Google Cloud office building showing government employees view of Microsoft

Google Cloud Survey Finds Microsoft Products Unpopular With Security-minded Government Employees, but How Objective Is It?

A new survey commissioned by Google and the Computer & Communications Industry Association finds that a majority of federal government employees have concerns about the security of the Microsoft products that their agencies widely use. However, the fact that Google Cloud offers products that are in direct competition with Microsoft have some in the industry questioning exactly how objective this exercise was.

The survey was conducted by Public Opinion Strategies, but paid for in part and published by Google Cloud. It polled 2,600 currently employed residents of the United States, 338 of these working for “federal, state or local governments.” The survey also focused on a breakout of 600 workers from the Washington D.C. metro area, but did not disclose if these workers were at companies that had any connection to the federal government.

Google Cloud survey shows small majority worried about Microsoft security, but methodology raises questions

The Google Cloud survey opens with concerns about cybersecurity. About 75% of both all respondents and the group of government employees believe the federal government will be the victim of a cyber attack by a foreign adversary in the next few years, a fairly safe bet given that this has happened repeatedly over at least the past decade. DC Metro area employees are more likely to anticipate this happening at rates of 80-82%.

Worker concerns are mostly focused on the safety of their own personal data and that of their families, followed by the sensitive information that the federal government protects (such as Social Security and Medicare account information). A slightly smaller amount of respondents (but still a strong majority) expressed concern that their employers would fall victim to a cyber attack and lose confidential business information, with government employees being more concerned about this possibility.

Government employees were also much more likely to have already experienced a disruption at work because of a cyber attack; one-third, as compared to only one-tenth of other respondents. Government employees are also more likely to use Microsoft products at work, at a rate of 75% to 68% for other jobs. This goes up to 84% of DC Metro government employees. 60% of government employees said that Microsoft products were making the workplace more unsafe from a cybersecurity perspective, compared to 51% of other types of employees.

Government employees are also more likely to feel that the use of Microsoft products is a matter of employer inertia rather than them continuing to be the best available for the job, at 45% to 41% of other types of employees. That sentiment increases substantially for all groups in the DC Metro area. 35% of DC government employees say that they use shadow IT solutions at work, and that number jumps to 41% when controlling for the age 20 to 34 cohort.

Phil Neray, Vice President of Cyber Defense Strategy at CardinalOps, notes that “shadow IT” can be expected in similar degrees with any office software, however, as can the appearance of vulnerabilities: “It’s an interesting point of view, but the reality is that most high-profile attacks are the result of poor security practices rather than vulnerabilities in office productivity suites. The OPM breach, for example, happened because there was insufficient security monitoring to detect unusual activity in the network after attackers stole credentials from a government contractor. The Equifax breach was the result of poor web server patching practices. The SolarWinds breach occurred after attackers infected software updates for an IT application that’s widely used in both government and civilian organizations. The DNC breach was the result of a phishing attack. And in the case of the Colonial Pipeline ransomware incident, the attackers exploited the fact that the company had a high number of open remote access ports accessible from the internet.”

Would government employees feel safer with alternative office software?

The survey’s methodology raised some questions, as did its presentation: the Google Cloud blog it was publicized on opens with a preamble that openly calls for “choice in tools” and notes that 70% of government employees use Gmail outside of work. Microsoft responded to Nextgov by stating that the Google Cloud survey was a “tactic” akin to lobbying Congress under the auspices of representing the interests of small business.

Microsoft has seen this approach before; Apple went on a similar media blitz decades ago as it made a more serious push into the home and business computing market. And as before, Microsoft is the king of the hill with an estimated 85% market share of office productivity software. But Google has been moving aggressively into the space with several acquisitions (including security firm Mandiant) and added services for its Chronicle platform. Microsoft has paid for similar PR blitzes against Google in the past, however, most notably its “Scroogled” campaign of the early 10s as it attempted to carve out search market share for Bing.

As Casey Bisson, Head of Product and Developer Relations at BluBracket, notes: “Almost exactly 20 years ago, Bill Gates recognized the company’s dismal record on security and set a new path for the company that turned it into a recognized security leader. Unfortunately, there are too many examples of technology from 20 or 40 years ago still carrying on in critical roles in government and many industries. In one of the most famous examples, the Air Force depended on 1970s-era 8-inch floppy disks up until 2019 … There’s lots of opportunity to raise the bar for security in government and critical infrastructure systems, but no vendor has an unblemished security record. Competition over security is good, but security isn’t something a company can buy. It’s something they need to prioritize and practice with every purchase and every decision.”

The Google Cloud survey response was not overwhelmingly against Microsoft, but what sentiment there is might spring from recency bias. Microsoft is currently struggling to keep up with waves of attacks on Azure Active Directory (an estimated hundreds per second at this point), and it was breached by the LAPSUS$ hacker group in late March. The 2021 breach of Microsoft Exchange Server was also big enough to remain in people’s minds a year later. And Microsoft did outpace Google in zero-days in 2021, though the count was 21 to 16.

But Aaron Turner, Vice President of SaaS Posture at Vectra, notes that security concerns are not something that is exclusive to Microsoft: “Let’s be clear: Microsoft has suffered from some significant security problems lately due to the intensifying attacks on Azure Active Directory. What would be Google’s alternative? Google has underinvested in their Workspace solution. There have been times when doing security research into Workspace vulnerabilities when there literally has not been anyone at Google to answer my questions. At times, the lack of direction and strategy within the Workspace product team has created confusion within even their most loyal customers, such as in the case of Meet, Chat and Hangouts … Most telling about Google’s suggestion that they could be a viable alternative to the Microsoft collaboration stack, their proposal flies in the face of NSA guidance about using 3rd party identity providers. Google has no real Identity and Access Management (IAM) strategy. They are years behind anyone and any organization that opts into their Workspace platform will suffer tremendously from Google’s lack of authentication and authorization capabilities. So, the bottom line from my perspective, Google is trying to use the recent spate of Microsoft cloud vulnerabilities to their benefit. Which is what any competitor is bound to do. However, business decision makers should be very wary of turning their enterprise productivity needs over to a company who really doesn’t care about that market from a profitability and revenues perspective. Now, if Google were to make some massive acquisitions in the IAM space, in addition to systems management and combine those with the Mandiant technology, maybe they could really provide an alternative to Microsoft.”