JULIO RIVERA: Microsoft security failures are a threat to America and the FTC must investigate

Enterprises can’t just wait for regulators. They need to start demanding secure-by-default systems, independent security audits, and real accountability from their vendors.


Microsoft just got called out in the most public way possible, and frankly, it’s about time. Of all people, Democrat Senator Ron Wyden is demanding the FTC investigate what he calls Microsoft’s “gross cybersecurity negligence.” That’s not hyperbole. It’s an overdue spotlight on a tech behemoth that continues to prioritize backward compatibility and market dominance over security, leaving hospitals, government agencies, and businesses vulnerable to disaster.

The latest catastrophe is the breach at Ascension Health, where nearly six million patient records were compromised. The culprit wasn’t a nation-state wielding cutting-edge zero-days. It was Microsoft’s own insecure defaults. A contractor clicked on a poisoned Bing link, and because Microsoft still ships RC4 encryption by default, attackers escalated privileges through Kerberoasting, took over Active Directory, and crippled a hospital system. RC4 is a cipher that should’ve been retired years ago. Microsoft plans to disable it by 2026. That’s several more months of exposure to a threat everyone knows about.

Wyden nailed the metaphor: Microsoft is “an arsonist selling firefighting services.” And the company’s customers are stuck paying the arsonist because they have little to no choice.

This is hardly the first example of Microsoft’s negligence. In 2023, Chinese-linked Storm-0558 hackers exploited Microsoft’s mistakes in Exchange Online, prompting the government’s Cyber Safety Review Board to slam the company’s “inadequate security culture.” In 2024, a SharePoint vulnerability allowed attackers to gain long-term persistence in corporate networks. Each time, Microsoft promised to do better, issued a blog post, and continued cashing billion-dollar government checks. It’s the equivalent of burning down the house and then sending the homeowner a bill for new fire insurance.

Meanwhile, the broader cyber ecosystem is buckling under failures just as reckless. The Shai-Hulud worm compromised npm packages—including some tied to CrowdStrike—injecting credential-stealing code into development pipelines. It demonstrated how a single poisoned dependency can cascade across the supply chain. CrowdStrike itself showed the fragility of “protection” last year when a faulty Falcon sensor update crashed an estimated 8.5 million Windows machines worldwide. Airports, hospitals, and corporations learned the hard way that endpoint agents can fail just as catastrophically as the threats they’re meant to block.

And it doesn’t stop there. New threats, such as Toneshell, a remote access Trojan designed for stealth and persistence, are spreading quietly, providing attackers with long-term access to compromised systems. Meanwhile, old-school plagues like the SnakeDisk USB worm are still circulating, hiding files and planting backdoors through removable media. These aren’t theoretical; they’re real-world threats exploiting the same gaps created by complacent security practices.

The pattern is clear: fragile systems, insecure defaults, supply chains compromised by weak oversight, and endpoint defenses that fail when needed most. And every time one of these dominoes falls, adversaries like Russia, China, or even ransomware gangs benefit while ordinary Americans suffer.

Wyden is right to call for an investigation by the FTC. Regulators must hold companies accountable when their negligence puts critical infrastructure and personal data at risk. If a carmaker knowingly shipped vehicles with defective brakes, there would be recalls, lawsuits, and congressional hearings. But when Microsoft ships insecure defaults that allow attackers to run wild, the consequence is usually another round of lucrative contracts.

Enterprises can’t just wait for regulators. They need to start demanding secure-by-default systems, independent security audits, and real accountability from their vendors. They must embrace layered defenses rather than relying on a single solution. Endpoint protection is vital, but it must extend beyond an antivirus agent. Zero-trust architecture, endpoint detection and response (EDR), rigorous monitoring, and hardened configurations are now essential tools, not luxuries.

The supply chain collapse around Shai-Hulud and the global outage tied to CrowdStrike both underscore one crucial truth: security can’t be bolted on after the fact. It has to be the foundation.

The stakes couldn’t be higher. Microsoft controls the operating system layer for much of the world’s IT infrastructure. Its decisions ripple across industries and into the heart of government systems. Every insecure default or delayed patch is not just a software issue—it’s a national security risk.

Wyden’s “arsonist” line may sound like political theater, but it’s deadly accurate. Microsoft lit the match, sold the fire insurance, and left us with a country increasingly vulnerable to hackers who don’t need to invent new attacks because the old ones still work just fine. The FTC needs to act, but so do the companies and agencies that continue to buy from the arsonist.

The next breach isn’t lurking in the shadows—it’s already in motion. Whether it spreads into another Ascension-sized meltdown depends on whether we continue to trust the arsonist or finally decide to build fireproof walls.

Julio Rivera is a business and political strategist, cybersecurity researcher, founder of ItFunk.Org, and a political commentator and columnist. His writing, which is focused on cybersecurity and politics, is regularly published by many of the largest news organizations in the world.

