Why Amazon, Google and Other Tech Giants Are Flouting Some New Government Cybersecurity Recommendations - The Messenger

Major technology companies are resisting the Biden administration’s push to make basic security features free and automatic in products like their popular cloud platforms, forgoing changes that could neutralize many cyberattacks.

Amazon, Google, Microsoft, IBM, and Oracle are among the tech giants defying elements of recently issued guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency that seeks to encourage the adoption of these so-called “secure-by-default” features. 

The halting early start to CISA’s campaign to shift the burden of cybersecurity upstream from users to vendors—which represents a major goal of President Joe Biden’s National Cybersecurity Strategy—raises questions about the administration’s ability to shape the behavior of these massive tech companies, which also happen to be some of the government’s most vital cybersecurity partners.

Photo: A view of the White House from the North Lawn. (Drew Angerer/Getty Images)

CISA says it’s making slow but steady progress convincing companies to adopt its recommendations. The agency has “had very positive conversations with a significant number of technology companies” that are planning to change policies currently at odds with government guidance, according to a CISA official, who requested anonymity to discuss internal deliberation.

“We do expect to see changes in the very near term,” the official added, “particularly in some of those areas that require less engineering investment and less architectural change.”

In a previously unreported advancement of its campaign, CISA is preparing to publish updated guidance this summer with “perspectives from industry” about what changes are feasible now and in the future, the official said. “You are seeing a full-court press across the administration on the need for technology companies to make necessary changes and investments,” the CISA official said.

But the continued refusal of leading tech firms to make relatively basic product changes with colossal security benefits has alarmed cyber experts.

“We're exceptionally vulnerable,” said Mark Montgomery, executive director of the congressionally chartered Cyberspace Solarium Commission and its nonprofit successor. “These companies should be held accountable. But they're not.”

Glaring gaps

In recent years, cyberattacks have increasingly exploited users’ lack of security knowledge and tech platforms’ refusal to activate basic protections. Hackers infected hundreds of thousands of routers by guessing their default passwords, breached major corporations through insecure administrator accounts, and roamed through victims’ computers undetected because their targets lacked information about what was happening on their networks.

In one of the most devastating attacks to exploit these vulnerabilities, Russian government operatives in 2020 breached nine federal agencies and more than 100 companies by infecting IT management software made by the Texas-based company SolarWinds.

The SolarWinds hack generated frantic investigations by the incoming Biden administration and prompted the president’s top cyber advisers to begin highlighting how tech companies’ product decisions enabled digital intrusions. Recently, officials began urging companies to make their products “secure by design” (by writing code in a careful, safe way, to minimize flaws like the one that enabled the SolarWinds attack) and “secure by default” (by enabling security features automatically and for free, rather than charging extra for them or hiding them in obscure menus).

“Consumer safety must be front and center in all phases of the technology product lifecycle, with security designed in from the beginning, and strong safety features — like seatbelts and airbags — enabled right out of the box, without added costs,” CISA Director Jen Easterly said during a February speech at Carnegie Mellon University.

In April, CISA, other federal agencies, and key foreign counterparts published the secure-by-design and secure-by-default guidance with specific recommendations. “Security is not a luxury option but is closer to the standard every customer should expect without negotiating or paying more,” the document said.

The secure-by-design push faces the most daunting technical obstacles: human coders will inevitably make mistakes, and no software development environment can be completely tamper-proof. And while the secure-by-default push is less technically challenging because it mostly requires policy and pricing changes, it may also be more politically fraught, because it involves the government asking tech companies to give up profitable upcharges and force users to jump through new hoops to access their accounts.

“It’s not in any way surprising that companies haven't changed their behavior,” said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative. “Anything that would cost them any money unless there's a hard requirement for it isn't something they're likely to do unless they see a clear [business] case for it.”

Flouting the guidance

Nothing epitomizes the tech industry’s apparent indifference to the government’s advice better than the high-profile violators of two of CISA’s most critical recommendations.

To stop attackers from hijacking administrator accounts and abusing their vast privileges, CISA recommends that companies require administrators to use a feature called multi-factor authentication (MFA), which supplements the traditional password with an extra layer of security. But tech giants Amazon Web Services, IBM, and Oracle still haven’t done this, according to online documentation, and while Microsoft began auto-enabling MFA on new accounts in 2019, it doesn’t require the feature for all administrator accounts created before then.

Another critical recommendation concerns network-activity logs. During the SolarWinds attack, many victims didn’t realize the hackers had accessed their Microsoft 365 systems because they weren’t paying Microsoft an extra fee for full access to their logs, so they couldn’t detect the anomalous activity. CISA recommends that companies offer full log access for free. But Amazon Web Services, Microsoft, and Google still charge extra for some log data.

A Microsoft spokesperson said requiring MFA for more existing accounts could lock out people unprepared to enable the feature. (It’s unclear how widespread this problem would be, but it’s possible that some organizations, particularly smaller ones, would struggle to educate their users about the new technology.) The spokesperson also said that Microsoft worked with CISA to determine what log data is actually necessary for investigating intrusions and will provide that data for free, with detailed analysis tools still costing extra. Offering all log data for free would significantly increase storage costs for customers, the spokesperson said.

A Google spokesperson said the company offers “a rich set of logs” and some analysis features for free. The spokesperson said Google charges extra for logs stored for more than 30 days and advanced analysis features because “the cost of storing and managing these logs can be quite significant.”

An Amazon spokesperson said the company “strongly encourage[s]” the use of MFA but declined to explain why it doesn't require administrators to use the feature when possible. The spokesperson also did not explain why Amazon charges extra for certain logging features.

