If you’re hiding something from the US government, using Microsoft products may be a bad idea

“And then I said, it’s got so many holes, we should call it Windows.”
Image: Sipa via AP Images

In 2007, the Washington Post wrote about the happy collaboration between Microsoft and the US’s National Security Agency. “When Microsoft introduces its long-awaited Windows Vista operating system this month,” the story began, “it will have an unlikely partner to thank for making its flagship product safe and secure for millions of computer users across the world: the National Security Agency.” The Post went on to explain that the agency helped Microsoft “to protect it from worms, Trojan horses and other insidious computer attackers.”

Now the assistance runs in the other direction. Bloomberg reports this morning that American firms routinely co-operate with the US government by giving it access to information that could help the government better protect itself but also exploit loopholes and infiltrate computers. In return, “leaders of companies are showered with attention and information.”

Chief among the firms mentioned is Microsoft, which alerts intelligence agencies about bugs in its software before releasing a public fix (discovering a software vulnerability before the public knows about it makes it more useful for cyber attacks). Microsoft may as well write a direct connection with the US government into the operating system. (Microsoft already denied doing that, in 1999.) “Microsoft has several programs through which we disclose information regarding vulnerabilities, some of which have Government participants,” the company told Quartz. “While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers.”

Two things come to mind in connection with this story. The first is how the creators of Stuxnet, a now famous virus used to infiltrate and sabotage Iranian nuclear centrifuges, were able to uncover multiple previously-unknown bugs in a Windows operating system. Discovering unknown bugs, known as “zero-day exploits,” is extremely rare. That the creators of Stuxnet, widely assumed to be the US and Israel, took advantage of four such bugs was a matter of great astonishment. It’s much less astonishing if we assume that Microsoft helped out. Microsoft told Quartz that “any insinuation that Microsoft participated in the creation of Stuxnet or any other malicious code is false.”

The other is the US government’s insistence that Huawei, a Chinese telecoms equipment manufacturer, is a threat to national security. British officials regret allowing Huawei to become part of the UK’s critical national security infrastructure. Australia, India, Canada and the US have either banned Huawei or are reluctant to let its wares pollute their shores. The reason is simple: Huawei was founded by an ex-officer of the People’s Liberation Army and has received generous support from the Chinese state. For that reason, Americans and others assume it is an arm of the party and that its products are full of back-doors, trapdoors and all manner of espionage-related bugs.

Last week, we wrote that governments shouldn’t shut out foreign tech firms that want to do business in their countries. (We argued that it’s better to let foreign firms in and monitor them, partly because it boosts trade and growth.) But examples of Microsoft’s cooperation with the US government help illustrate why the US prefers to shut Chinese firms like Huawei out completely: because it suspects Chinese companies are just as tied to their governments as their American counterparts.