Microsoft has the US Navy over a barrel, as the service admits it can’t separate its custom-built cloud environment from Azure infrastructure without a complete rebuild “from the ground up.”
The Naval Sea Systems Command (NAVSEA) published a sole-source justification letter on Tuesday (with award amounts redacted, naturally) explaining how it can’t transition its custom cloud platform to a higher Department of Defense (DoD) security level without Microsoft.
Per the justification letter, NAVSEA Cloud was built with total dependency on services like Azure Data Transfer, Azure Kubernetes Service, Azure SQL PaaS, and others.
“Without the use of these services, the NAVSEA Cloud Program mission systems would be unable to provide critical mission capabilities,” the letter argued. “It is infeasible to modify Microsoft’s unique applications to work within another cloud service provider’s environment.”
NAVSEA says moving the environment to another cloud provider would require a ground-up rebuild and delay the program by at least 36 months. Not only that, but the Navy would also be duplicating its costs by keeping NAVSEA Cloud running on Azure “while refactoring it on another platform, none of which would meet the Government’s minimum need.”
That’s not to say NAVSEA didn’t attempt to solicit ideas from the other cloud providers who are part of the Defense Department’s Joint Warfighting Cloud Capability program (i.e., AWS, Google, and Oracle). It claimed to have spoken to all of them, and each “confirmed their lack of ability to support the full NAVSEA Cloud requirement in its current configuration or timeframe.”
“Only Microsoft confirmed service parity with the current environment and the ability to meet mission needs without introducing unacceptable operational risk,” NAVSEA explained in the justification letter.
Microsoft has done an excellent job of making itself indispensable to the US government, which continues to pay it bundles of cash despite a number of high-profile cybersecurity failures at the Windows giant that have affected Uncle Sam directly.
In a couple of examples, both Russia and China broke into Microsoft systems in recent years, with the latter case seeing Sino spies snatch emails belonging to high-ranking government officials. A SharePoint vulnerability was also exploited to target an unnamed Western government over the summer,
Earlier this year, Redmond was exposed for using Chinese-based employees to support DoD cloud services. Microsoft said it ended the practice and the Pentagon then launched a review and later banned it.
It’s not clear if NAVSEA Cloud was among those Chinese-managed systems, but it’s still surprising to see Microsoft being rewarded yet again for its failure to secure government systems. Then again, if there’s nowhere for them to go without spending inordinate amounts of money, those security failures don’t matter so much.
NAVSEA said it plans to structure future cloud infrastructure deals so they use open containerization standards not tied to a single cloud service provider. As for why the Navy let NAVSEA Cloud be built this way in the first place, we won’t know without an explanation, and we didn’t hear back from any PR-savvy sailors.
We didn’t hear back from Microsoft, either. ®