IBM and Oracle did not respond to requests for comment. The trade group BSA, which represents many large software companies, declined to comment.

No enforcement, no incentives

Tech companies have plenty of reasons to brush off CISA’s advice.

One of the biggest: CISA isn’t a regulator, so companies don’t have to fear consequences for ignoring its guidance. The agency says its non-regulatory status encourages companies to partner with it on various initiatives, but this can also limit the impact of its recommendations — especially when it’s acting alone.

The Biden administration needs to “get serious” about secure-by-default by ordering agencies to reinforce CISA’s guidance and encouraging independent regulators to do the same, Herr said. “CISA’s trying to do the right thing,” Herr said, but “they really haven’t been backed up by the White House.” With pushes from the administration, Herr said, the FTC could investigate companies for claiming to be secure while withholding basic features, and the SEC could require public companies to disclose the material impacts of their failure to arm customers with basic protections.

The White House’s National Security Council and Office of the National Cyber Director did not comment for this story.

Another problem is that some of these currently optional security features may be very profitable. Microsoft’s security business brought in $20 billion in 2022. Some online service providers charge their customers extra to use a third-party login platform for increased security, another upcharge that CISA discourages. 

Exactly how much might the tech giants lose? In Microsoft’s case, their lucrative security business wouldn’t entirely disappear, but if the company made more features free, Herr said, it might lose “a very significant portion of that.”

Meanwhile, vendors face few incentives to abandon these profitable upcharges, because customers aren’t pressuring companies to change their practices. “We've created an incentive structure in the marketplace that doesn't support accountability, because it’s more about the bottom line,” said Megan Stifel, a former White House cyber official who is now the chief strategy officer at the Institute for Security and Technology. The CISA official agreed that the problem “is largely a matter of business incentives.”

To address the market failure, CISA plans to enlist the support of large companies from powerful industries like finance and retail to increase pressure on tech vendors. The official didn’t offer details about this pressure, but it could involve public letters or private meetings between vendors and coalitions of influential customers. The vendors may not have to worry about losing business, but they “still want happy customers,” the official said. “If we can get greater coalescence around those requirements, that's going to drive some real change.”

Playing nice with powerful partners

Biden is no stranger to criticizing powerful industries for what he sees as reckless price-gouging, but his administration is taking a different approach with tech companies. Biden’s top cyber aides have pointedly avoided naming and shaming vendors that refuse to embrace security defaults.

The CISA official offered several explanations for the discrepancy. For one thing, that person said, “many of the changes that we are demanding are not as simple as lowering a price and actually do require real technical investment.” But more broadly, CISA believes that the most effective way to foster more responsible corporate practices is to encourage those changes through friendly conversations.

CISA has been privately pushing companies to make specific commitments to either implementing the recommended changes or establishing timelines for doing so. “We have been having those conversations constantly since our guidance was published, and even beforehand,” said the official.

Instead of publicly shaming vendors that are defying government recommendations, Easterly and others are praising companies that adopt them, believing that positive reinforcement will accomplish more. 

One elephant in the room is that CISA desperately needs these same companies’ help with numerous cybersecurity team-ups. “All of our work is grounded in trust-based voluntary partnerships,” the official said. Google and Microsoft, for example, provide vital information about digital threats, and they frequently assist the FBI and CISA with federal investigations, creating what the Atlantic Council’s Herr called “a difficult line to walk.”

There is evidence that the companies are sensitive to policymakers’ criticism. In March 2021, with the U.S. still reeling from the stealthy SolarWinds attacks, lawmakers slammed Microsoft for charging extra for log data. One month later, Microsoft announced that it was giving government customers a free year of log access.

“There may be occasions when naming individual companies is appropriate,” the CISA official said, and the agency will “continuously evaluate” the effectiveness of its friendlier approach. 

The long road ahead

As the Biden administration continues prodding tech giants to adopt its recommendations, it will have to contend with pressure from Capitol Hill, where key lawmakers are eager to see if the White House can make good on its promise to fundamentally transform the cybersecurity responsibilities of users and vendors.

“The administration’s efforts are still new and it will take time for companies to meet these new standards,” House Homeland Security Committee ranking member Bennie Thompson (D-Miss.) and cyber subcommittee ranking member Eric Swalwell (D-Calif.) said in a statement. They expressed hope that more time and collaboration would produce the necessary “public demand and private sector buy-in” for improvements.

One looming question is whether Congress will eventually tire of corporate delays and mandate compliance with CISA’s guidance.

Legislating technological requirements is tricky, experts said, because of how quickly technology changes. But if major companies continue resisting changes, some kind of mandate might be inevitable.

“We're headed towards regulation,” Montgomery said. The tech giants, he added, “are really pennywise and pound-foolish to not step in now and self-regulate.”

Another question is whether CISA’s plea for patience in its persuasion campaign will generate friction among the outside experts who advise the agency and promote its work.

The CISA official argued that intensive efforts to address this “decades-long challenge” really only began with the National Cybersecurity Strategy’s release in March, a point that security experts and lawmakers acknowledged.

But some experts said there’s no time to waste, especially with adversaries like Moscow, Beijing and ransomware gangs growing more capable and determined every day.

“You're not going to build unhackable systems,” said Jeremy Grant, a former cyber official at the National Institute of Standards and Technology who is now the managing director of technology business strategy at the law firm Venable. “But there’s a few really simple things we could be doing that significantly raises the level of resources an attacker has to expend in order to breach the system.”
