Broken promises and regulatory pressure
When Wyden’s staff briefed senior Microsoft officials about the Kerberoasting threat in July 2024, the letter added, they “specifically requested that Microsoft publish and publicize clear guidance in plain English so that senior executives would understand this serious, avoidable cyber risk.”
Microsoft’s response fell short: the company published its guidance as “a highly technical blog post on an obscure area of the company’s website on a Friday afternoon.” Microsoft also promised to release a software update disabling RC4 encryption, but eleven months later, “Microsoft has yet to release that promised security update,” Wyden noted.
The regulatory implications remained uncertain. “A full-blown FTC case against Microsoft on the basis of weak defaults still feels unlikely,” Gogia said. However, he noted that “the Cyber Safety Review Board’s report from last year complicates the picture. It concluded Microsoft’s security culture was inadequate and accused the company of avoidable mistakes in a government email breach.”
