Transcript: The Cloud & Digital Transformation – The Washington Post

Sign in
Why?
The Washington Post is providing this news free to all readers as a public service.
Follow this story and more by signing up for national breaking news email alerts.
MS. ZAKRZEWSKI: Hello, and welcome to Washington Post Live. I’m Cat Zakrzewski, a tech policy reporter here at The Washington Post.
I’m joined today by Bret Arsenault, a corporate vice president and chief information security officer at Microsoft.
Bret, thank you so much for joining us.
MR. ARSENAULT: Thank you for having me, Cat. I really appreciate it.
MS. ZAKRZEWSKI: Well, and so I want to begin today with a primer for our audience because we’ve been hearing about the cloud for more than a decade from business leaders but it at times can still feel like a murky tech buzzword. So, just to kick things off, what is the cloud?
MR. ARSENAULT: [Laughs] That’s a really good question, and I appreciate the opportunity to continue to clarify and simplify. Really, when I think about the cloud, if we think about, you know, historically you had data centers and consumer applications, now instead of the cloud being a privately owned entity, you have cloud service providers who now provide capabilities for compute, storage, and network to be able to run your applications, and they’re distributed around the world. And I think the way to think about it is there’s three primary types of cloud services. There’s what’s known as infrastructure as a service, where you basically take whatever you’d run in your data center, virtualized or not, and then move it into one of these cloud centers. There’s platform as a service where you can natively write applications to that cloud service that I think has some big benefits in that, and then there’s software as a service, which are applications that are just full runtime. So, if you think of Office 365 as a software as a service or Salesforce as software as a service, those are really the ways I think about cloud services.
MS. ZAKRZEWSKI: Thank you so much.
And, yeah, I think it’s helpful to lay out how this impacts so many different parts of Microsoft’s business, as you laid out, that you can provide computing power to other companies, perhaps a social network or the apps we access on our phones, but also at the same time provide your own software, so the idea that I can access something in my OneDrive from my phone, tablet, or computer.
And just given the broad range of applications and software that the cloud touches today, I mean, at this point, what critical data isn’t in the cloud?
MR. ARSENAULT: Yeah. It’s interesting. More and more data continues to move to the cloud. There’s cost efficiencies. There’s agility. There’s performance, and there’s elasticity. So imagine some applications if you’re thinking from a business perspective that you only run like some companies run surveys and they run once a year or twice a year. You don’t have to have all that capacity that’s sitting there unused.
And so, to be honest, I think about 90‑‑oh, I think 98 percent right now of the portfolio of the things we run here are actually in the cloud today.
MS. ZAKRZEWSKI: And are you seeing a similar shift among other businesses, especially with the pandemic?
MR. ARSENAULT: Yeah, I think we saw two things. I think you’re seeing it shift as a general part of the digital transformation. Most companies are becoming software companies that maybe traditionally weren’t, and then, certainly, the pandemic accelerated a lot of that work. So, because of the fact that you had people working remotely, the ability to access a cloud service from anywhere, anytime, on any device really became an important part of how people were working, and so it accelerated a lot of the work that people are already doing. It pressurized that system, absolutely.
MS. ZAKRZEWSKI: And we saw that the pandemic created a big boom in business for companies like Microsoft. More recently, the company reported a bit of a slowdown in cloud computing revenue. Do you think this aspect of the business is recession‑proof?
MR. ARSENAULT: Yeah, it’s an interesting question. I mean, I’m not the financial person, here. I’m just the person who operates and protects Microsoft. I’m not on the selling side, but obviously, I care about the business and running it.
I can tell you what the customers I meet with‑‑you know, I think the idea of having a compute experience and that’s cost effective that you can continue to scale and that can for me provide continuity and possess recovery capabilities doesn’t really change, and I think that more and more or at least the trend I’m seeing is what vendors can provide most of the services that I need, because we see so much complexity in that space today. So the more that people can provide, I think, the better off you are to be in the headwinds of recession. The companies that can provide the most capability will be the best served.
MS. ZAKRZEWSKI: And, Bret, because you mentioned your role is really protecting Microsoft, I wanted to bring in a question we got from a viewer about security.
MR. ARSENAULT: Okay.
MS. ZAKRZEWSKI: Beverly Baxter from the United States asks, given the history of security breaches involving the cloud, why should we trust cloud security in the future?
MR. ARSENAULT: Yeah. I’m not sure of the specific instance that we’re referencing here, but I think if we look at‑‑if I look at sort of what I see in the threat landscape and the types of things we see, most of the things that I’m seeing happening are really identity‑based attacks that are happening in this space.
