MICROSOFT PUTS PROFITS BEFORE CYBERSECURITY Part 2

Recent investigative reporting by ProPublica showed that Microsoft has put making profits, through securing a place as an industry leader in cloud computing, ahead of keeping its customers safe from cyberattacks – with very harmful results. [1] Punishments for corporations and their executives need to be increased to deter this type of corrupt extreme capitalism.

(Note: If you find my posts too long to read on occasion, please just skim the bolded portions. Thanks for reading my blog! Special Note: The new, more user-friendly website for my blog is here.)

Microsoft failed for three years to address a known flaw in its software that allowed Russian hackers in the SolarWinds breach to gain access to the data and emails of its customers, including sensitive agencies of the federal government. Moreover, its president lied in testimony to Congress claiming first that Microsoft flaws had not contributed to the breaches and later that he and Microsoft had not been aware of the flaw. (See this previous post for more details.)

In 2016, when the flaw was discovered, Microsoft was in a major industry battle to be a leader in cloud computing services and was vying for a multi-billion-dollar Defense Department cloud computing contract. Admitting to a software vulnerability in a related product would have hurt Microsoft’s chances of winning the contract. The Microsoft employee who discovered and reported the flaw, Andrew Harris, was told the decision not to fix the software flaw was a business decision, not a technical one.

As background, Microsoft’s new CEO in 2014, Satya Nadella, saw cloud computing as the future of the technology industry and staked Microsoft’s future on being a major player in this arena. Under pressure to catch up to industry-leader Amazon, Microsoft focused on new features and functionality for its cloud computing products to generate sales and profits and not on security fixes, which cost money and have no immediately visible benefit.

In 2024, Microsoft President Brad Smith was called back to testify before Congress again (see this previous post for information on his 2021 appearance) after a series of cyberattacks on the federal government linked to flaws in Microsoft products. For example, in 2023, Chinese hackers exploited a Microsoft security flaw to access the email accounts of senior government officials. In addition, ProPublica’s reporting on Microsoft’s culpability in the 2019 SolarWinds breach (see this previous post for more information) had been published the day of Smith’s testimony. ProPublica had contacted Microsoft two weeks before with detailed questions related to its investigation and a request for an interview with Smith. Nonetheless, Smith claimed in his testimony to be unaware of the role of a Microsoft software flaw in the SolarWinds breach. [2]

The Federal Cyber Safety Review Board, in reviewing the Microsoft-related security breaches, found that Microsoft’s “security culture was inadequate and requires an overhaul.”

Microsoft’s ignoring of cybersecurity issues to maximize profits has put its customers at risk. It has allowed Russian, Chinese, and other hackers to steal information and data from government agencies, businesses, and their customers.

Publicly traded corporations, like Microsoft, are beholden to profits, to the price of their stock, and to stockholders, not to customers or any sense of the public good. That’s the reality of the unregulated, extreme capitalism allowed by current U.S. laws. This and the extreme personal wealth accumulation it allows seem to have resulted in greed rising to new heights and ethics falling to new lows.

The frequency, pervasiveness, and repetitiveness of business scandals driven by putting profits first and foremost is astounding. If you want to see how pervasive corporate violations of the law are, look at the Violation Tracker database compiled by Good Jobs First.

An underlying theme of this corrupt corporate behavior is the loss of robust competition in the marketplace due to the emergence of a handful of huge, monopolistic corporations in many industries. This has happened largely through mergers and acquisitions, enabled by little or no enforcement of antitrust laws since the 1980s (until very recently).

To stop corporate corruption and bad behavior, there must be more enforcement with greater penalties. Otherwise, corporations just treat the penalties they pay as a cost of doing business. The penalties must be big enough to significantly reduce a corporation’s profits and share price. This would impact stockholders, particularly big ones, including senior executives. The impact should be big enough to put senior executives’ jobs at risk.

