Citing key cybersecurity attacks on critical infrastructure, one software giant has been named for necessary investigation for monopoly and negligence.

On 11 September 2025, a US senator urged the Federal Trade Commission (FTC) to investigate Microsoft for what he described as “gross cybersecurity negligence” that had allowed ransomware attacks to severely impact critical US infrastructure, including healthcare networks.

In a four-page letter to FTC Chair, Senator Ron Wyden criticized Microsoft for a cybersecurity culture which, combined with its monopoly over enterprise operating systems, creates a serious national security risk and makes further cyberattacks unavoidable.

Comparing the firm to “an arsonist selling firefighting services to their victims” to underscore his alarm at the situation, the action is linked to a ransomware incident affecting Ascension, a major healthcare system hit last year by an attack that had compromised sensitive personal and medical data of approximately 5.6m people. This assault, attributed to the Black Basta ransomware group, also disrupted electronic health record access and was ranked among the top three largest healthcare-related breaches in 2024 by the US Department of Health and Human Services.

The central risk factor: RC4
The attackers had used a method named Kerberoasting, which targets Microsoft’s Kerberos authentication protocol to extract encrypted service account credentials from Active Directory. Central to this risk is Microsoft’s continued default support for the outdated RC4 encryption algorithm within Kerberos, despite RC4 being known for significant cryptographic weaknesses since the 1980s.

Wyden’s letter has highlighted that RC4 is especially vulnerable because it uses no salt or iterated hash in password encryption, allowing attackers to rapidly guess passwords. The senator criticized Microsoft for failing to enforce strong password policies — such as a minimum 14-character length — for privileged accounts and maintaining RC4 enabled by default, which together expose customers unnecessarily to ransomware and other cybersecurity threats.

Reactions by the firm to help corporate users mitigate risk have been deemed by the US senator as insufficient and too slow. The firm has responded by stating that RC4 is an old standard they discourage and that less than 0.1% of their traffic involves its use. Completely disabling RC4 immediately would break many customer systems, so the firm is pursuing a gradual reduction in RC4 usage with strong warnings to customers, and will ultimately disable it. Starting Q1 2026, any new Active Directory domains using Windows Server 2025 will have RC4 disabled by default, and that additional mitigations for existing deployments are planned to maintain service continuity.

Elephant in the room
This is not the first criticism Microsoft has faced over cybersecurity. In 2024 a report by the US Cyber Safety Review Board had faulted the firm’s preventable mistakes that had allowed Chinese threat group Storm-0558 to access hundreds of Exchange Online mailboxes globally.

Wyden’s office is arguing that despite the firm’s poor cybersecurity record, it continues to secure lucrative government contracts due to the lack of regulatory consequences and its dominant market position.

Cybersecurity experts acknowledge that the security decisions of a dominant platform can have widespread impacts on national infrastructure security, and have highlighted the critical need for improved default security designs.

Ultimately, the senator’s call is for the FTC to recognize how national security is entwined with the default settings of key IT platforms, and he urges enterprises and government entities to demand and adopt more secure-by-design software environments.