And it’s funny. On the intro reel, I saw the comment about 6.3 trillion events a day. I think that was probably 18 months ago, and today we’re at 43 trillion events per day. And so one of the best tools, one of the best tools you have to protect yourself is to have really good fidelity in intelligence that lets you see the trends and patterns that are happening. So we continue to see this identity‑based attack, regardless of where–location it’s at, and so you’ll see‑‑like in the last year alone, we’ve seen a 60 percent increase, where we’re seeing over 920 password attacks per second, where we saw just under 600 last year. And so you want to be able to have the signal that you see, predict, and protect you from those kinds of situations.
That honestly can really only be done at cloud scale, and so I think that ability to have signal and then to act on that signal‑‑and I see it repeatedly in our environment‑‑is really changing the game for us.
MS. ZAKRZEWSKI: What do you think is driving that massive increase in threats that you just laid out?
MR. ARSENAULT: Well, I think there’s a couple of things. I think that we’ve seen basically the pace and the sophistication of the attack vectors and the financial models continue to evolve, and so there’s just opportunity for bad people to continue to do bad things and end up having reward at their reputations, but more importantly, financially, the actual‑‑if you look at, you know, identity, as I mentioned, or the ransomware attack models and the financial models that are trending for that, it has a pretty big growth trajectory. It’s an economy all of its own, and so while there’s opportunity for that to happen, you’ll continue to see that threat landscape evolve.
And this has been going on long before. I mean, to be honest, when we created the mail system, mail fraud came about. When we, you know, created the telecommunications system, telecommunications fraud came about. So it’s not surprising that when you have internet and internet services, you would see bad things happen, and the question is, how do you anticipate, predict, and protect yourself from those?
MS. ZAKRZEWSKI: It’s interesting you mention the sophistication of actors because we often hear victims of cyberattacks talk about that, but recently, there have also been some breaches again and again where we’ve seen actually teenagers being able to breach major companies. I’m thinking of Uber and Twitter and others. So why do you think these less sophisticated attackers are still able to break through?
MR. ARSENAULT: It’s a really good question, and I have a teenager, and I still think she’s more sophisticated than I am. So I won’t use ageism in the response.
But I will say, interestingly, you still see a massive attack surface of people not doing the brilliant basics, and so when you think about those types of scenarios, like I mentioned in the password scenario and even in the cases you just mentioned, the ability to engineer or get someone’s password makes it reasonably a straightforward model to go do. And so it’s an enterprise. The question is, you know, why are you having any passwords at all? Why are you not using 2FA? Because that’s like the fundamental thing.
You’re 20 times, 20 times more likely to be compromised if you use password versus multifactor authentication, and so it’s abundantly available. We continue as an industry‑‑this isn’t a Microsoft statement. And so we were on the journey to get rid of passwords years ago, and so you still see a lot of entities coming on board and doing those things and just doing the brilliant basics. Make sure you have multifactor authentication. Only allow access from certifiably healthy devices, and ensure you’re collecting the telemetry that lets you look for anomalies and/or detect these things as they happen at cloud scale.
And so I think that, you know, the whole industry has to evolve into that model, but there’s some basics that I think we still aren’t getting right as an industry.
MS. ZAKRZEWSKI: And you’ve previously said‑‑Microsoft has said that all employees would be password‑less by 2021. So how many Microsoft employees are still using passwords today?
MR. ARSENAULT: Nobody.
MS. ZAKRZEWSKI: Wow. And so when you say that using multifactor‑‑
MR. ARSENAULT: Something I should‑‑
MS. ZAKRZEWSKI: Oh, sorry. Go ahead.
MR. ARSENAULT: Let me clarify it. So the first thing we do is get rid of the users to ever have to know anything about a password in the system, and that anything in application you talk to requires multifactor authentication.
And so we’re at 100 percent of that for the systems today, and we’ll continue to evolve that journey and evolve that journey on the back end as well. But, yeah, today I have no idea. Like we don’t‑‑I have no idea what my password would be.
MS. ZAKRZEWSKI: And what does multifactor authentication look like at Microsoft? I know different companies use different techniques to verify.
