United States Senator Ron Wyden (D-OR) has called for an investigation of Microsoft, claiming the company enabled the Ascension Hospital ransomware incident. Wyden further alleges that “dangerous, insecure software” has been delivered by Microsoft to the U.S. government as well as critical infrastructure entities. 

In a letter from Wyden to FTC Chairman Andrew Ferguson, Wyden states, “Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable.”

Ensar Seker, CISO at SOCRadar, comments, “The letter underscores a long-standing tension in enterprise cybersecurity, the balance between legacy system support and secure-by-default design. What happened at Ascension isn’t just about one bad click or an old cipher. It’s about systemic risk inherited from default configurations and the architectural complexity of widely adopted software ecosystems like Microsoft’s. When a single vendor becomes foundational to national infrastructure, their security design decisions, or lack thereof, can have cascading consequences.

“From a technical standpoint, allowing deprecated encryption like RC4 to remain enabled by default, even at 0.1% usage, introduces avoidable exposure. The challenge is that many organizations still rely on legacy applications that can break when more secure defaults are enforced. Vendors are often reluctant to force those changes out of fear of business disruption, but in security, inertia can be dangerous.

“This incident also reinforces the importance of zero-trust segmentation and endpoint detection. A single compromised contractor laptop should never have been able to reach Active Directory in the first place. That speaks to deeper gaps in lateral movement defenses, privilege boundaries, and user behavior monitoring, not just a software flaw.

“Ultimately, this isn’t about blaming one company. It’s about recognizing that national security is now tightly coupled with the configuration defaults of dominant IT platforms. Enterprises and public sector agencies alike need to demand more secure-by-design defaults and be ready to adapt when they’re offered.”

This is not the first time that Wyden has called for the company to be held accountable for such negligence. In July 2023, Wyden requested an investigation into the organization after allegedly “lax cybersecurity practices” enabled Chinese espionage.