For substantial illegal behavior by their corporations, CEOs and other senior executives need to be held personally accountable with criminal charges, the ability to make them return compensation (especially bonuses for generating big profits), and the risk of being fired with no severance package.

The ultimate penalty would be to revoke the corporation’s charter to do business, forcing the liquidation of the corporation. This does not seem likely to happen, so when the illegal or corrupt behavior is serious enough or repetitive enough, the financial penalties must be big enough to potentially put the corporation into bankruptcy and out of business – if the goal is to truly stop corporate corruption and bad behavior. Furthermore, corporations with a track record of serious violations should be banned from doing business with the federal government.

I urge you to contact President Biden to ask him to have the Department of Justice and other agencies investigate and seriously punish Microsoft and its executives for allowing dangerous cybersecurity breaches. You can email President Biden at http://www.whitehouse.gov/contact/submit-questions-and-comments or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414.

I urge you to contact your U.S. Representative and Senators to ask them to pass laws that place serious penalties and punishments on corporations and their executives when they put profits before the safety and security of their customers and the public. You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

[1] ProPublica, 6/18/24, “Nine takeaways from our investigation into Microsoft’s cybersecurity failures” (https://www.propublica.org/article/microsoft-solarwinds-what-you-need-to-know-cybersecurity)

[2] Dudley, R., with Burke, D., 6/13/24, “Microsoft president grilled by Congress over cybersecurity failures,” ProPublica (https://www.propublica.org/article/microsoft-solarwinds-cybersecurity-house-homeland-security-hearing)

MICROSOFT PUTS PROFITS BEFORE CYBERSECURITY

Recent investigative reporting by ProPublica brought to light another example of a corporation putting profit before the well-being of its customers. Microsoft put making profits, through securing a place as an industry leader in cloud computing, ahead of keeping its customers safe from cyberattacks – with very detrimental results.

You may remember the “SolarWinds” cybersecurity breach by Russian hackers that was revealed in 2020. It was one of the largest cyberattacks on U.S. government agencies and private businesses ever. The hackers penetrated the SolarWinds corporation’s software in 2019 and used it to gain access to the computer systems of multiple companies and U.S. government agencies. They got sensitive data from the National Nuclear Security Administration, which oversees U.S. nuclear weapons. They accessed the National Institutes of Health (NIH) as it was working to contain the Covid virus and develop a vaccine for it. They gained access to the email accounts of senior officials at the Treasury Department.

In 2021, Microsoft President Brad Smith testified before Congress that although all the affected companies and government agencies used Microsoft software and cloud computing services, no Microsoft vulnerability or flaw had been exploited in the SolarWinds cybersecurity breach. He said the customers should have done more to protect themselves.

Recent investigative reporting by ProPublica has shown this to be a lie and, moreover, that Microsoft had been warned multiple times, years earlier, about a software flaw that was taken advantage of in the cyberattack. [1] In 2016, Microsoft engineer and cybersecurity expert, Andrew Harris, identified a flaw in a Microsoft software product. The flaw allowed a hacker who had gained access to an individual’s local computer at a Microsoft customer to steal the keys needed to access a broad range of programs and networks. These included Microsoft products that provided remote computing services and data storage to multiple customers, a service called “cloud computing.” Millions of users of these Microsoft products, including federal government agencies and employees, were vulnerable.

In 2016, Harris reported the flaw to Microsoft’s Security Response Center and to the product’s manager, who agreed it was a significant flaw but did not feel it was urgent to address it. Harris suggested a simple fix that would require users of the Microsoft product to log on a second time to access other programs and networks, including cloud computing systems. This was rejected because it would inconvenience customers and hurt marketing of the product, for which the single logon capability was a key selling point.

Harris personally contacted some sensitive Microsoft customers he worked with to inform them of the flaw and their vulnerability. For example, he worked with the New York Police Department to implement the fix he had recommended. [2]

In November 2017, a private cybersecurity firm, CyberArk, identified the same flaw. It reported the flaw publicly after having notified Microsoft about it twice with no response. In 2018, another Microsoft engineer identified a related flaw that made the flaw Harris had identified even more serious.