MR. ARSENAULT: Yeah. That’s a really good point, and for us, you know, we sort of‑‑you know, a little bit of maybe sharing our journey and our learning‑‑and it’s not saying it’s the right one, but it’s the journey we use‑‑as the person who ran around saying 2FA everywhere, which was the previous way we’d say two‑factor authentication‑‑and originally, like many companies, we only use 2FA for our VPN perimeter outside‑in access, and we sort of flipped it on our head and said instead of saying 2FA everywhere, which meant having a smartcard or some other component, we said what if we could just get rid of passwords, and that became a design change principle for the way we did things.
And for one, it wasn’t like me forcing 2FA on people. Our users actually loved it. So I created a system that users loved and the IT department trusted, and so getting to that model, it seemed simple in words, but it was a big mindset shift‑‑a mindset shift for us. And the important thing on 2FA was not to be so prescriptive that you would only allow one type of multifactor authentication. It’s not a very inclusive way to go do something.
So we built native capabilities in Windows Hello that could be fingerprint sensing, iris, facial, because remember a doctor is in a different scenario, as an example. With a face mask, glasses, and gloves, what are you going to go do? And there’s lots of other biometric cryptographically secure ways to go do that.
And so for us, we use Windows Hello as an integrated part of what we go do, and so I just walk up to my PC. It recognizes. In this particular case, the one I have here is based on facial. It recognizes me. It logs‑‑logs up, comes in, and it’s running. It’s secure. It’s a faster login. It’s a great experience.
I don’t run all Windows. I think people are confused. I’m like the fifth largest Mac shop in the world. So I have Mac, Linux, iOS, and Android. So, for that platform, we use the Microsoft as your authenticator, which is a Autobahn multifactor authenticator we use from your mobile device. And so the key was go from know something, know something, password, password, to not know something, have something, which is 2FA and a smartcard. It was know something, be something, right, some part of you that you’re the key. And so that was really‑‑that’s what we did for us inside at Microsoft, if that makes sense.
MS. ZAKRZEWSKI: And I wanted to ask, do you see in the future us going completely password‑less, even for consumers of technology, too, outside of business?
MR. ARSENAULT: Yeah. I think this is a‑‑sorry to be so personal. This the‑‑this is the‑‑my wife asked me why I can’t do the same thing for our house that I can do for work, and so, you know, why do I go to my TV and need to login to an internet streaming service, and I can’t just have it auto‑do that, that component.
So, yeah, I believe there’s a lot of great work we can do with the identity capabilities we’re building, but it will take a little bit longer to do it in the consumer space. It absolutely will.
MS. ZAKRZEWSKI: And I wanted to ask you. I recently‑‑
MR. ARSENAULT: I’m confident we can do it now. Sorry. I am confident we can do it.
MS. ZAKRZEWSKI: And I recently heard the term “MFA fatigue,” which I had previously heard in the context of passwords, and we’ve seen this with some breaches like the Uber breach we referenced earlier where, you know, the hackers just send so many, you know, MFA notifications that a person gets overwhelmed and might click okay to one of them. How are you thinking about that threat in designing this approach for Microsoft?
MR. ARSENAULT: Yeah. It’s a really good‑‑it’s a really good point, and it’s a real issue. I mean, it is‑‑you know, like I said, everything will evolve. You do passwords. Then you do MFA, and then someone will figure out how to get someone to do something around MFA. So there’s a number of things we’re working on in that space.
One is to actually create the‑‑it’s called “token binding,” which is a really good thing to do go, where even if someone was to get your MFA credential, which is the software component of it, it can only be replayed from the same device. It’s not exportable. It can’t be played from any other device. So, even if someone could do it, they can’t run it from anywhere else. So that’s work we’ve been working on, that we’re actually talking to our partner
groups today here in Redmond about that.
Additionally, it’s to create better processes for in‑person proofing and confirmation of who you are so that you don’t get the fatigue process, so that you remove the social engineering, because it’s really a social engineering experiment in what they’re doing. And so how do you make it simpler but not allow people to go do that and that we can start filtering out? There’s capabilities in our cloud service, again, where we can see multiple attempts to MFA from a specific area. We can actually suppress those and put that in as a high‑risk action and take automatic action for you on that, which is a very amazing thing to go do. It’s an adaptive risk model we have.
MS. ZAKRZEWSKI: And I wanted to go back to in our intro video. We showed a quote of yours saying, “Businesses are grappling with the most complex and fast‑paced threat landscape we’ve ever seen.” Microsoft hasn’t been immune to those threats. Microsoft itself was hit by the SolarWinds gang, which has been attributed to Russian foreign intelligence, and yet the company initially said it didn’t see an impact. Why did it take so long to find out or admit that they had removed source code?
