Even though Microsoft is the original Big Tech monopoly and still holds the title as the largest corporation in the world by market capitalization, we sometimes forget to place it among the modern-day robber barons. Its operating systems, the Edge browser, Outlook email client, Office suite featuring Word and Excel, Teams communications platform, job-focused social network LinkedIn, Azure cloud service, and Xbox gaming products are so ubiquitous that they can go almost unnoticed, humming in the background of our digital lives. That’s probably why for a number of years the company’s threat level was considered less pressing, almost genteel compared to the craven business practices of the Amazons, Facebooks, and Googles of the world, which feel more deeply embedded to most Americans.
But Microsoft’s power is still very real, and its image as the nicer tech giant is shifting because of its rapid expansion into artificial intelligence, through a partnership with OpenAI. Meanwhile, recent mishaps with Microsoft’s core software business, like a series of major cybersecurity attacks, remind us of all the many tentacles Microsoft has wrapped around technology markets, and even our national-security state.
One of those episodes came at the end of last month when the Department of Defense, the largest and most powerful body in the government, bowed down to its tech master from Redmond, the largest federal contractor for information technology (IT), according to several estimates.
Last month, DOD drafted a memo instructing all its offices that they would be required to upgrade their Microsoft 365 cloud-based productivity software to a new E5 license as part of the department’s cybersecurity initiative, known as the “zero-trust strategy.” Ostensibly, the updated E5 operating system is geared toward better security features. But it happens to also be significantly more expensive.
The internal memo then leaked to Axios, spurring an outcry. Microsoft has consistently failed to address numerous hacks of government bodies, most recently a massive Chinese state-aligned breach of the State Department. A highly anticipated report from the federal Cyber Safety Review Board in April described the attack as entirely “preventable” and caused by “a cascade of failures” from Microsoft’s security system, which did not take adequate safety precautions.
This wasn’t the first incident. There have been four other significant hacks on Microsoft’s watch across various departments.
Sens. Ron Wyden (D-OR) and Eric Schmitt (R-MO) argued in a stern letter to DOD on May 29 that rewarding the company after this conduct would set a bad precedent, and that the new E5 license essentially amounts to a no-bid contract. The senators called on DOD to reverse course and hold a multi-vendor competitive bidding process for whatever security features they think they’re receiving from E5 to accomplish its cybersecurity goals. DOD is currently weighing the implementation of the upgrade.
“Cybersecurity should be a core attribute of software, not a premium feature that companies upsell to deep-pocketed government and corporate customers,” the letter reads.
The senators’ letter comes ahead of a Judiciary Subcommittee hearing this week, where Microsoft President Brad Smith will appear before Congress to answer for the company’s failure to stop the proliferation of hacks into government officials’ devices.
The Federal Trade Commission also appears poised to take action in response to Microsoft’s poor protocols in dealing with cyber threats. First reported by Nextgov/FCW, the FTC has held extensive meetings this year grilling company executives and might launch an official probe targeting the specific business practices that may degrade the quality of Microsoft’s security products. It’s a stark contrast for one relatively small arm of the government to actually interrogate a giant corporation for malfeasance, while the largest department favors it with a lucrative contract.
Separately, The Wall Street Journal reported last week that the FTC is launching a probe into whether Microsoft engaged in what effectively was a merger with an AI rival without disclosing it to antitrust authorities. According to the probe, Microsoft directly hired Inflection AI’s co-founder, brought on almost all of its employees, and paid its investors around $650 million; this practice is often nicknamed an “acquihire.”
The FTC has been at loggerheads with Microsoft throughout much of the Biden administration. The scrutiny of the Inflection AI deal follows the agency’s extensive legal battle to block Microsoft’s merger with the gaming giant Activision Blizzard, which ultimately went through.
All these recent frictions between the company and government officials are actually a lot more related than they might appear on the surface. The company’s efforts to muscle its way into new lines of business while the quality of its core products withers are a direct function of its business model to thwart competition.
THROUGHOUT ITS HISTORY, MICROSOFT HAS SHOWN A PATTERN of leveraging a dominant position in one tech market to expand into others, primarily through tying arrangements and bundling. Microsoft 365, for example, is a collection of separate productivity services that could be disaggregated and in fact were once offered separately. With virtually every new generation of 365, Microsoft makes it harder to leave its ecosystem and choose other separate products without paying a lot more money. The bundling, in the language of antitrust, raises switching costs.
Microsoft’s original monopoly in operating systems was the subject of a major antitrust case in the 1990s, where the government alleged Microsoft tried to “featurize” and kill off rival browser Netscape through its control of operating systems, bundled with its Internet Explorer browser. (The recent Google antitrust trial, the first major monopolization case since Microsoft, attacks a similar bundling arrangement.)
Despite the 2001 consent decree that resulted from the antitrust case, Microsoft still maintains over 70 percent market share in desktop operating systems, and has parlayed that into other markets. Despite the ubiquity of Google, Bing now commands a 20 percent market share for desktop search. Despite Amazon Web Services, Azure has a 22 percent share of public cloud infrastructure. And despite competitors, Microsoft has 43 percent share for its Office suite, and 45 percent in the video game console market. For the niche productivity software category, the Office bundle of products, including Outlook, Word, PowerPoint, Excel, and Teams, owns approximately 90 percent of the global market.