In 2019, another private cybersecurity firm, Mandiant, after notifying Microsoft but getting no response, publicly demonstrated the use of the flaw to gain access to cloud computing services.

Nonetheless, in 2021, after the SolarWinds cyberattack had given Russian hackers access to Microsoft’s cloud computing services and customers’ data and emails, as noted above, Microsoft President Brad Smith testified (untruthfully) before Congress that no Microsoft vulnerability or flaw had been exploited in the SolarWinds cybersecurity breach.

Harris, frustrated by the failure of Microsoft to address the flaw he’d identified, left Microsoft in August 2020, before the SolarWinds cyberattack became publicly known. He publicly stated that Microsoft’s “decisions [were] not based on what’s best for Microsoft customers but on what’s best for Microsoft.”

Some context for Microsoft’s behavior, as well as steps that should be taken to stop the corporate practice of putting profits before all else, will be in my next post.

[1] ProPublica, 6/18/24, “Nine takeaways from our investigation into Microsoft’s cybersecurity failures” (https://www.propublica.org/article/microsoft-solarwinds-what-you-need-to-know-cybersecurity)

[2] Dudley, R., with Burke, D., 6/13/24, “Microsoft president grilled by Congress over cybersecurity failures,” ProPublica (https://www.propublica.org/article/microsoft-solarwinds-cybersecurity-house-homeland-security-hearing)

SHORT TAKES #10: ELECTIONS AND MONEY

Here are short takes on two important stories that have gotten little attention in the mainstream media. Each provides a quick summary of the story, a hint as to why it’s important, and a link to more information. They highlight the role of money in our elections and how the often overwhelming power and influence of the wealthy is only increasing.

STORY #1: U.S. federal elections are already awash in money that gives wealthy individuals and corporations inordinate influence in our elections and therefore in policy making. Very unfortunately, the Federal Election Commission (FEC) is now making this even worse. For over ten years the FEC has been dysfunctional as hyper-partisanship among its three Democratic and three Republican members has caused gridlock. However, since her appointment in 2022, Democratic appointee Dara Lindenbaum has repeatedly voted with the three Republicans to further deregulate campaign spending. They are rolling back constraints on the spending and raising of money by candidates, political parties, and political action committees (PACs). [1]

For example, their decisions have:

  • Allowed candidates’ campaigns and PACs to coordinate door-to-door canvassing efforts. Previously, all coordination between them was banned because of the unlimited amounts of money PACs can receive and the potential for such large sums of money to corrupt elected officials. Although the FEC has done a poor job of enforcing the prohibition on coordination, to officially allow it is a huge step in the wrong direction.
  • Permitted federal candidates to raise unlimited amounts of money for state-level ballot initiatives. Huge spending by corporations (hundreds of millions of dollars) in state ballot initiatives has skewed results of this supposedly ultimate democratic policy making avenue. Allowing federal candidates to raise unlimited amounts of money for these campaigns not only further undermines the supposed public interest democracy of ballot initiatives, it also presents serious opportunities for corruption of federal candidates.
  • Allowed wealthy campaign donors to put money into a trust which would then donate to campaigns, while keeping the original donor anonymous. More transparency, not less, is needed about the sources of campaign spending. Voters should know who is trying to influence their voting.
  • Ruled that mass text messages are not “public communications” thereby subjecting them to less regulation.
  • Allowed members of Congress to use money from their PACs for their personal benefit. This means that donors to these PACs can, in effect, put money into the pockets of members of Congress. If this isn’t ripe for corruption, nothing is.