MR. ARSENAULT: Well, I think that’s a different‑‑that means you have to rephrase the question because I think I may be misunderstanding what you’re saying.
MS. ZAKRZEWSKI: So I just wanted to understand basically in the aftermath of the SolarWinds attack, there was kind of a delay between when we learned of SolarWinds and then learning that, you know, the gang had actually accessed Microsoft source code. Why did it take so long to find out?
MR. ARSENAULT: Oh, yeah, yeah, yeah, yeah. So two things we should comments. So, one, most of these investigations are always really long running, right, because you have a massive system you’re looking through, and as soon as we understand and note and understand something, we share that immediately when we understand what the impact has been, including, well, a lot of the work you did with Mandiant and other companies to share the IOCs that will let other people detect and find out if they had those things. So we’re always proactively and transparently communicating when we know things.
In the fog of war while you’re looking for it, though, it doesn’t mean you necessarily see it right away. So that was just‑‑as soon as we were able to confirm and understand what was there, we did notify people that happened. I don’t feel great about it. But I think it’s another thing that’s really important to be kept here, which is we don’t believe in‑‑today it’s our view that the ability to read source code‑‑like, I run the transparency centers where customers can come look at our source code, including governments and enterprise customers. We don’t believe in a security obscurity model around source code. So the fact that they had it, I don’t like it because it’s not what I want them to go do, but it’s not, from my perspective, the thing I’d be most worried about in that scenario, right, because we have this model about allowing people to look at source and the things that we do in that space.
But it’s totally a fair question. You know, I’d love to have said we could have done it sooner.
MS. ZAKRZEWSKI: And on that point, I mean, SolarWinds, then the exchange hack, all the wakeup calls for industry, how did it change security practices at Microsoft?
MR. ARSENAULT: Yeah, I think it changed for us many things, like it changed other companies in this space. I think the examples you allude‑‑you’re using are this example of how vulnerable are you to your supply chain and how do you entrance‑‑how do you ensure‑‑I refer to sort of the five things I’m thinking about right now are ransomware regulations, Russia remote work, and supply‑‑supply chain, and how do you ensure that your supply chain is consistent? And I think there’s a lot of things going on with regulation around this, like the SBOM, for the software bill of materials and other things, that help provide a level of transparency in the components you take in.
But just‑‑and then also, frankly, thinking about how I see a massive trend, I have 140 top security officers coming here that I’m hosting from 30 countries for a few days where we’re talking about trends and patterns. One of the biggest things we’re seeing is the complexity of the security space and how do you simplify all the security solutions you have, reduce the footprint so that you have less seam so you can, one, act more effectively, more quickly, and more importantly take advantage of the skill shortages that we’re all facing. And so we see that as a really important part, and that’s some of the learnings we took out of this is how do you think about supply chain, how do you think about your workforce, and how do you think about being not just effective but being efficient, particularly now with the recessionary headwinds we’re talking about.
MS. ZAKRZEWSKI: And we just have a minute before our break, but I wanted to ask you, you know, given those supply chain challenges that you laid out and the fact that you’re going up in some of these instances against nation state actors, I mean, what do you think the most effective thing the federal government‑‑what is the most effective move the federal government could make to help companies like Microsoft facing these threats?
MR. ARSENAULT: Well, I think it‑‑to be honest, I think the work we’re doing, you know, with both DHS and CISA and the sharing that we’re doing, like even in the scenario where we talked about the defending Ukraine and the early lessons from the cyberwar, I think the transparent sharing of what we’re seeing from an industry perspective across not just government but also with financial services, health care, retail, being able to share the intelligence, both on actor intelligence and signal intelligence, and then providing that as guidance to customers to go implement and do is awesome.
The more, though, that I can do that automatically in the cloud as opposed to saying here’s guidance, go implement this, as opposed to I can just protect you from this, like in the exchange scenario, if it’s in our cloud service, it was not impacted at all. It was on‑prem systems.
So our ability to actually take that and go implement that right away, it would be great, and then I think the government’s role in this‑‑and I think CISA has done a good job in this‑‑is continue to provide guidance on the areas that we’re seeing the largest footprints, and what are the protected actions and protective actions you can take relative to that? I think that relationship and the work we’re doing there is much improved in the last five years based on a lot of work between the entities working on that today.
And not just the‑‑by the way, it’s not just the U.S. government. Like we have to think about this globally. We have the same issue around the world.
