Microsoft commits $150 million to modernizing government cyber infrastructure

As local and county governments pivot to meet rapidly evolving cybersecurity threats, Microsoft, alongside several other leading American tech brands, is stepping up to contribute expertise, support and investments in the effort. 

“Fostering U.S. economic growth and prosperity hinges on our collective ability to create a safer world,” Rick Wagner, president of Microsoft Federal penned in a statement issued along with a pledge to commit “$150 million in technical services to help federal, state and local governments upgrade security protection.” 

Of that, $50 million will be targeted to help federal agencies secure applications and servers “by replacing legacy infrastructure with cloud infrastructure that is always patched and up to date.” 

The end goal, Wagner writes, is to bring local governments and federal agencies into a Zero Trust architectural framework—a digital security type that requires users to confirm their identity every time they access a system, regardless of who they are, as opposed to a perimeter defense. 

The commitment follows a meeting held by the White House with representatives from industry leaders (including Google, IBM, Travelers and Coalition, JPMorgan Chase and Apple, among others), and a public-private collaboration led by National Institute of Standards and Technology (NIST).  

It comes amid a broader push by the Biden Administration to modernize the government’s cyber-defenses against an expanding digital threat—centered around an executive order, “Improving the Nation’s Cybersecurity,” which President Joe Biden issued in the spring. Earlier this month, the Cybersecurity and Infrastructure Security Agency released a draft of the Zero Trust cybersecurity framework it created to meet the requirements outlined in Biden’s executive order for public review. Comments on that document are due Friday, Oct. 1. Reviewers can submit their comments and feedback to [email protected] 

Following the comment period, a notice issued by CISA says it will work with stakeholders like Microsoft to “assess the valuable feedback and produce a new version of each guidance document.” 

More than agencies themselves, the administration is focused on bringing private organizations that do important business with the government under standardized security requirements. 

A major impetus for the push was the Colonial Pipeline ransomware attack, which in May brought much of the nation’s fuel supply chain to a grinding halt. More than an inconvenience, the attack laid bare the inadequate cybersecurity measures being deployed by agencies and government contractors in the face of increased attacks.  

“Americans are routinely experiencing real-world consequences of the ransomware epidemic as malicious cyber actors continue to target large and small businesses, organizations and governments,” said Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency.  

Goldstein’s agency, along with the Federal Bureau of Investigation and the National Security Agency, recently released an advisory warning of an uptick in Conti ransomware cyberattacks—a variant of the same type of ransomware that was used in the Colonial Pipeline attack. The agencies have observed 400 attacks internationally in recent days. 

“The cyber criminals now running the Conti ransomware-as-a-service have historically targeted critical infrastructure, such as the Defense Industrial Base (the worldwide industrial complex that enables research and development, according to CISA), prior to Conti campaigns, and the advisory highlights actions organizations can take right now to counter the threat,” said Rob Joyce, director of cybersecurity at the NSA in a statement. 

A real-world example of these increased cyber threats can be seen in Walla Walla, Wash., when an attack on a large internet-based phone provider, Bandwidth, disrupted the city’s phone service Wednesday. 

Compounding the challenges faced by local governments in modernizing their cyber defenses, there’s a cybersecurity labor shortage. The White House estimated last month that there are approximately 500,000 cybersecurity jobs currently unfilled.  

A report released this year by the Information Systems Security Association International and the analyst firm Enterprise Strategy Group, “The Life and Times of Cybersecurity Professionals 2021,” highlighted the severity of the issue. A statement issued by the security association in conjunction with the report’s release called the “cybersecurity skills crisis … a downward, multi-year trend of bad to worse” that has “impacted more than half (57 percent) of organizations.”  

Of nearly 500 cybersecurity professionals surveyed for the report, 62 percent said their workloads have increased, 38 percent reported unfilled jobs, 95 percent said the job shortage hasn’t improved in the past few years and 44 percent said it’s gotten steadily worse. Cloud computing security, security analysis, investigations and application security were the most-often cited “areas of significant cybersecurity skills shortages.” 

Among the other contributions Microsoft has committed to, the tech company committed to expanding partnerships “with community colleges and non-profits for cybersecurity training to help the workforce keep pace with in-demand skills,” Wagner noted. “We are also dedicated to providing agencies actionable insights and tools to accelerate modernization and help cyber professionals stay ahead of sophisticated adversaries. Microsoft has launched a free repository of educational resources to address the critical cybersecurity shortage and gaps.”  

On the portal, local government cybersecurity leaders can access government-specific training, workshops, certifications and reference architectures “like our Zero Trust Scenario Architectures mapped to NIST standards,” Wagner wrote.