 

STORY #2: As hyper-partisanship, influence by corporations and the wealthy, and other factors are blocking enactment of policies in state legislatures that have broad public support, voters are using ballot initiatives to attempt to enact such policies. These ballot initiatives, especially when they address hot-button issues like abortion, Medicaid expansion, marijuana legalization, and workers’ rights, are becoming very expensive. In 2022, across the country, spending on ballot initiatives exceeded $1 billion. In 2023, with fewer state elections and ballot initiatives in only eight states, spending exceeded $200 million. [2]

Much of the spending on ballot initiatives is in California because it is a huge state and it’s relatively easy to put a question on the ballot there. For example, in 2022, over $450 million was spent on two CA ballot initiatives on sports betting. In 2020, Uber, Lyft, DoorDash, InstaCart and others spent over $200 million on a successful CA ballot initiative to define their workers as independent contractors and not employees under labor laws and regulations. Those opposing the ballot initiative spent almost $20 million, a significant sum but less than one-tenth of what the proponents spent. [3]

The 2024 elections are almost certainly going to set records for ballot initiative spending with many issues in many states on the ballot in November. For example, at least 14 states have efforts underway to put an abortion rights question on the ballot. Spending on these ballot questions alone will certainly exceed $100 million.

[1] Goldmacher, S., 6/11/24, “On elections, from deadlock to deregulation,” The Boston Globe from The New York Times

[2] Serna, Jr., A., & Cloutier, J., 3/12/24, “Ballot measures shape debates on hot-button issues, drawing millions in outside spending,” Open Secrets (https://www.opensecrets.org/news/2024/03/ballot-measures-shape-debate-on-hot-button-issues-drawing-millions/)

[3] Ballotpedia, retrieved from the Internet 6/12/24, “California Proposition 22, app-based drivers as contractors and labor policies initiative (2020)” (https://ballotpedia.org/California_Proposition_22,_App-Based_Drivers_as_Contractors_and_Labor_Policies_Initiative_(2020))

OUR DEMOCRACY’S CHALLENGES ARE SERIOUS AND LONGSTANDING Part 4

Our democracy’s challenges are serious and longstanding. This post describes states’ laws and practices on voter registration and voting that create barriers to some citizens’ ability to vote. In most cases, they are Republican efforts to keep Democratic leaning voters from voting.

The one person, one vote standard is a cornerstone of democracy along with the assumption that every citizen can vote. Two violations of these standards are in the Constitution in the structure of the Senate and the Electoral College. (See this previous post for more details.) The Constitution gives control of elections to the states and state laws and practices create other violations of these standards. Gerrymandering is one way that states violate the spirit of these standards without directly violating them. (See this previous post for more details.)

Some states’ laws and practices on voter registration and voting create barriers to some citizens’ ability to vote. A true commitment to democracy would mean making it easy for every citizen to vote. However, historically, states erected a variety of barriers to voting by non-white citizens, particularly former slaves and Native Americans. The Voting Rights Act of 1965 addressed these barriers and did so quite effectively. However, since 2013, the radical, right-wing Supreme Court has effectively repealed the Voting Rights Act and suppression of voting by Blacks (and others) is now very much alive in some states. [1] Most recently, the Supreme Court has basically allowed racial gerrymandering if a state claims it’s partisan (not racial) gerrymandering, which the Supreme Court has ruled the courts have no jurisdiction over.

Republicans know that their policy positions are not popular with the majority of the voting public and, therefore, that they won’t win most elections. So, they try to obfuscate their policy positions, but even more effectively, they work to suppress voting by anyone who is not one of their fervent supporters.

Perhaps the most common barriers to voting are the ID requirements some states have put in place to register or to vote. Many states require a government issued ID such as a driver’s license. Low-income and minority citizens (who disproportionately vote for Democrats) are less likely to have a license and, therefore, this is more likely to be a barrier to voting for them. Some states bar the use of a student ID, but, as in Texas, allow the use of a firearm ID.