Similar to Apple’s tactics laid out in the DOJ’s recent antitrust case, Microsoft tries to create an ecosystem of various products and build a moat around it to dominate competitors, or to simply acquire them if necessary. For example, Microsoft purchased Activision Blizzard, the largest-dollar-figure tech merger in decades. Gaming is a growing market that all tech players are getting involved in for attention and data, and Microsoft wanted a piece of it.
The same motivation drives Microsoft’s move into artificial intelligence, via its OpenAI partnership and Inflection AI acquihire.
Government contracting is a major area where Microsoft maintains a foothold, which provides an additional revenue stream. Microsoft and Oracle are the top recipients of the government’s estimated $10 to $15 billion annual spending on IT services.
Most importantly, Microsoft’s cloud product Azure shares a $10 billion DOD contract for cloud computing, granted in 2022 in a split with Google, Oracle, and Amazon. This multi-vendor arrangement came after the previous version of the contract, JEDI, was first awarded to Amazon and then terminated by the Trump administration, resulting in a major legal dispute. (One official involved in awarding JEDI came from Amazon, then left and returned to Amazon.) According to disclosures last year, Microsoft was bringing in the most operating income from the new contract, known as JWCC, thus far.
It’s difficult to get full figures and details on all the many contracts Microsoft holds, which are not entirely public. But according to one estimate, 25 to 30 percent of Microsoft’s federal contracts are awarded without a competitive bidding process, meaning they’re likely marked up. (The study was sponsored by NetChoice, which represents Big Tech competitors in contracting, but the cited numbers are verifiable.) In a handful of confirmed instances, the study also finds that Microsoft’s government deals are more expensive than they otherwise would be.
The extensive revolving door between Microsoft and the very government departments awarding the company contracts is certainly one factor working in the company’s favor. Prominent top officials like national security adviser Jake Sullivan previously worked at Microsoft. A former Microsoft executive, Kurt DelBene, was appointed to be the Department of Veterans Affairs chief information officer, who oversees contracting. He was granted a highly unusual waiver voiding ethics concerns, which allowed his family members to hold onto about $15 million in future financial holdings tied to his former employer.
These government connections include a handful of officials at DOD. Assistant Secretary of the Navy Meredith Berger was a senior manager for Microsoft’s Defending Democracy program, which advocates for policy issues, among them “threats posed by cyber mercenaries.” Ronald Moultrie, who recently stepped down as the undersecretary of defense for intelligence and security at DOD, worked as a consultant for the firm Deep Water Point and worked directly for Microsoft, one of his top clients, according to financial disclosures.
Having secured government deals for certain services, Microsoft has then pursued what’s called a “vendor lock-in strategy” to give it an advantage for other contracts, namely for cloud computing, where governments are rapidly expanding.
“It’s like if you bought a car but then can only service it at the company’s own proprietary repair and gas stations,” said George Rakis, executive director of NextGen Competition.
In 2019, Microsoft instituted a new licensing policy change for government and commercial clients to tie together all its various products to Azure, as a tool to beat back competitors. This policy is intended to lock in customers to a fully integrated suite of its productivity software products and impose high switching costs. So to use a service outside its Azure/Office 365 tech stack, even if that competitor is higher-quality or more cost-effective, the client has to effectively repurchase its Microsoft software, which it already bought once, along with added fees.
This policy change directly applies to Microsoft’s push into cybersecurity services and specifically for the E5 license. After a series of rollups in recent years, the company is now the largest cybersecurity services vendor in the world “by order of magnitude,” at least according to its executive who runs the security division, which brings in $20 billion a year in revenue, almost double from 2021.
One cybersecurity expert at the blog Security Economics explains why Microsoft has gained this market share without its product necessarily being better than rivals, such as Splunk: “Microsoft’s offerings really don’t need to be better than security solutions from other vendors. Microsoft’s advantage is that they embed security offerings within their Microsoft O365 E5 suite (and other add-ons). For example, organizations that elect to purchase Microsoft’s E5 option get not only the traditional Office applications like Word, PowerPoint, and Excel, but also Teams (the Slack killer).”
Many large corporations that use Microsoft Azure have attested to this vendor lock-in strategy as a major hindrance for their cybersecurity protections. In a submission to the newsletter BIG, an anonymous cybersecurity employee for a Fortune 500 company explained that his team identified numerous security vulnerabilities with Microsoft’s system and tried to switch to a better security service. But it was especially challenging to defend the added costs to management, and Microsoft employees even directly tried to pressure the cyber team against leaving.
“I cannot get past the fact that Microsoft has built a commercial tool to protect their own operating system and office productivity applications from their own inherent security flaws,” said the employee.
You’d think a Fortune 500 company, or the government for that matter, would have leverage against this type of strong-arming by Microsoft.
But this same lock-in strategy is clearly also what’s hampering the Department of Defense for the E5 license upgrade. To open up a multi-vendor process and select a separate cybersecurity service might impose switching costs. That might be worthwhile if the risk in this case is another major security breach of government officials’ devices. Furthermore, it’s another reason for the Federal Trade Commission in its probe to target this specific tying arrangement for the Azure/O365 tech stack.
But for the time being, at least, DOD opted instead to bend the knee to Microsoft.