For Microsoft, cybersecurity has become bigger than business

Written by

Since the cybersecurity firm FireEye hired Microsoft to help investigate a hack at the federal contractor SolarWinds, Microsoft has helped clean up the mess, alerted victims and distributed other details meant to fend off alleged Russian spies.

Microsoft did all of that as it wrestled with its own probe of how hackers infiltrated its systems. Yet the company’s role in the SolarWinds investigation, while significant, represents a fraction of the cybersecurity-focused work Microsoft has done in recent years, including some behind the scenes and some in globe-spanning public relations campaigns.

Once viewed as a traditional tech behemoth, Microsoft has evolved into a firm that fights cybersecurity battles in court, in election administration, in the international sphere, in the marketplace and elsewhere.

The entirety of that perspective gives Microsoft a unique — if imperfect — place in the cybersecurity universe. The size of the company, and its level of visibility into the global internet, is also evidence that one of the most influential firms in the world is dealing with cyber matters much in the way that governments do.

“They certainly have capabilities that are on par or in some cases even much better than some nation-states, and probably the majority of nation-states,” said Cheri McGuire, a former Microsoft vice president who’s now a nonresident scholar with the Cyber Policy Initiative at the Carnegie Endowment for International Peace.

It doesn’t hurt that effective security is also good for business. But that goes hand-in-hand with a dynamic Microsoft has had to contend with for much of its history: For all its considerable focus on cybersecurity, it still remains a frequent hacking target.

The company’s global reach is under the microscope now as Microsoft clients wait on information and updates meant to help them fend off apparent Russian hackers. If those updates are sometimes confusing, as McGuire said, or Microsoft could be more transparent about its cyber work, as observers have noted, the scrutiny highlights the way outsiders expect a major cyber firm to behave.

Said Amit Mital, another former Microsoft exec who’s now CEO of Kernel Labs: “Fundamentally, Microsoft is a core part of the problem, and it’s also a core part of the solution.”

The recent work

The hack of updates to the SolarWinds Orion software — which already ranks among the top cyber-espionage campaigns of all time even as details continue to spill out — has seen Microsoft play multiple roles. Last week, for instance, the company revealed some of the lengths the hackers went to in order to disguise their spying.

Only a few weeks before the SolarWinds breach became public, the company had been spearheading a legal push to take over command and control servers to disrupt the massive botnet called TrickBot, which is one of the biggest networks of zombie computers that can be used to carry out a range of attacks.

Some cyber firms initially doubted the effectiveness of Microsoft’s attempt to disrupt TrickBot, which was aimed at protecting the elections against ransomware. Some of those same firms later said the operation had in fact made a difference. Others noted yet later that TrickBot rebuilt somewhat swiftly.

That TrickBot disruption notably overlapped with a separate U.S. Cyber Command operation, raising questions about why they weren’t coordinated.

Rob Knake, a senior fellow at the Council on Foreign Relations, said Microsoft — while a much-improved company on cybersecurity issues — is still motivated by its worldwide business ambitions, leading it to want to avoid being overly tied to the U.S. government.

Tom Burt, Microsoft’s corporate vice president of security and trust, said the lack of coordination on the TrickBot takedown wasn’t for lack of trying. Microsoft had focused on TrickBot for years, and reached out to the U.S. government from the beginning. Again just before Microsoft went to court, the company said, “‘If you want to come in with us, we would love to work with you,’” according to Burt. “We didn’t get a lot of interest in that particular one,” he said, although Microsoft had better luck with European governments.

While Burt said there are some similarities between how Microsoft and governments operate in cyberspace, there are also key differences: Microsoft doesn’t launch offensive cyberattacks, nor does it have some of the same legal authorities to investigate hackers nor establish law or regulation.

How Microsoft evolved

Microsoft’s evolution from a late-1990s/early-2000s “Big Tech” villain into a cybersecurity powerhouse has myriad motivations, some of which stem from lessons learned during that time about the value of being seen as a good corporate citizen. The U.S. government filed a lawsuit against Microsoft in 1998 alleging that it held an illegal monopoly in the personal computer market, following a contentious hearing on Capitol Hill that featured then-CEO Bill Gates testifying alongside industry rivals.

President Brad Smith and Tom Burt, corporate vice president for security and trust — whose portfolio includes many of Microsoft’s cybersecurity roles — were both at the company during those antitrust battles and their immediate aftermaths, and played prominently in them.

“Did we, as a company and corporate culture, learn from those experiences?” Burt said. “Oh, boy, we sure did.”

McGuire pointed out that Smith came up to the president role from general counsel as opposed to a more typical product-oriented position, giving him an inclination toward reckoning with larger policy issues.

