From Hospitals to Homeland: Microsoft’s Security Failures Put America at Risk

Microsoft’s latest public shaming comes courtesy of an unlikely source: Democratic Senator Ron Wyden of Oregon, one of the few Dems who actually is paying attention to the current cyber mess. Wyden is demanding that the FTC launch an investigation into what he bluntly calls “gross cybersecurity negligence.” That phrase isn’t hyperbole. It’s an indictment of a company whose software decisions keep leaving the barn door open while American hospitals, schools, and government agencies get ransacked by cybercriminals.

The spark for Wyden’s fury is the breach at Ascension Health, where nearly 6 million patient records were compromised thanks to Microsoft’s insecure defaults. A contractor clicked a poisoned Bing link, and suddenly the attackers had a path into the heart of the network. Microsoft’s outdated RC4 encryption, inexplicably left enabled by default, allowed hackers to escalate privileges with Kerberoasting, take over Active Directory, and wreak havoc.

This wasn’t a fluke. It was design negligence. RC4 has been known to be weak for years. Yet Microsoft decided to keep it around in the name of “compatibility,” effectively prioritizing convenience over national security. The company has promised to finally disable RC4—by 2026. Translation: three more years of systemic exposure while attackers laugh all the way to the command line.

Wyden’s analogy is brutal but on point: Microsoft is “an arsonist selling firefighting services to their victims.” And it’s hard to argue. The same company whose decisions lit the fire is the one selling cloud and security services to desperate customers who have no real alternative.

This is not the first time Microsoft has been caught asleep at the wheel. The 2023 Storm-0558 breach, tied to Chinese state actors, was traced back to Microsoft errors in Exchange Online. The Cyber Safety Review Board ripped the company for having a “security culture” better described as an afterthought. Then came 2024, when a flaw in SharePoint let intruders persist inside networks for months. Each time, Microsoft pledges reforms, issues a stern blog post, and cashes another multi-billion-dollar government contract.

The U.S. government, astonishingly, continues to shovel taxpayer money into contracts with the same vendor whose oversights weaken national security. That would be like hiring a contractor to rebuild your house after he burned it down with faulty wiring—then paying him double because he swears he’ll do better next time.

Meanwhile, the larger cyber landscape is being lit up by fresh disasters. The Shai-Hulud worm, a particularly nasty supply chain attack, compromised npm packages—including ones tied to CrowdStrike—and spread credential-stealing code like wildfire across development environments. CrowdStrike itself showed how fragile “protection” can be when, in 2024, a buggy Falcon sensor update bricked more than 8 million Windows machines worldwide. Airports, hospitals, and Fortune 500 companies all found themselves kneecapped by the very tool that was supposed to safeguard them.

Add in the recent emergence of Toneshell, a remote access Trojan now circulating in the wild, and the picture gets uglier. Toneshell is designed for persistence and stealth, burrowing into systems and maintaining a foothold for attackers who want long-term access. It joins a rogues’ gallery of digital plagues like the SnakeDisk USB worm, which spreads via removable drives, hides files, and tricks users into installing backdoors. These are not hypotheticals; they’re active threats chewing through unprepared networks every single day.

The common thread here is fragility. Supply chains collapse when one dependency is poisoned. Endpoint defenses fail catastrophically when a single update goes sideways. Trojans and worms slip through when security is treated as a software add-on instead of a foundational design principle.

That brings us back to Microsoft, because when one company controls the operating system layer of most enterprise IT, its negligence doesn’t just harm its own customers—it creates systemic risk for the entire country. Every insecure default, every decision to prop up obsolete protocols, every patch that breaks more than it fixes ripples outward, creating opportunities for adversaries. And adversaries don’t need to be particularly creative when the doors are already wide open.

So where do we go from here? Wyden is right to call for an FTC probe. The agency has the authority to treat insecure defaults and deceptive claims as unfair business practices. If Microsoft can’t or won’t fix its products, the government should force accountability the same way it would for an auto manufacturer shipping cars with defective brakes.

But regulation is only part of the solution. Enterprises need to demand secure-by-default systems instead of settling for bolt-on patches. They must insist on third-party audits and independent penetration testing instead of trusting glossy marketing decks. And they must recognize that endpoint protection cannot be outsourced to a single sensor or service. Real resilience requires layered defenses—EDR, zero trust segmentation, rigorous monitoring—that assume attackers will eventually get in and focus on containing the blast radius.

The supply chain chaos around Shai-Hulud, the global outage tied to CrowdStrike, and the persistence of cyber threats in general all point to the same conclusion: companies that treat security as optional or reactive are volunteering to become the next headline. In today’s threat environment, you’re either hardened or you’re hacked. There is no middle ground.

The stakes are enormous. A country whose hospitals are paralyzed, whose schools are ransomed, and whose infrastructure is crippled by worms and Trojans cannot function. And yet we keep betting our digital lives on a vendor that has failed time and again to prioritize security over legacy compatibility and market dominance.

Wyden’s words may sting, but they capture the reality: Microsoft is both the arsonist and the fire brigade. The flames keep spreading, and the company keeps selling hoses. The FTC investigation is overdue, but real change will require more than stern letters and fines. It will require a cultural reset in how we design, purchase, and enforce cybersecurity.

Because the next big breach is not lurking in the shadows—it’s already in motion, flowing through weak encryption, poisoned packages, and Trojan backdoors. The question isn’t whether the fire spreads, but whether we finally stop letting the arsonist run the firehouse.