MS. ZAKRZEWSKI: Well, and on that point, I’m looking to dig into some of the more global and international questions in just a few minutes. Thank you so much. We have lots more to discuss, and we’ll be back in a moment with more from Bret Arsenault. Stay with us.
[Video plays]MS. KELLY: Hello and welcome. I’m Cipher Brief’s CEO and publisher, Suzanne Kelly. The Cipher Brief is a media organization that puts issues vital to national security and cybersecurity in the forefront, and I’m delighted today to be talking about how cloud computing is really reshaping the way that companies around the world are both operating and innovating.
And joining me to talk about this are Ragu Rajaram, global cloud consulting leader, and Andrew Lowe, technology transformation leader, both with the EY organization. Gentlemen, welcome.
MR. LOWE: Thank you.
MS. KELLY: I think it’s safe to say that more businesses are coming to the realization that the cloud really is the future. Ragu, I’m curious. As you work with your clients on their business transformation objectives, what are they most looking to accomplish?
MR. RAJARAM: Well, the key exam questions our clients ask are how do we launch new products in weeks instead of months, how do we innovate through new business models, and how do we fundamentally change the customer and employee experience.
Our clients are finding ways to solve for these questions, while at the same time addressing their ability pressures or the threats from the competition. These drivers require them to ID, enable, and operate at speed. This is where they’re embarking on business transformations through cloud and looking for the positive value outcomes.
The results they are looking for has fundamentally changed from a traditional cost take‑out function to more into agility, ability to innovate, and resiliency in whatever they do.
MS. KELLY: I’m really interested as well to kind of understand what some of the core tenets are when it comes to successful cloud transformation.
MR. RAJARAM: The core tenets that we practice in driving transformative value through cloud are by putting humans at center, technology at speed, and innovation at scale.
Let me explain to you what that means. First to start developing a human‑centered mindset and a culture that we put our customers and people first, right from ambition to market impact. This is what we call as putting humans at center. Next to move from a highly customized monolithic architecture to a cloud linked to composable business capability and thereby creating and curating experience as part of our customers, which we call this “technology at speed.” And finally to develop an ecosystem‑based mindset that crosses organizational boundaries when delivering value to our customers and employees, which we call this “innovation at scale.” We believe these three core tenets will drive true value through cloud.
MS. KELLY: You mentioned something there, an ecosystem‑based mindset, that I want to touch on just a little bit more. I think it’s important.
Andrew, let’s talk about the concept of ecosystems. What are they, and how are they driving innovation?
MR. LOWE: I mean, for us, ecosystems expand both on the go‑to‑market side of an organization, the inside of an organization, across the organizational boundaries, and into the supply chain on the back end of an organization in terms of how they deliver with their delivery partners.
But executing a significant business transformation through the cloud is a complex undertaking. Particularly in the context when uncertainty is high, business needs are continuously changing, and organizations are becoming multi‑cloud. It’s nearly impossible for any organization to have everything that’s required to successfully deliver transformation all by themselves and realize the positive outcomes from the cloud.
This is where ecosystem business models are becoming ubiquitous in terms of companies seeking to optimize the capital they deploy and create new forms of value at a much higher pace.
MS. KELLY: So let me ask you, then, how does ecosystem integration really help drive value in business transformation in the cloud?
MR. LOWE: So to set up and succeed an ecosystem business model and using that to transform through the cloud, organizations need to put the customer at the center, adopt that infinite mindset that extends beyond their organizational boundaries and co‑creating, fulfilling customer and employee experiences through integrated ecosystems.
These integrated ecosystems for cloud transformation will drive through new joint propositions, access to new geographies, proactively address regulatory changes, and challenge sets of boundaries while helping deliver an optimal cost proposition.
In addition, from a talent and skill set perspective, ecosystems provide access to the right assets, talent, and expertise that can be flexed at any time. EY teams believe having a solid cloud ecosystem integration will drive successful business transformation, then enhance its performance, accelerates innovation, and mitigates those unforeseen circumstances, and drives that transformational growth organizations are looking for.
MS. KELLY: I think as we’re better understanding how technology is going to impact our future, your concept of putting the human at the center is critically important. So I’m glad both of you talked about that.
I’m wondering if you have any closing thoughts on what leaders can do maybe today to help move toward this model. Ragu, can I start with you?
MR. RAJARAM: Absolutely. I would wrap up by saying if you are now embarking on a cloud transformation project, define your business outcomes. Stick to it. Drive your program through it. Go cloud and make‑‑and think ecosystems.
