Senator Wyden Urges FTC To Investigate Microsoft Over 'Severe Cybersecurity Negligence'
JAKARTA - US Democratic Senator Ron Wyden on Wednesday 10 September asked the Federal Trade Commission (FTC) to "investigate and hold Microsoft accountable for its role in a series of high-profile cybersecurity incidents in recent years." In a letter to the FTC chairman, Andrew Ferguson, Wyden said Microsoft's approach to cybersecurity "continues to threaten US national security" due to "severe cybersecurity negligence".
Wyden highlighted ransomware attacks on critical infrastructure, including US health organizations, which were partly caused by default settings on the Windows operating system.
"Currently, Microsoft is like an incendiary who sells fire service to its victims," Wyden wrote. He also cited Microsoft's near-monopoly dominance of the corporate IT sector, which means governments and other companies "have no choice" but to use its products.
The FTC spokesman confirmed that it had received Wyden's letter but declined to comment further.
Wyden gave the example of a ransomware attack in May 2024 against the hospital operator Ascension, which the company said exposed the medical and insurance data of nearly 5.6 million people. According to Ascension, the attack came after a contractor using an Ascension laptop clicked on a malicious link from Microsoft's Bing search engine. The link allowed hackers to access the company's network and eventually reach its Microsoft Active Directory servers, which are used to manage user accounts.
According to Wyden, Microsoft's support for outdated encryption technologies such as RC4, together with its default configuration settings, facilitates attacks such as the one in the Ascension case. He also said that Microsoft has not done enough to educate companies on how to reduce the threat.
A Microsoft spokesperson on Wednesday said that RC4, the encryption standard cited by Wyden, is obsolete and accounts for only "less than 0.1% of our traffic". The company encourages customers not to use RC4, but disabling it completely can disrupt customer systems.
Microsoft plans to disable RC4 by default on some Windows products starting in the first quarter of 2026, while providing "additional mitigation measures" for existing systems, the spokesperson said.
Previously, Wyden had also pushed for an investigation by the US government into Microsoft's role in cyberattacks, including after it was revealed in July 2023 that hackers linked to China stole thousands of US officials' emails.