The number and location of polling places has long been a technique states use to make it easier for some voters to vote and harder for others. Voting on remote and rural Indian Reservations has often been made difficult by requiring a long trip to get to a polling location. Polling places in densely populated, low-income neighborhoods, often with a high proportion of Blacks or Latinos, have sometimes been sparse and under-equipped, leading to long wait times.

The expansion of voting by mail that occurred during the pandemic made voting easier for many people. However, some states have made it difficult to get a mail ballot or complex to submit a valid mail vote. Some have restricted the availability of drop boxes where mail ballots could be delivered, which was a particular issue given the slowing of mail delivery by President Trump’s appointees to run the postal service.

Many states have restricted voting by those convicted of a felony crime or those in prison. Some states have prohibited a convicted felon from ever voting again. These voting restrictions disproportionately affect Blacks and in some jurisdictions were clearly put in place with this in mind. There is a partisan effect, of course, because Blacks tend to disproportionately vote for Democrats. For example, in the 2000 presidential election, which Republican George W. Bush won by winning Florida by less than 600 votes, over 100,000 felons in Florida who had completed their jail sentences were barred from voting.

Purging registered voters from the list of eligible voters is another technique that can be used to suppress voting. This is a strategy currently being used by Republicans in the run-up to the 2024 elections. A common technique is to send a mailing to a voter that requires a response or the voter will be dropped from the voting rolls. Renters or others who have less stable housing, typically low-income and minority citizens and students, are less likely to get the mail and to respond, so they get purged and prevented from voting.

Another technique is to purge voters who have not voted in an election or two. This is done in Georgia, where in July 2017, Secretary of State Brian Kemp, who was running for Governor in the 2018 election, purged 560,000 voters. It was estimated that at least 107,000 of them were eligible to vote. Then in October 2018, the month before the election, he blocked 53,000 voter registrations, 70 – 80 percent of them for people of color, based on minor discrepancies such as a missing apostrophe or hyphen in a name. Kemp, a white, male, Republican, won the Governor’s race on November 6, 2018, by less than 55,000 votes over Stacey Abrams, a black, female, Democrat.

As you can probably surmise from this summary of barriers states are erecting to voting, these barriers (and others) are almost exclusively put in place by Republicans to disproportionately keep likely Democrats from voting.

One solution to much of this voter suppression is to establish national standards for voter registration and voting for national elections. A future post will discuss this and other solutions to the problems facing democracy here in the U.S.

[1] Dayen, D., 1/29/24, “America is not a democracy,” The American Prospect (https://prospect.org/politics/2024-01-29-america-is-not-democracy/)

SHORT TAKES #9: CRIME AND PUNISHMENT, OR NOT

Here are short takes on two important stories that have gotten little attention in the mainstream media. Each provides a quick summary of the story, a hint as to why it’s important, and a link to more information. They describe two very different crimes and a little perspective on who gets punished and who doesn’t. It seems like our criminal justice system is sometimes more focused on protecting the wealthy and powerful than meting out justice.

STORY #1: A former Internal Revenue Service (IRS) contractor, Charles Littlejohn, who leaked the tax information of thousands of wealthy individuals (including President Trump) was just sentenced to five years in prison, six times the maximum under sentencing guidelines. Stealing tax information is a crime and he pleaded guilty, but the sentence is much longer and harsher than the sentencing guidelines call for or than sentences in other similar cases. He is appealing his sentence. When President Nixon’s tax return was leaked in the 1970s, the leaker was not even indicted. [1]

In some ways, Littlejohn performed a public service. The information he leaked revealed how little many of the very rich pay in U.S. income taxes. ProPublica published dozens of articles analyzing the data, showing, among other things, that for the first time in history U.S. billionaires had a lower effective tax rate than working-class Americans. In many countries, tax information is public information so the public and lawmakers know how the tax system is or isn’t working. The tax returns of presidents and presidential candidates have been made public for decades because they contain valuable information for the voting public. Trump broke this tradition and refused to release his tax returns. So, leaking his information also performed a public service. [2]