MS. KELLY: Excellent. Andrew, what are your thoughts on what we can do maybe today to start moving closer to this model?
MR. LOWE: I think collaboration, collaboration with the ecosystem, collaboration with your partners, and more importantly, put in the humans and employees at the center of what you’re trying to achieve, and therefore being mindful and purposeful in both the technology and the way in which you go about your transformation. Those are going to be clear differentiators in most organizations.
MS. KELLY: Yeah. And a lot of common sense there. I really appreciate your time today, gentlemen. Ragu Rajaram is global cloud consulting leader and Andrew Lowe is technology transformation leader with EY organization. Thank you so much for your time.
MR. RAJARAM: Thank you.
MR. LOWE: Thank you.
MS. KELLY: I’m Cipher Brief CEO and publisher, Suzanne Kelly. Now back to my colleagues at The Washington Post.
MS. ZAKRZEWSKI: Hello again. I’m Cat Zakrzewski, a tech policy reporter here at the Post, and I’m joined by Bret Arsenault, a corporate vice president and chief information security officer at Microsoft.
So, Bret, where we just left off, we were talking about some of the global challenges with cybersecurity. As far back as 2017, you detected attacks on Ukraine and told your team, quote, “Shut the networks down. I want Ukraine completely isolated from everything we do.” Can you walk us through what it was like to make that decision and what you learned from it that’s informing how Microsoft is approaching the threats we’re seeing today amid the war there?
MR. ARSENAULT: Yeah. And so one for context for everyone who is aware, this was the shutdown for our internal use and the internal systems that we run, which is where my‑‑so I didn’t‑‑it wasn’t impacting customers or any of that component.
But, yeah, I remember painfully well that evening when that happened, and it was just, you know, one of our alerting systems. And, at that time, I mean, my eventing was in the billions, not trillions. But we had got good eventing, had suggested there may be something nefarious happening, and the team just was calling to give me a heads‑up in case there was a problem. And then I said okay. It was four‑something in the morning. I was sleeping on my phone. My daughter couldn’t sleep at that time. So I was in her room just trying to help her be able to sleep, and then I thought about it for a second, judging on what the indicators or compromise might have been‑‑they weren’t confirmed at that time‑‑and then called back and just did an analysis in my head of what business did we run there, how much business do you run there, where were we in terms of, you know, processing, selling, and closing components of the system.
And then, you know, this is about informed intuition. This isn’t a pure hundred‑‑there was data to drive the suspicion, but it was an informed intuition discussion. This is the downside of the CISO role. I mean, I made the call and said we should shut it down, and it’s one of those things if I impact business, then I’m probably looking for a new job the next day, and if I don’t, then‑‑and in this case, it protected us from a pretty bad attack that we saw happen to, you know, Merck and some other people. And then you just get a “Yeah, you did your job.”
And so it was a set of here’s the data, here’s the informed intuition, here’s the risk analysis, and based on that, shut it down, and then if it plays out in the next four hours, it was just deciding to take the more cautious path in the fog of war in that scenario.
MS. ZAKRZEWSKI: That makes sense. Obvious‑‑
MR. ARSENAULT: And so I’m sorry. You asked‑‑go ahead.
MS. ZAKRZEWSKI: Oh, no, I was just going to follow up. I mean, obviously, it underscored, you know, some of the geopolitical risks that you race as a company like Microsoft, so just curious, you know. Were there any lessons from that experience that have informed how you’re thinking about cybersecurity now amid the war?
MR. ARSENAULT: Yeah. And, at that time, we weren’t thinking of it as a testing ground for some other attack that might happen years later. At that time, we were just looking purely at the impact, and frankly, it was back to supply chain. You’re going after a required taxation piece of software to operate in that company you have to run with, and so it gave you a wonderful footprint into anything running in the area.
It did change a bunch of things, though, from my perspective in that, one, what kind of signals do we need to have them look at? So you go from data driven to, you know, this informed intuition. How do you drive more and more data into that process, number one?
Number two, in my space, I’m responsible for crisis management and disaster recovery inside of the organization, and so we started doing tabletop drills around that to ensure that we had the legal teams involved, the financial teams because we did do financial reporting there, as well as the engineering and operational teams, continue to‑‑to continue to test and understand what we would do in the scenario if it was worse and it would happen in this case or if the learning is post that event, because that’s one of the biggest things we learned from other companies that are impacted. What would you do? How do you isolate? How do you isolate in a way that doesn’t impact your operations but more importantly that doesn’t impact our customers?
