technology, basic software maintenance is in danger of not being prioritised

- Andrew Orlowski

Is it bad to be boring? Apple’s “I’m a PC” TV ads of the Noughties wanted you to think so. We saw two friends bantering: one, a cool, casual and assured “Mac” computer, the other a socially awkward and dysfunctional “PC” in a bad suit, played in the UK by David Mitchell. Mr PC insisted timesheets and pie charts were fun.

But as Mitchell’s Peep Show character, Mark Corrigan, liked to explain at parties, being boring is good. Particularly when other businesses need to be able to rely on you. Microsoft’s problem today is that it’s trying too hard to be cool again.

In May 2023, Storm-0558, a Chinese hacking group, gained access to Microsoft systems that ran the email accounts at 22 organisations in the United States and UK, including 63 “high profile” individuals in the UK. Many were government bodies. The US Department of Homeland Security has just released its findings into the breach. It makes for grim reading.

The breach should never have happened, the department’s cyber safety review board concluded – and was because of a “cascade of avoidable errors”. The company had failed to match the basic security practices of other CSPs (cloud service providers) to keep account sign-in keys safe. This key should have been retired two years earlier. The report blamed leadership – the chief executive and the board – for not having a security culture.

Investigators described “a corporate culture that de-prioritised enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations”. Ouch.

“We very much disagree with this characterisation,” an executive responded in a statement.

A Microsoft spokesman said its engineering teams are working on identifying any security issues within its legacy infrastructure: “Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyberarmies of our adversaries. We will also review the final report for additional recommendations.”

But this wasn’t the first attack. Three years ago, 18,000 Microsoft enterprise customers downloaded a component poisoned by suspected Russian hackers. Then, in January, the Russians called again. Hackers accessed “highly sensitive Microsoft corporate email accounts, source code repositories, and internal systems”.

Given its ubiquity in business, Andrew Grotto, a Stanford fellow and a former White House cybersecurity adviser, said last week that it’s fair to describe systemic risks in Microsoft’s products as a national security threat.

“Microsoft has a ton of leverage. It has the government locked in. It’s able to transfer a lot of its costs from these security breaches over to its customers, including the federal government,” he added.

Microsoft is doing well financially, reporting profits of $21.9bn for the most recent quarter. With both revenue and profit up handsomely from a year ago, $8.4bn was handed back to shareholders. But Microsoft wants to be cool, too, and one wonders if that’s a distraction.

The coolest technology of all today – at least among the tech bros – is artificial intelligence. Microsoft’s drive to put it wherever it can has become all-consuming. AI-powered adverts have even begun to appear in the Windows start menu – something surely no one ever asked for. But this desire to prove that it really isn’t Mark Corrigan is a gamble.

Microsoft has set a price for its chatty AI pop-ups – it calls them “Copilots” – of $30 per user per month. It will require vast expenditure, given the energy required to power them. Data centres will need 50pc more power in the EU in 2026 than they did in 2022. Microsoft wants someone to “lead project initiatives for all aspects of nuclear energy infrastructure for global growth”. It has small modular reactors in mind.

And whether business thinks it’s worth paying for is also open to question. If fewer staff are needed, $30 per month sounds like a bargain. According to Parkinson’s law, work expands to fill the time available for its completion, and studies have suggested that the employees keenest on AI are the least productive. Microsoft has benefited from this social dynamic before with its PowerPoint program, which has been banned by companies, including Amazon, and replaced with more efficient information sharing.

ChatGPT-powered Bing hasn’t seen a jump in market share. Businesses don’t have the luxury of “hallucinations” when some 20pc of answers are wrong or irrelevant. The worry is that in its determination to convince business that it needs AI, something it may not want, and dreaming of nuclear reactors, the basic software is not being maintained. Last week, Satya Nadella, the chief executive, assured analysts Microsoft was “putting security … before all other features and investments.”

Perhaps that isn’t enough. In 2002, Windows was notorious for its poor security. Microsoft responded by shutting down its Windows division and sending 85,000 employees on a week-long training course. The chances of that happening now, in the race to AI, seem remote. And in any case, wouldn’t that be boring?
