Two Microsoft stories dropped this week. On the surface they look unrelated. They’re not.

Act one: ProPublica published findings on GCC High, Microsoft’s cloud platform for federal agencies handling sensitive data. Justice Department. Department of Energy. Defense contractors. FedRAMP reviewed it over five years, more than 480 hours, 18 deep dives. The reviewers couldn’t assess the platform’s overall security posture. Basic documentation was missing. Data flow diagrams. Fundamental stuff. One reviewer called the submission “a pile of shit.”

FedRAMP authorized it anyway, in an unusual move that attached a formal buyer-beware caveat to the official record. Bruce Schneier called it security theater. That’s about right.

This is happening in the same period in which the Cyber Safety Review Board described Microsoft’s security culture as “inadequate” in its review of the Storm-0558 breach that hit multiple US government agencies. The CSRB is a federal body. “Inadequate” is unusually direct language for government writing.

Act two: Jason Donenfeld, the lead developer of WireGuard, had his Microsoft developer account suspended with no notification. Zero emails. His account was just gone. Without that account, WireGuard can’t get its Windows drivers signed, and without signed drivers it can’t ship updates for Windows. WireGuard is the VPN protocol running under Mullvad, Proton, Tailscale, and most serious privacy-focused products.

Mounir Idrassi, who maintains VeraCrypt, is facing a certificate expiry from the same lockout. VeraCrypt handles full-disk encryption. A certificate expiry can mean Windows refusing to boot. Windscribe VPN was also locked out. “Support is non-existent,” they said, after more than a month.

When the story went public, a Microsoft rep posted on X: “All being fixed as we speak.”

That’s the self-correction mechanism. Not a monitoring system. Not an escalation queue. A tweet.

The failure is identical in both cases. The process ran. Forms were filed, programs were executed, reviewers raised concerns. And in both cases, the actual goal of the process wasn’t achieved. Nobody inside caught either problem before it became one. The WireGuard lockout required public embarrassment to fix. The GCC High situation has no equivalent fix in sight; the contracts are already signed.

Microsoft knows what the problem is. The CSRB said it plainly. The reviewers said it too. Knowing and fixing are different things.
The full story on both failures, what they have in common, and why the gap between knowing and fixing is where the risk lives