by Renee Dudley, with research by Doris Burke
ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive our biggest stories as soon as they’re published.
In the summer of 2021, President Joe Biden summoned the CEOs of the nation’s biggest tech companies to the White House.
A series of cyberattacks linked to Russia, China and Iran had left the government reeling, and the administration had asked the heads of Microsoft, Amazon, Apple, Google and others to offer concrete commitments to help the U.S. bolster its defenses.
“You have the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity,” Biden told the executives gathered in the East Room.
Microsoft had more to prove than most. Its own security lapses had contributed to some of the incursions that had prompted the summit in the first place, such as the so-called SolarWinds attack, in which Russian state-sponsored hackers stole sensitive data from federal agencies, including the National Nuclear Security Administration. Following the discovery of that breach, some members of Congress said the company should provide better cybersecurity for its customers. Others went further. Sen. Ron Wyden, a Democrat who chairs the Senate’s finance committee, called on the government to “reevaluate its dependence on Microsoft” before awarding it any more contracts.
In response to the president’s call for help, Microsoft CEO Satya Nadella pledged to give the government $150 million in technical services to help upgrade its digital security.
On the surface, it seemed a political win for the Biden administration and an instance of routine damage control from the world’s largest software company.
But Microsoft’s seemingly straightforward commitment belied a more complex, profit-driven agenda, a ProPublica investigation has found. The proposal was, in fact, a calculated business maneuver designed to bring in billions of dollars in new revenue, box competitors out of lucrative government contracts and tighten the company’s grip on federal business.
The White House Offer, as it was known inside Microsoft, would dispatch Microsoft consultants across the federal government to install the company’s cybersecurity products — which, as a part of the offer, were provided free of charge for a limited time.
But once the consultants installed the upgrades, federal customers would be effectively locked in, because shifting to a competitor after the free trial would be cumbersome and costly, according to former Microsoft employees involved in the effort, most of whom spoke on the condition of anonymity because they feared professional repercussions. At that point, the customer would have little choice but to pay for the higher subscription fees.
Two former sales leaders involved in the effort likened it to a drug dealer hooking a user with free samples. “If we give you the crack, and you take the crack, you’ll enjoy the crack,” one said. “And then when it comes time for us to take the crack away, your end users will say, ‘Don’t take it away from me.’ And you’ll be forced to pay me.”
If we give you the crack, and you take the crack, you’ll enjoy the crack. And then when it comes time for us to take the crack away, your end users will say, ‘Don’t take it away from me.’
—former Microsoft sales leaderThe company, however, wanted more than those subscription fees, former salespeople said. The White House Offer would lead customers to buy other Microsoft products that ran on Azure, the company’s cloud platform, which carried additional charges based on how much storage space and computing power the customer used. The expectation was that the upgrades would ultimately “spin the meter” for Azure, helping Microsoft take market share from its main cloud rival, Amazon Web Services, the salespeople said.
In the years after Nadella made his commitment to Biden, Microsoft’s goals became reality. The Department of Defense, which had resisted the upgrades for years due to the steep cost, began paying for them once the free trial ended, laying the groundwork for future Azure consumption. So did many civilian agencies. The White House Offer got the government “hooked on Azure,” said Karan Sondhi, a former Microsoft salesperson with knowledge of the deals. “And it was successful beyond what any of us could have imagined.”
But while Microsoft’s gambit paid off handsomely for the company, legal experts told ProPublica the White House Offer deals never should have come to pass, as they sidestep or even possibly violate federal laws that regulate government procurement. Such laws generally bar gifts from contractors and require open competition for federal business.
Accepting free product upgrades and consulting services collectively worth hundreds of millions of dollars is “not like a free sample at Costco, where I can take a sample, say, ‘Thanks for the snack,’ and go on my merry way,” said Eve Lyon, an attorney who worked for four decades as a procurement specialist in the federal government. “Here, you have changed the IT culture, and it would cost a lot of money to go to another system.”
Microsoft defended its conduct. The company’s “sole goal during this period was to support an urgent request by the Administration to enhance the security posture of federal agencies who were continuously being targeted by sophisticated nation-state threat actors,” Steve Faehl, the security leader for Microsoft’s federal business, said in a statement. “There was no guarantee that agencies would purchase these licenses,” and they “were free to engage with other vendors to support their security needs,” Faehl said.
Pricing for Microsoft’s security suite was transparent, he said, and the company worked “closely with the Administration to ensure any service and support agreements were pursued ethically and in full compliance with federal laws and regulations.” Faehl said in the statement that Microsoft asked the White House to “review the deal for antitrust concerns and ensure everything was proper and they did so.”
The White House disputed that characterization, as did Tim Wu, a former presidential adviser who told ProPublica he discussed the offer with the company in a short, informal chat prior to the summit but provided no signoff. “If that’s what they’re saying, they’re misrepresenting what happened on that phone call,” he said.
A current White House official, in a statement to ProPublica, sought to distance the administration from Microsoft’s offer, which it had previously heralded as an “ambitious” cybersecurity initiative.
“This was a voluntary commitment made by Microsoft … and Microsoft alone was responsible for it,” the White House official said in the statement. Furthermore, they said the decisions to accept it were “handled solely by the respective agencies.”
“The White House is not involved in Agency decisions regarding cybersecurity and procurement,” the official said.
The official declined to comment on the legal and contracting concerns raised by experts but noted in the statement that the White House “is broadly concerned” about the risks of relying too much on any single technology vendor and “has been exploring potential policy steps to encourage Departments and Agencies to diversify where there is concentration.” Cybersecurity experts say that such concentration can leave users vulnerable to attack, outages or other disruption.
Yet the White House summit ushered in that very type of concentrated reliance, as well as the kind of anticompetitive behavior that the Biden administration has pledged to stamp out. Former Microsoft salespeople told ProPublica that during their White House Offer push, they advised federal departments to save money by dropping cybersecurity products they had purchased from competitors. Those products, they told them, were now “redundant.” Salespeople also fended off new competitors by explaining to federal customers that most of the cybersecurity tools they needed were included in the upgraded bundle.
Today, as a result of the deals, vast swaths of the federal government, including all of the military services in the Defense Department, are more reliant than ever on a single company to meet their IT needs. ProPublica’s investigation,........