While leadership at Microsoft may genuinely seem to care about security issues, as many people interviewed for this story suggested, there’s little question that interest is no doubt jointly motivated by profit, according to Eli Sugarman, director of the cyber initiative at the William and Flora Hewlett Foundation.

“It’s bad for business in many respects when their customers are harmed and hurt and money is stolen,” said Sugarman, who worked with Microsoft on the CyberPeace Institute to promote rules of conduct in cyberspace. “The flip side of that is when you draw attention to harms and challenges and problems, they also offer products and services that can help secure you, and in theory, keep you safe from those harms.”

Burt said no executives above him have ever cited making money as the reason they want him to do something. But he also doesn’t doubt that the company wouldn’t give him the money and people to do his work if it didn’t make the company look good. And he thinks his title having “trust” in it is key to the kind of cybersecurity initiatives he nurtures.

“We don’t build that trust through things that are artificial,” he said. “We build those trust through serious efforts that make an impact. And it takes forever to earn trust, especially in a skeptical world. And then you have to maintain it.”

McGuire said the 2002 “Code Red” worm for which Microsoft took heat inspired the company to take cybersecurity more seriously for its products, after hackers exploited a Microsoft vulnerability that caused billions of dollars worth of damage, disrupted government operations and slowed Internet traffic. Mital said another inspiration was customer demand to make cybersecurity a priority that rose toward the close of the decade.

Where it plays and where it doesn’t

In some areas, though, there’s little profit motive. Matt Masterson, who until recently worked as a top election security adviser at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said Microsoft doesn’t make much money defending elections.

In its work there, Microsoft leveraged its role as a service provider in defending candidates, campaigns and think tanks whereas CISA focused more on state and local election officials, allowing Microsoft to help “fill a hole” that hackers previously exploited in 2016 when they hacked the Hillary Clinton campaign’s emails, Masterson said.

The sheer volume of data it looks at gives it a perspective few can provide. The company claims to examine 8 trillion signals daily from its products and services. As of this summer, it was seeing upwards of 12 million attacks every day, though how those numbers compare to other firms remains unclear (a Microsoft spokesperson said they didn’t know about other companies’ figures).

That big picture view, though, gives Microsoft a sense of the gravest threats to its customers and where it can make a difference, Burt said — which is why it has pursued court actions to not only take over command and control servers for TrickBot, but also to take over domains used by hacker groups affiliated with China, Iran, North Korea and Russia. Some of its work is behind the scenes, such as helping build and refer cases with law enforcement, he added.

For all its diplomatic initiatives in cybersecurity, some of Microsoft’s organizations haven’t become “self-sustaining efforts,” Knake said. Smith’s idea for a Digital Geneva Convention, for instance — which would cement binding rules on governments to protect civilians on the internet — has not become reality since he proposed it in 2017.

There have been signs of progress, according to Burt, such as some of its organizations like the Cybersecurity Tech Accord growing from dozens of companies to more than 100. But Microsoft knew its various bids to establish global rules of behavior in cyberspace wouldn’t be a “months-long process,” Burt said, adding, “we’re nothing if not determined.”

And while some of the results aren’t immediately visible, it doesn’t mean there isn’t advancement. The deputy director of the German Marshall Fund’s Alliance for Security Democracy, David Salvo, said his organization, Microsoft and Canada have worked on a series of private events with the notion of publishing a document in the spring on how to push back against foreign and domestic threats against the integrity of elections.

That planned publication stems from the 2018 Paris Call for Trust and Security in Cyberspace, which Microsoft had a role in developing alongside the French government. The U.S. notably didn’t sign on to that initiative under President Donald Trump — because, according to sources this reporter spoke to at the time, Trump was feuding with France. On the lack of a U.S. signature, “I have a feeling that will change soon,” Burt said.

What’s next

Looking ahead, Burt said he sees a place for Microsoft to make yet more of a difference in election administration. Its ElectionGuard technology is designed to allow each voter to track their vote in an encrypted way. When it started developing that software kit over the past couple years, it didn’t anticipate how the 2020 election was going to play out.

“We didn’t know it was going to be about completely unsupported, crazy conspiracy theories about fraud that would dominate and actually capture the belief of so many Americans,” he said. “It can maintain that absolute privacy of the vote. But it can still confirm for every voter that their vote was actually counted and not changed.”

“And it gets a lot harder to believe in these fraudulent conspiracy theories when not just you, but the guy in the bar you’re arguing with, and your neighbors down the street can all just check and say, ‘Oh, my vote got counted. Your vote got counted? Her vote got counted. Where’s the fraud?’” Burt said. Time will tell if conspiracy theorists come to trust Microsoft’s technology to do what it is advertised to do.

Wherever it goes next, Microsoft’s cybersecurity journey to date has been “a really interesting evolutionary tale,” Sugarman said.