In its most insane attack yet against Microsoft, Google this week claimed that using Microsoft technologies made governments less secure. But it has no data to back up that claim at all.
Google senior director Jeanette Manfra cites—actually, mischaracterizes—a survey by Public Opinion Strategies that Google itself commissioned as evidence for this claim. But there’s no real evidence: the survey relies on the opinions of a small selection of U.S. workers, only a fraction of whom (338 of 2,600) are even government employees.
“The Public Opinion Strategies survey found that more than half of all respondents said that the government’s reliance on these Microsoft products actually made the federal government more vulnerable to hacking or cyberattacks,” Manfra writes. But the slide she then provides, detailing the survey results, makes a very different point: that “workers [not specifically government workers] are pretty divided on whether the federal government’s reliance on Microsoft makes it more or less vulnerable.”
She then goes on to say, “given these vulnerabilities, why does government IT continue to rely on the same set of productivity tools in the workplace?” Whoa, whoa. What vulnerabilities? The survey doesn’t provide evidence of actual vulnerabilities, let alone successful attacks. It cites the opinions of “workers” about whether they believe their agencies’ reliance on a single software vendor—Microsoft—could lead to more vulnerabilities.
Really, what this survey is about is whether relying on a single software supplier could make the government more or less vulnerable to attack. It’s only about Microsoft in the sense that the survey shows that 85 percent of government employees overall use Microsoft productivity software, while 84 percent of D.C. metro government employees primarily use Microsoft products at work. In other words, what Google is really worried about is getting a seat at the table.
And Manfra admits that.
“At Google Cloud, we believe it’s time for more diversity and choice in the tools available for our civil servants across the nation, 70 percent of whom use Gmail outside of work, according to our survey,” she concludes. “Government workers have the right to benefit from the same flexible, secure-by-design tools at the office that they use in their personal lives. You can learn more about Google Workspace for Government here.”
In other words, monoculture is fine when Google is in the lead. But monoculture in the government isn’t, because Microsoft is in the lead and because Google was able to pay for a study showing that some employees—mostly not government employees, and certainly not government decision-makers, but “workers”—have some “concerns.”
PS: One final point. I often get weird pushback from some people when I cite AdDuplex numbers for Windows usage share, which are based on monthly surveys of several thousand PCs. For example, the most recent report is based on a survey of about 5,000 Windows Store apps. This Google report is based on a survey of “2,600 working Americans,” but only 338 of them are “workers employed by federal, state, or local governments across the country.” I think we all understand that one can use any statistics to make any point, but this survey isn’t broad enough to make any point, let alone Google’s.
This is insane.
<p>As Mark Twain said, "There’s lies, damn lies and statistics". Or something like that. Googled again.</p>
<p>…another one from Andrew Lang: “he uses statistics as a drunken man uses lampposts—for support rather than illumination “</p>
<p>Let’s just say Google has tried the same BS when it approaches our leadership where we have 1000s of desktops and laptops and tried to push G Suite. Swapping one monoculture for another isn’t being more safe. </p>
<p>Statistics and polls are worthless these days. Anyone can manipulate the numbers to say what they want. It doesn’t make them accurate.</p>
<p>"It’s only about Microsoft in the sense that the survey shows that <strong>85 percent</strong> of government employees overall use Microsoft productivity software, while <strong>84 percent</strong> of D.C. metro government employees primarily use Microsoft products at work."</p><p>I must be having one of those old-timer days because I can’t figure out where those percentages come from. Are they from a part of the survey not referenced, or am I just missing something (a very real possibility these days)?</p>
<p>Yes, you are missing the un-referenced survey that Google did. "Google senior director Jeanette Manfra cites—actually, mischaracterizes—a survey from the Public Opinion Strategies that was commissioned by Google as evidence of this claim."</p><p><br></p><p>As Paul also mentioned, the survey only used about 2,500 people, and about 338 of them are government workers. It’s an extremely small survey sample, practically used to give Google the numbers it wanted.</p>
<p>I look forward to the counter-attack from <em>Apple</em>, who will say that using <em>Android</em> for government-employee phones is less secure, given how much more often there are rogue apps in their store than in <em>Apple’s</em>.</p><p><br></p><p>And I’m sure <em>Microsoft</em> could demonstrate that, even with their telemetry in <em>Windows 10</em> and <em>11</em>, they still hoover up way less user data than <em>Google</em> does!</p>
<p>I assume different agencies operate independently, but I imagine they all follow some set of government-wide standards that are fairly strict, and I guess State and Defense would bump up the standards quite a lot. </p><p><br></p><p>My SO works for the Commerce Department, and her particular Bureau’s machines require RSA SmartCards to be inserted before they’ll even boot and decrypt the disk, much less log on. That’s a lot stricter than I’ve ever seen in a corporate environment. They also had a lot of PrintNightmare issues recently, which suggests they were quick to patch. I would guess the back-end is similarly locked-down. </p><p><br></p>
<p>She also has a special government-issued iPhone. My company, in contrast, just forces us to enroll our personal phones into Microsoft Intune.</p><p><br></p>
<p>Ha, over my dead body would I agree to that. The company wants me to use a phone for work, they can give me one. I am not installing management software on my personal device for anyone. </p>
<p>Lol, millions do it all the time. At my company we use Intune if you want your company email, along with Azure Conditional Access. Company email on your device is not a requirement; you will just not have it unless you allow Intune.</p><p><br></p><p>BTW – Intune only touches the corporate stuff. If you leave or we quit you, we can use it to remove only corporate data. Prior to using Intune we used AirWatch to do the same thing. There are a handful (10 or so out of thousands) that back off because they read something on the internet that we will track them and see everything they do on their phones.</p><p><br></p><p>I bet they keep on using Facebook, Instagram, Twitter, Gmail, Google Maps, YouTube and WhatsApp on a daily basis.</p>
<p>Yeah, and millions still watch reality TV and use algorithm-driven social media. Doesn’t make it less of a bad idea. </p><p>I can’t imagine why anyone would volunteer to have company comms in their phone if it wasn’t a requirement, there is overwhelming evidence that being always connected is terrible for mental health. </p>
<p>We keep it separate. This also has the added benefit, that when we leave the office, we can leave our company phones there (or if we are in home office, we can turn them off).</p>
<p>My employer has a strict policy:</p><p><br></p><p>No personal data on business devices. No business data on personal devices. No exceptions. Even the board has to have a second, private phone for all their private activities.</p>
<p>I would absolutely hate having two phones. </p>
<p>You get used to it. In home office, my company phone just lays on my desk next to my PC, day-in-day-out. It is there when I am "in the office", but ignored when I’m not. </p><p><br></p><p>The same for going to work, when I get to work, I take it out of my bag and put it on my desk, when I leave work, I put it back in my bag and forget about it, until I am back in the office.</p><p><br></p><p>My personal phone goes around with me, when I’m out and about.</p><p><br></p><p>It is a great way of keeping work and private lives separate. None of my managers or co-workers have my private number and I don’t need to individually mute apps or accounts on my private phone, once I leave the office in the evening / unmute when I "get to work".</p>
<p>"Microsoft technologies" – which ones? I mean we are talking about Government agencies… Are they speaking of Microsoft Cloud technologies or older on-prem technologies? If Google is trying to compare their Cloud tech to Microsoft’s older on prem technology (we are discussing governments here) then this would appear to be an Oranges to Bananas comparison before one even considers the statistics angle. Crazy…</p>
<p>Reminds me of these Microsoft-sponsored smear campaigns against cancerous Linux around the turn of the century. You know, those with doctored statistics and misrepresented facts. Guess it does not feel so nice and so unfair when you sit on the other side of that particular table for once.</p>
<p>I think there are security related arguments you could make against Windows in general:</p><ul><li>You can’t view the source code to verify its security for yourself (nor can anyone else)</li><li>There are hundreds of CVEs that get patched, so much so that Microsoft had to dedicate an entire day each and every month to do them all in</li><li>Unix & Linux have always been way better for security and stability compared to DOS, just look at the historical claims from OpenBSD (Only two remote holes in the default install, in a heck of a long time!)</li><li>Windows is forced to support all this legacy junk by the demands of its very own customer base, and the golden rule of good security practices is to have a very minimal setup to reduce and lessen the overall number and size of the attack vectors possible</li></ul><p><br></p><p>Does Paul Thurrott run his very own website on a Windows webserver or is it Linux based?</p><p>Does Paul’s home router and firewall run Windows or Linux?</p><p>Does Paul’s phone run Windows or Linux?</p><p><br></p><p>Windows is mostly geared towards enterprise-grade productivity and high-end gaming use only. The rest of your use-cases can and should be done with all of the better devices available today (androids/iphones, ipads/chromebooks, macs/linux-servers, etc.). Heck, even on Leo Laporte’s own radio show, he highly discourages the use of Windows unless *absolutely* necessary!</p>
<p><em>I think there are security related arguments you could make against Windows in general:</em></p><ul><li><em>You can’t view the source code to verify its security for yourself (nor can anyone else)</em></li><li><em>There are hundreds of CVEs that get patched, so much so that Microsoft had to dedicate an entire day each and every month to do them all in</em></li><li><em>Unix & Linux have always been way better for security and stability compared to DOS, just look at the historical claims from OpenBSD (Only two remote holes in the default install, in a heck of a long time!)</em></li><li><em>Windows is forced to support all this legacy junk by the demands of its very own customer base, and the golden rule of good security practices is to have a very minimal setup to reduce and lessen the overall number and size of the attack vectors possible</em></li></ul><p><br></p><p>You can’t view Google’s source code either.</p><p>Every OS gets regularly patched – although my Linux distribution gets daily patches, usually a few hundred every week. CVEs for UNIX/Linux are just as common and can be just as bad (just look at the Bad Pipe vulnerability from last month).</p><p>UNIX and Linux (and the applications that are installed on them) can be very vulnerable. You need to know exactly what you are doing to ensure they are properly locked down. 
A lot of OSS databases "default open", for example, meaning that the databases "in the cloud" are often open to everyone, because the web devs don’t know the first thing about security and the database devs made setting up a working instance as easy as possible, which means it is open for all to access and needs to be locked down, to be safe, before it is made accessible from the Internet – in fact, in a majority of cases, they should be behind firewalls and only the web-server should be allowed to access the database!</p><p>Also, DOS hasn’t been a consideration in desktop operating systems in business for well over 2 decades, so I don’t even know why it was mentioned. Also, a standard install of Linux/UNIX includes OpenSSL and that had some major holes in it a few years back. Go through the CVEs and you’ll find plenty of Linux based ones, and UNIX based ones.</p><p>Have you looked at the junk in the Linux Kernel? They dropped ISA-Bus support only recently.</p><p><br></p><p>Yes, Linux and UNIX code can generally be looked at by everybody and you can tighten up the security on a Linux Server. But the same is true of Windows servers; if you know what you are doing, you can make them reasonably safe as well. Neither is safe enough by default to be let loose on the Internet without further tightening up of the standard configuration.</p><p><br></p><p>I used to work for an open source security company (the creators of openVAS). Their internal Wiki had long documents on how to configure your Linux workstation for optimal security and how to set up a new Linux server to be secure (including which packages to remove/disable from a standard installation). Setting up a new Internet facing server (all Linux) took a long time and a lot of testing before they would be approved for release. 
And we’d be applying patches to them every few days as new bug fixes and security patches to fix known zero-days were released.</p><p><br></p><p>No operating system is "secure by default" and no operating system is bug free, every piece of software has bugs that can be exploited in unknown ways. Running UNIX/Linux "because it is more secure," is a folly that can only lead to disaster. If you don’t know how to batten down the hatches on Linux, you shouldn’t be exposing it to the Internet.</p><p><br></p><p><em>Does Paul Thurrott run his very own website on a Windows webserver or is it Linux based?</em></p><p><em>Does Pauls home router and firewall run Windows or Linux?</em></p><p><em>Does Pauls phone run Windows or Linux?</em></p><p><br></p><p>What does it matter, one way or the other, for this article? The whole point is diversity is better. The point was that Google was saying more diversity in government systems is needed, <strong>as long as it all runs on Google.</strong></p><p><br></p><p>Diversification makes it harder to capture the whole infrastructure through one vulnerability. But it only makes it harder, not impossible.</p><p><br></p><p><em>Windows is mostly geared towards enterprise-grade productivity and high-end gaming use only. The rest of your use-cases can and should be done with all of the better devices available today (androids/iphones, ipads/chromebooks, macs/linux-servers, etc.). Heck, even on Leo Laporte’s own radio show, he highly discourages the use of Windows unless *absolutely* necessary!</em></p><p><br></p><p>It depends on what you are trying to do and, whilst Windows has a lot of problems, so do those others. 
All of them had major critical vulnerabilities patched last week that needed immediate patching (Linux Bad Pipe, among others; ChromeOS had a major CVE in its Blink engine, as did Chrome/Chromium browsers on Android and Windows; iPadOS, iOS and macOS all had critical updates to vulnerabilities being exploited in the wild).</p><p><br></p><p>Windows, like Linux, is too complex to get set up securely by the layman. Chromebooks are easier to use and more restricted in what they can do, which minimises the attack surface, but they aren’t invulnerable. iPads, iPhones and Android devices are the same: they offer an easier way to get going and a more restricted experience, which makes them safer for the layman, but, again, it doesn’t make them invulnerable. macOS sits somewhere between Windows/Linux and Android/iOS.</p><p><br></p><p>Now, if you’ll excuse me, my Linux workstation has 293 updates waiting to be installed.</p>
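<p>The “default open” database posture the comment above describes can be checked mechanically. The following is an added example, not code from the thread or from any project mentioned on the page. It audits a Redis-style configuration because Redis exposure comes down to three well-known directives: <code>bind</code> (absent means every interface), <code>requirepass</code> (absent means no authentication), and <code>protected-mode</code> (since Redis 3.2, defaults to <code>yes</code>, and only refuses non-loopback clients while <em>no</em> <code>bind</code> and <em>no</em> password are set). The sample configurations embedded in the block are constructed for the example; the hostnames, port and password in them are placeholders.</p>

```python
"""Added example: flag Redis configs that are reachable by anyone who can
route to the port, i.e. the state that must be fixed before the host faces
anything other than the web server. Sample configs below are constructed."""
from typing import Dict, List

# Values of 'bind' that attach the listener to every interface.
ALL_INTERFACES = {"0.0.0.0", "::", "*", "-::*"}


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'directive arg...' lines; blanks and '#' comments are skipped.
    Redis honours the last occurrence of a repeated directive, so we do too."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return finding tags; "EXPOSED" means unauthenticated commands are
    accepted from any host that can reach the port."""
    conf = parse_conf(text)
    findings: List[str] = []

    bind = conf.get("bind")
    listens_everywhere = bind is None or any(a in ALL_INTERFACES for a in bind)
    if listens_everywhere:
        findings.append("bind-all")

    password = conf.get("requirepass") or []
    has_password = bool(password) and password[0].strip('"') != ""
    if not has_password:
        findings.append("no-auth")

    protected_setting = (conf.get("protected-mode") or ["yes"])[0].lower() == "yes"
    if not protected_setting:
        findings.append("protected-mode-off")
    # Protected mode only engages while 'bind' is absent and no password is
    # set; an explicit 'bind 0.0.0.0' switches it off without any warning.
    protected_active = protected_setting and bind is None and not has_password

    if listens_everywhere and not has_password and not protected_active:
        findings.append("EXPOSED")
    return findings


# Constructed sample configurations (placeholders, not real deployments).
OPEN_CONF = """
# pre-3.2 style: no bind line, no password, protection disabled
port 6379
protected-mode no
"""

MODERN_DEFAULT_CONF = """
# listens everywhere, but protected mode turns away non-loopback clients
protected-mode yes
"""

BIND_ALL_TRAP_CONF = """
# the usual "make it work from the app container" edit; protected mode no longer applies
bind 0.0.0.0
protected-mode yes
"""

HARDENED_CONF = """
# loopback plus the one internal address the web server uses, and a password
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass example-only-not-a-real-secret
"""

if __name__ == "__main__":
    for name, conf in [("open", OPEN_CONF), ("modern-default", MODERN_DEFAULT_CONF),
                       ("bind-all-trap", BIND_ALL_TRAP_CONF), ("hardened", HARDENED_CONF)]:
        print(f"{name:15s} {audit_redis_conf(conf) or ['ok']}")
```

<p>The third sample is the case worth remembering: the developer keeps <code>protected-mode yes</code>, adds <code>bind 0.0.0.0</code> so the application container can connect, and the instance is now exactly as open as the old default. The hardened sample does what the comment recommends: bind only to loopback and the address the web server reaches, require a password, and still put a firewall in front.</p>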
<p>Without intending offense, a survey (not a study) asking the average worker to make guesses on cybersecurity, with no knowledge of or experience in the topic, has zero value. </p><p><br></p><p>There have been high level Microsoft security incidents, sure. The State Department’s Exchange server got hacked, for one. But that tells you nothing about what other, competing products would do in the same situation. </p><p><br></p><p>The other problem is that Google’s "support" effectively does not exist. Google doesn’t actively support (someone to contact when something doesn’t work) almost anything they make. They also get bored and cut products off constantly, with short term warning at best. When you’re running an environment with thousands to tens of thousands of people, you can’t do business with a company who doesn’t support their products and that may completely pull the rug from under you at any given moment.</p><p><br></p><p>Microsoft, for all their problems, is much better at the long term support that’s necessary for adding technology that might improve business, as opposed to trying to find workarounds because the vendor won’t help you or scrambling teams of people twice a year because a tool you rely on is being axed for no reason.</p><p><br></p><p>The other issue is that Google’s productivity products are not functional enough for complex work. Docs, Sheets, etc. are fine for simple documents and tables, but doing complex work with them is limited at best. (And yes, Word is a pain to use for complex documents, but at least it’s capable.)</p><p><br></p><p>On a personal level, Gmail’s email threading sucks. I can’t quantify this, but the use case for an individual is not the same as it is for a work environment, where email threading really matters. Outlook email threading is easy to understand. 
GMail is backward, out of order, hides previous replies, and when you start expanding messages to figure out what the previous messages were, you’re lost almost instantly. I think half the reason Slack exists is that GMail’s email threading is so terrible.</p>
<p>Hi. Actual Government worker here. An IT Director, mind you. I’m pretty confident about my Office 365 GCC 3 deployment, along with Azure AD, and some on-premises systems that rely on Windows-based servers.</p><p><br></p><p>I can ASSURE you, my workers (90%) ask for iPhones and iPads and Surface tablets. Very few ask for Android-based devices. Even fewer know, or care, what "cloud" they’re on.</p><p><br></p><p>As for security, end-users are always the weak link, regardless of what device/platform they use.</p>
<p>Every product that Google makes collects data. They may not use it for directing ads, but the information is collected anyway, and you can be sure it is not directed to the ether.</p>
<p>85% of statistics are made up on the spot…</p>
<p>I thought it was 87.5%…</p>
<p>The House of Representatives should drag Google into a hearing and make them explain their claims and show cause for their public statements. And there should be consequences if they fail to back up their claims with data. Microsoft should sue the daylights out of them. The EU would not stand for this behavior (and may not yet). </p>
<p>Does any part of the survey ask these supposed security experts how they would respond to an email from the CEO or their company asking them to send a gift card on his behalf?</p><p><br></p><p>Or any other social engineering attack?</p><p><br></p><p>IT and software don’t make organizations vulnerable…the employees do. </p>
<p>so much for "do no evil"</p>
<p>They didn’t say ‘speak no evil’. That’s a different monkey.</p>
<p>I’m one of those people who objects to using AdDuplex as a source of Windows usage data.</p><p><br></p><p>AdDuplex, as you say, uses stats from ‘5000 Microsoft Store Apps’ to collect data. That’s a problem.</p><p><br></p><p>My workplace does not use the Microsoft Store. In fact, Store access is blocked. Applications are managed and installed by (Microsoft) SCCM, which is what most (perhaps all) large Windows-using enterprises would do.</p><p><br></p><p>The Store measures the consumer segment only. Microsoft’s heartland is the enterprise segment.</p><p><br></p><p>Ergo, AdDuplex stats are useless. Completely useless.</p>
<p>I’ve worked at several companies over the last decade, since Windows 8 was released. At each and every one of them, the App Store was always disabled by policy. None of the thousands of PCs have access to store apps.</p><p><br></p><p>That said, you have to get the information from somewhere and AdDuplex is about the only way you can do it, other than registering website visits, but that, again, is the same problem, I’ve never visited any of the sites the major metrics companies monitor and I have most tracking domains blocked at the DNS level at home, so even if I visited one of those sites, the metrics companies would never notice.</p><p><br></p><p>At the end of the day, you have to use what data is available and try and extrapolate from there.</p>
<p>Agree with you that AdDuplex numbers don’t represent the real world. Our enterprise (70,000 devices) does use the Store for Business, but not the public store. Of course Store for Business is being turned off by Microsoft soon. And as a consumer at home I don’t use the store for much either. I got Photoshop Elements from there, but I can’t think of any other store app I’ve installed. Not sure WHO AdDuplex is representative of, but the numbers are definitely not worth using.</p>
<p>Their survey is a farce. I work for the government in IT and cannot picture how exactly Google would make anything more secure. As for Google’s productivity apps, no thanks. I would rather use Libre Office, but am quite happy with O365.</p>
<p>While there is some truth in that a monoculture (compared to multiple tech/vendors) means a vulnerability could spread across everything, it’s also more difficult to properly secure multiple vendors systems rather than just one.</p><p><br></p><p>As Paul’s said, this is self-serving nonsense from Google.</p>
<p>This campaign smells a lot like the Scroogled campaign that Microsoft ran. Lacking on facts and self-serving. At the time I was the only windows person complaining about it. Disappointing then and disappointing now</p>
<p>As my father would say "Figures don’t lie, but liars figure"</p>
<p>"Less secure", "More vulnerable" ….. than what?</p>
<p>Oh that’s for sure an objective claim /s</p>
<p>Hard truth here.</p><p>Microsoft is a technology & Software Developer; Google is an Advertising & Data-gathering company which uses its various "Tools" (Productivity & otherwise) to accumulate data & use it for commercial purposes.</p><p><br></p><p>Choosing which Company to use for which purpose should not be hard & no number of fictitious "surveys" will change that.</p>