The judge stated in sentencing Littlejohn that deterrence was necessary and, shockingly, even compared him to some of the January 6th insurrectionists. However, deterrence is hardly necessary in this situation as IRS workers rarely leak information, in part because they are likely to be caught due to the IRS’s security systems that track who accesses every tax return. Unauthorized accessing of tax returns will cost someone their job and may well put them in jail. This is plenty of deterrence and a ten-month jail sentence, in alignment with sentencing guidelines, seems like plenty to underscore the deterrence of getting caught. Moreover, this harsh sentence makes it seem like the IRS is more focused on protecting the interests of wealthy taxpayers than exposing tax cheats and unfairness in our tax system.

Many wealthy tax evaders have been sentenced to more lenient sentences than Littlejohn, even though deterrence is truly necessary to reduce tax evasion. Tax evaders are many and are rarely caught and rarely punished, despite stealing millions of dollars from the government (and, in effect, from other taxpayers). So, deterrence is truly important in their cases.

STORY #2: In 2021 and 2022, Scott Sheffield, the CEO of a Texas oil and gas corporation, Pioneer Natural Resources (Pioneer), manipulated the price of oil and gas. This cost every American consumer an estimated $2,100. This is one piece of the “inflation” in the post-Covid period that clearly wasn’t inflation but reflected the greed and manipulative power of an American corporation and its CEO. Over those two years, Sheffield exchanged hundreds of communications with leaders of the Organization of Petroleum Exporting Countries (OPEC), which is led by Saudi Arabia, about reducing oil production to maintain high prices and high profits. It’s estimated that this scheme and collusion accounted for 27% of the increase in gas prices. Industry profits in this period hit a record high of $205 billion and, in 2021, Pioneer enjoyed its highest profits in ten years. [3]

Sheffield has significant influence in the federal government due to his $281,000 in campaign contributions to congressional and presidential campaigns since 2006. In addition, his known contributions to political action committees (PACs) are $200,000 and, since 2012, his corporation’s PAC and employees have contributed $1.2 million to campaigns.

This influence allowed him to spearhead the successful effort in 2014 to get the longstanding ban on the export of U.S. oil overturned. The ban had been in place for national security purposes and also had the effect of keeping oil and gas prices down in the U.S. In 2021, he personally and successfully lobbied President Trump to use his leverage with OPEC and the Saudis to constrain oil production, which increased prices and profits.

This scheme and collusion were uncovered by the Federal Trade Commission (FTC) while it was reviewing the recently completed merger between Pioneer and ExxonMobil. Because of Sheffield’s actions and as a condition of approving the merger, the FTC banned Sheffield from serving on the Board of the combined corporation. It could refer Sheffield to the Department of Justice for prosecution.

I urge you to contact President Biden and ask him to encourage the FTC to make a criminal referral of Sheffield. Corporate crime needs to be appropriately punished. Executives responsible for corporate crime need to be tried and, if convicted, given serious penalties, including jail time, to provide strong incentives to other executives and corporations to obey the law. Unfortunately, criminal charges for executives rarely happen.

You could also ask Biden to commute Littlejohn’s sentence if it isn’t reduced on appeal.

[1] Avi-Yonah, R., 5/21/24, “A five-year prison sentence for a public hero,” The American Prospect (https://prospect.org/justice/2024-05-21-five-year-sentence-public-hero-charles-littlejohn/)

[2] Eisinger, J., Ernsthausen, J., & Kiel, P., 6/8/21, “The secret IRS files: Trove of never-before-seen records reveal how the wealthiest avoid income tax,” ProPublica (https://www.propublica.org/article/the-secret-irs-files-trove-of-never-before-seen-records-reveal-how-the-wealthiest-avoid-income-tax)

[3] Goldstein, L., 5/7/24, “The mega-donor who colluded with OPEC,” The American Prospect (https://prospect.org/power/2024-05-07-mega-donor-scott-sheffield-opec-exxonmobil/)