Microsoft Subnet An independent Microsoft community View more

Microsoft says Google made 'misleading security claims to the government'

Google sued the U.S. government for buying Microsoft instead of Google based on claims

An attorney for Microsoft has all but called Google a liar. Google bragged that its cloud offering for the government had achieved a top federal security certification when it hadn't, unsealed court documents reveal. Based on this claimed security certification, Google filed a lawsuit against the government last year. Google sued after the

Google Apps for Government FISMA
Department of the Interior awarded a five-year contract worth up to $59.3 million to Microsoft for its Business Productivity Online Standard Suite (BPOS) cloud, which offers Exchange e-mail and SharePoint as a service.

Have a laugh: Steve Ballmer vs. e-mail emoticons

Central to Google's lawsuit argument was that Google's competitive offering, Google Apps for Government, had achieved Federal Information Security Management Act (FISMA) certification when BPOS had not. But, it was another cloud app, Google Apps Premier, that had really earned the FISMA standard of approval. Google Apps for Government didn't even exist at the point when the Department of the Interior was investigating its cloud e-mail options. Indeed, Google was still working its way through the FISMA certification process for the offering when Google sued, and didn't have it even a month later, when these court documents on the case were filed. Microsoft's federal BPOS has since been granted the FISMA seal of approval.

Today, Microsoft lawyer David Howard, called Google out in a blog post called Google’s misleading security claims to the government raise serious questions. He wrote:

"I’ll be the first to grant that FISMA certification amounts to something. ...So imagine my surprise on Friday afternoon when, after some delay, some of the court papers were unsealed, at least in part. There for all to see was a statement by the Department of Justice contradicting Google on one of its basic FISMA claims. The DOJ’s brief says (on page 13) 'On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification.'

What was Google's rationale for claiming Google Apps for Government had earned FISMA? The company was adding more security to it than was present in the Premier version, ergo, it figured FISMA certification was an eventual no-brainer. The lack of an actual FISMA certification was a mere technicality, a San Francisco Chronicle column claims. The government's lawyers who penned the brief in December further note that:

"However, Google intends to offer Google Apps for Government as a more restrictive version of its product and Google is currently in the process of finishing its application for FISMA certification for its Google Apps for Government. To be clear, in the view of the GSA, the agency that certified Google’s Google Apps Premier, Google does not have FISMA certification for Google Apps for Government."

Problem is, Google would be adding the wrong-kind of extra security to make its Government offering "more restrictive." Lawyers defending the Department of the Interior claim that their IT folks did look at Google Apps, but FISMA or not, it missed one of their big requirements: dedicated hardware. On top of that, the supposedly more secure Google Apps for Government is more of the same, the brief states:

"More importantly, even if [the Department of Interior] had considered Google Apps for Government, its conclusion would not have changed: it is undisputed that Google Apps for Government is not a private cloud, but rather a multi-tenant cloud that hosts Federal, state, and local entities. Moreover, Google‟s refusal to provide a physically isolated server violates DOI‟s requirements for a dedicated server and violates the requirement that any and all information stored in the cloud be located in a data center within the continental United States," the lawyers defending the government said in a brief filed in December. [PDF of the full brief]

At once point, it was somewhat trendy to sue a government when it granted yet another contract to Microsoft. In 2009, Red Hat sued the Swiss government for granting a no-bid contract to Microsoft for desktop software, forcing the Swiss to open bids to open source vendors. That was a fight worth fighting. But given the newly-revealed circumstances of Google's lawsuit, the circumstances are far from the same. Microsoft's Howard has gone so far as to accuse that Google Apps for Government still isn't FISMA certified despite Googl'es claims all over its Websit that it is (take accusation with a grain of salt).

The bigger issue is how these big companies, with big legal departments compete. Firing off a lawsuit when the government fails to buy your product sounds vaguely like blackmail. False claims are bad, but false lawsuits that must be defended with taxpayer money are even worse. What's next? Suing any company when an IT department awards a big contract to a competitor?

Like this? Here's more:

Microsoft warns of hack attempt on Windows Live, Google, Yahoo, Skype, Mozilla

Japanese earthquake as seen by YouTube Citizen journalism

Absolutely brilliant: Windows upgrades through the years

Windows Live Mesh goes live without support for Linux

Microsoft pooh-poohs Google Cloud Connect

Steve Ballmer as emoticons

Follow me on Twitter @Julie188

Insider Shootout: Best security tools for small business
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies