U.S. Senator Ron Wyden recently addressed a letter to the FTC chairman, where he tagged Microsoft a national security threat due to what he describes as “gross cybersecurity negligence.” 

In the letter, Wyden called for an investigation into Microsoft’s role in multiple high-profile cybersecurity incidents, asserting that the company’s practices have endangered critical infrastructure and U.S. national security.

Wyden accuses Microsoft

In the September 10 letter to FTC Chairman Andrew Ferguson, Wyden alleged that the tech giant’s “gross cybersecurity negligence” has led to ransomware attacks against critical infrastructure, including U.S. health care organizations, at least partially due to default configurations in the Windows operating system.

Wyden likened Microsoft to an “arsonist selling firefighting services to their victims,” and according to him, government agencies and other companies have “no choice” but to use the company’s products because it has “near-monopoly over enterprise IT.”

Wyden cited the May 2024 ransomware attack on hospital operator Ascension as a prime example.

That case, according to the company, exposed private medical and insurance data of nearly 5.6 million people. He wrote that the hospital operator had informed his staff that a contractor on an Ascension laptop had clicked on a malicious link provided by Microsoft’s Bing search engine.

Wyden claims Microsoft’s support for outdated encryption technology and default configuration settings led to the Ascension exploit. He also said the firm has yet to properly educate companies about how to mitigate the threat.

A Microsoft spokesperson confirmed on Wednesday that RC4, the encryption standard referenced by Wyden, is indeed old, but it makes up “less than .1%” of the company’s traffic, and it discourages customers from using it.

“However, disabling its use completely would break many customer systems,” the spokesperson said, and the company is gradually reducing the extent to which customers can use it while trying to provide warnings and guidance as well.

RC4 will be disabled by default in certain Windows products starting the first quarter of 2026, and the company has said it will include “additional mitigations” for existing deployments.

Wyden demanded a review of court system’s cybersecurity practices

Wyden’s move on Microsoft comes not long after he urged Chief Justice John Roberts to initiate a comprehensive review of the federal court system’s cybersecurity practices.

His request came after a significant hack of the electronic case management system, marking the second major breach in five years.

The latest breach was recorded in June of this year and has pushed the courts to finally announce the implementation of multifactor authentication, a basic security measure that has been standard in executive branch agencies since 2015.

As far as Wyden is concerned, the negligence in court cybersecurity poses serious risks to national security, as sensitive information related to ongoing investigations and federal witnesses could be exploited by foreign adversaries.

Sealed court filings located in the case management system often include extremely sensitive information about national security sources and methods, the names of key federal witnesses, or details of ongoing investigations.

Such information in the hands of foreign adversaries or criminal cartels could be highly damaging to Americans’ security. It does not help matters that the New York Times has reported that “documents related to criminal activity with overseas ties,” were the target of the most recent hack.

KEY Difference Wire helps crypto brands break through and dominate headlines fast