By AJ Vicens

(Reuters) -U.S. Democratic Senator Ron Wyden on Wednesday requested the Federal Trade Commission "investigate and hold Microsoft responsible" for its role in a string of high-profile cybersecurity incidents in recent years, saying the company's approach to security "continues to threaten U.S. national security."

Wyden wrote in a September 10 letter to FTC Chairman Andrew Ferguson that the tech giant's "gross cybersecurity negligence" has resulted in ransomware attacks against critical infrastructure, including U.S. health care organizations at least in part due to default configurations in the Windows operating system.

"At this point, Microsoft has become like an arsonist selling firefighting services to their victims," Wyden wrote, and government agencies and other companies have "no choice" but to use the company's products due to its "near-monopoly over enterprise IT."

An FTC spokesperson acknowledged that the agency had received the letter but declined to comment further.

Widen said a prime example was the May 2024 ransomware attack on hospital operator Ascension, which according to the company exposed private medical and insurance data of nearly 5.6 million people. 

Wyden wrote that the hospital operator told his staff that a contractor using an Ascension laptop clicked on a malicious link served up by Microsoft's Bing search engine, which then allowed the hackers to gain access to the company's network and ultimately the organization's Microsoft Active Directory server, which is used to manage user accounts.

Microsoft's support for outdated encryption technology and default configuration settings set up by Microsoft allowed for the attack approach in the Ascension case, according to Wyden, and Microsoft has not done enough to educate companies about how to mitigate the threat.

A Microsoft spokesperson said Wednesday that RC4, the encryption standard referenced by Wyden, is old and makes up "less than .1% of our traffic," and that the company discourages customers from using it. 

"However, disabling its use completely would break many customer systems," the spokesperson said, and the company is gradually reducing the extent to which customers can use it while trying to provide warnings and guidance on the safest way to use it. 

RC4 will be disabled by default in certain Windows products starting the first quarter of 2026, and the company will include "additional mitigations" for existing deployments, the spokesperson said. 

Wyden has previously pushed for U.S. government investigation and review of Microsoft's role in cyberattacks, including after revelations in July 2023 that Chinese-linked hackers stole thousands of U.S. officials' emails.