In 2019, the Department of Defense awarded a $10 billion cloud computing contract to Microsoft, known as the “War Cloud” or JEDI contract. The contract’s objective was to modernize the Pentagon’s technology infrastructure and improve military operations. The JEDI contract was cancelled in 2022, but a new contract, the Joint Warfighting Cloud Capability (JWCC), steps up to take its place this year.
However, the contract has raised concerns among Congress and Defense Department officials over potential cybersecurity implications and antitrust violations as Microsoft is relied on more and more for cybersecurity tools and services. This shuts out other vendors and poses potential security risks with so many cybersecurity solutions consolidated to one source.
The $10 billion “War Cloud” contract was awarded to Microsoft by the Pentagon in October 2019, beating out Amazon Web Services in a competitive bidding process. The purpose of the contract was to help the Pentagon modernize its technology systems and improve its military operations, infrastructure, and data storage. This year, the contract has been replaced by the JWCC, which favors a wider net for multiple cloud vendors.
However, this may not be enough. The ending of the JEDI program came with a fair amount of backlash among Pentagon members as the reliance on Microsoft continues to grow. Even now under the new contract, there seems to be an overreliance on Microsoft cloud services to handle the heavy lifting. Saving money is nice, but not when it comes at the cost of security and the creation of a monopoly.
The JEDI contract was just one of many ways that the government relies on Microsoft to manage US military cybersecurity, something that could have drawbacks in the coming years as service prices continue to rise. Overdependence on a single entity for vital security solutions not only locks out competition from solutions that could be superior, but also leads to potential data storage risks.
The Department of Defense’s cloud contract also raised fears of potential security risks, fears that are echoed across other aspects of the ongoing service use. The Pentagon’s data would be moved to a commercial cloud, which could put sensitive information at risk of data breaches, cyber-attacks, or unauthorized access. Microsoft’s prior involvement in government contracts and its relationship with government officials also drew concerns over antitrust violations.
The Defense Department launched an investigation in April 2019 around the JEDI contract to review possible antitrust concerns. An ongoing review into the security implications of the contract is also in progress. Fair and open competition, especially in the cybersecurity solutions space, should be based on merit and use, not just convenience. Currently, worries around the JWCC stem from the bulk of cloud assets and operating systems falling under Microsoft’s umbrella.
Concerns around the JEDI contract prompted Congress to act. In November 2019, Congress requested a review of potential security risks associated with the contract and called for greater transparency in the procurement process. Microsoft and the Defense Department moved to address these concerns by emphasizing security protocols and promoting competition in the technology industry. Microsoft also offered a statement emphasizing its commitment to supporting national security. However, even with the termination of JEDI and replacement with JWCC, there are still concerns with the power Microsoft has within the government.
Since 2017, the DOD has exclusively used the Microsoft Windows operating system on all it’s four million-plus computers and increasingly uses Microsoft’s Azure cloud computing services. Most of all active and reserve military personnel use Microsoft programs like Outlook or Office. Now the government is using Microsoft Defender for Endpoint as well. With use cases rising and competitors left out to dry, it’s looking like Microsoft is setting it’s sights on full software monopoly in the government.
The Pentagon’s JWCC contract with Microsoft has raised significant concerns over potential security risks and antitrust violations. Congress’s response to JEDI was to call for greater transparency and accountability in the procurement process, while Microsoft and the Defense Department made efforts to address these concerns.
Now the stakes are raised as the current JWCC contract appears to appeal to more cloud vendors on the surface, but underneath is an ocean of Microsoft products and controls. There are plenty of options on the table, but when you’re used to using the same software, it’s hard to transition.
If the DOD doubles down on using Microsoft soon, they will be shutting out competitors. It’s the governments responsibility to ensure full and open competition and uphold the law in that regard. Delegating decision authority around cybersecurity to a third party opens up too many problems with not enough solutions, no matter the degree of control. Leaving it up to a third party like Microsoft takes the power away from the government and should be frowned upon, even if it makes their life easier. Security isn’t about ease of use, it’s about effectiveness.