And so we have a pretty simple crisis plan that has three simple principles: number one, life safety first; number two, customer; number three, Microsoft. And so those three things always have to be in the process of everything we do, whether it’s a hurricane, whether it’s an earthquake, whether it’s a cyberattack, whether it’s a pandemic. Those same principles apply in every type of response we ever do.
MS. ZAKRZEWSKI: And think about that response, I also wanted to ask you‑‑you know, I was one of the reporters along with Joe Menn and Elizabeth Dwoskin who wrote about the recent security problems at Twitter, and, you know, one of the things that has come up in our reporting there was around the former chief security officer‑‑the former security leads’ allegations that the company had foreign agents on its payroll and that the engineers at the company didn’t have the tools and policies necessary to track them effectively.
I wanted to ask, you know, given your global footprint, how is Microsoft, you know, keeping track of such insider threats and monitoring internal access to its code base and other sensitive data?
MR. ARSENAULT: I’m just trying to parse through everything you just said, actually. You’re referring to Mudge, I assume, in this scenario?
MS. ZAKRZEWSKI: Yes. That’s correct. Peiter Zatko.
MR. ARSENAULT: Yeah. Yeah. So I think it’s a different‑‑I think the question was‑‑if I understood, was what do we do to ensure we’re doing the right processes and we have a check‑and‑balances system for insider threats, and then how do we make sure that we have all the right programs and tools and space that we’re‑‑you know, we’re not in the same situation that they found themselves in. Is that correct?
MS. ZAKRZEWSKI: Correct.
MR. ARSENAULT: Yeah, yeah. So, luckily, you know, this is part of a‑‑this is part of our reporting process and what we do. So we have a‑‑we have a very interesting insider threat program, I think a good insider threat program. We have‑‑you know, there are always‑‑always things you want to do more of and everything else we all want to go do, but the inside threat program that I built here and then becoming a product, which is our insider threat product that customers can go use as well to track insider threat scenarios, but between that and our research teams‑‑so we have an amazing research team‑‑actually two, two research teams now, one that does all the human intelligence and then the disinformation group we just acquired that’s doing that work, so that we actually have cards for all the actors. We’ve shared those. Like, this is the MSTIC blogs and things that people have seen before, and then my team has a signal intelligence. How do we then go distribute all that intelligence across all of our systems?
And so from a perspective of‑‑you know, we always are looking and tracking those systems as part of that and getting notifications and working with both HR and [unclear] that’s in every area we work, and they operate differently.
Then we also do a regular review with the leadership team on where we are with our programs and processes. Do we feel‑‑I mean, that’s part of the responsibility and what we report to the leadership team and the board, like where are we in terms of our investments relative to the things we’re trying to go do.
So I feel like we have a good check‑and‑balance system. Our chief auditor does an amazing job as well at validating anything that I’m doing to make sure it’s on task, and like I said, I think that’s‑‑I feel good about the Insider Risk program, and I’m always adding more and more capability to the risk program because the risks keep changing every week.
This is where, again, having the signal is super helpful, right, because we have profiles, and we’ve been very public about the profiles on, I think, 43 actors that we’re tracking and monitoring at all times on what the IOCs are and what their behavioral patterns are. And when we see anything come up from that, we actually can apply that not just to protect ourselves but also to immediately protect our customers.
We just had a situation like that that recently happened with a piece of software called the Raccoon Stealer.
MS. ZAKRZEWSKI: And it’s interesting you mentioned so many checks and balances, because in our reporting, we didn’t find that those were in place at Twitter. It seemed, you know, there were allegations that the company was misleading the board and regulators about these types of issues. I mean, as someone who is a security professional, what was your reaction to the allegations about Twitter and the internal chaos at the company?
MR. ARSENAULT: Yeah. You know, it would probably be better for me not to comment on other people’s business. You know, I think it’s been an interesting year regarding those kinds of things, and we just continue to do the best work we can and continue to look for the right checks and balances.
I think professionally this is a comment that’s‑‑I know this is going to be a topic of discussion this week with a lot of the CISOs around what does that mean and how does that work, but do our best work, make sure we have check and balance. And, you know, like I said, I can’t comment on what happened there. That’s their issue, not that I’m not‑‑
MS. ZAKRZEWSKI: I’m wondering‑‑
MR. ARSENAULT: ‑‑empathetic, and I can appreciate the issue. I just don’t‑‑it’s not my space.
MS. ZAKRZEWSKI: Got it. And, you know, we just have time for one more question, and I wanted to go back to the topic of the cloud broadly. UK regulators recently opened an investigation into Microsoft, Amazon, and Google saying these three companies make up 80 percent of the public cloud market in the country. Should we be worried that just a handful of companies have so much power over the cloud?
MR. ARSENAULT: Yeah. [Laughs] I’m not actually even familiar with that issue. I’m sorry. I’m not trying to deflect that. I’m just not‑‑not even familiar with the issue. I think, honestly, though, Dan Geer wrote a paper like this 20 years ago around mono–monoculture.
So I would just say that‑‑that, you know, the entities‑‑in many ways, I think the entities that have the capability, the telemetry, and the systems and people‑‑most importantly the people to help protect people on other people’s behalf is actually, in my opinion, a good thing. I feel good about that. I feel great that there’s 8,500 people trying to protect everyone who don’t have the staffs that are fortunate enough like myself to have a security team, and so I think we can continue to help many entities in that space use that, and I‑‑and so I think that’s probably the way I would think about it.
Then I’d comment on one last thing because it’s probably just more near and dear to my heart. Part of the thing about companies like this and the thing I love about it is we just have this massive shortage of talent, right? If for every three jobs, one security job is left open, that means somebody is not able to go protect themselves. So how do we make sure we have the right security people, not just in cloud providers but also like the work that we’re doing to go make sure we are doing like we’ve committed to having 250,000 skilled people by 2025? I’m so proud of the work we’re doing there, and the fact that we’re not making it part of prestigious university foo or bar, it’s actually, you know, go through the community colleges. Get people engaged. 180 community colleges are on board. The–using policy‑‑you know, you mentioned about government and private sector. Using the policies that were just released last week around helping this cyber skill shortage through community colleges, which by the way is also for me personally helpful because not everyone has the opportunity to go to great schools. And so you create a much more diverse and inclusive workforce and create a supply chain of these people at the same time as you’re‑‑you know, you’re creating a big skills gap problem, which I think is an awesome opportunity.
So, for me, that’s a part of things that are amazing about these companies, and we work together and try to make those things happen along with governments around the world.
MS. ZAKRZEWSKI: We have time for just one last question, and so I wanted to ask you, you know, on that topic of the cyber skills shortage, what’s one thing that the United States could do in the next 10 years to really boost the workforce?
MR. ARSENAULT: Yeah. I think the things we were just talking about regarding this, this new bill that we‑‑you know, we just‑‑it just got released this week‑‑around trying to create this shortage‑‑2.5 million jobs will go vacant in the U.S., and I think you can’t just assume, one, it’s all engineering people, two, that it all is coming from four‑year programs and institutions, and three, that you have a model that doesn’t just work on that‑‑like use the community colleges and the big colleges and continue to make the content available.
So when you look at these institutions that are accredited to teach teachers how to do cyber, keep making that material available. And so we continue to invest in that, and then working with other companies and the government, provide scholarships for kids to get into these programs. And so, again, you create content, you create capability in the teachers, and then you create opportunity for students so that you can get the whole flywheel spinning.
And I love your comment. It’s a 10‑year thing. Like, getting the 250,000 skilled people by 2025 is a big goal. You’re asking about, you know, 20‑‑what year is it now? 2032. So just imagine if we had millions of people by that time. It would be just fantastic.
So I think that work in the U.S. would be the first place I would start, and then outside the U.S., I think of working with NGOs and I think of working, like, with WiCyS, which is the, you know, women in cybersecurity stuff. There’s a bunch of efforts we’re doing there that I think will really help us in that space, because it’s not just creating talent for me. It’s creating opportunity for a more diverse, inclusive workforce. I really believe we can do that by changing where we do it.
Like, I‑‑to be honest, I go all the way back to high school and before high school, but, you know, [unclear] still talking about that, but we still‑‑I’ll start with community college and be happy that’s a good beginning place.
MS. ZAKRZEWSKI: Well, we’ll have to have you back in a couple years to see where we are and where we need to go on that front. Unfortunately, we’re out of time. So we’ll have to leave it there. Thanks so much for joining us, Bret Arsenault.
MR. ARSENAULT: Thanks so much, Cat. Have a great day.
MS. ZAKRZEWSKI: And thanks to all of you for joining us. To check out what interviews we have coming up, please head to WashingtonPostLive.com to find out more information about our upcoming programs.
I’m Cat Zakrzewski, and again, thanks for watching.
[End recorded session]

source