[MUSIC PLAYING] (SINGING) When you walk in the room, do you have Sway?
Hi, I’m Kara Swisher, and you’re listening to “Sway.” I’m joined by Brad Smith, President and Chief Legal Officer of Microsoft. He’s been with the company for almost 30 years, longer than Bill Gates was CEO. And he helped the company navigate the aftermath of its landmark antitrust case. Now, he and Microsoft are at the forefront of some of the biggest cybersecurity and regulation issues of our time. And the company’s political action committee is among the most influential in DC. Welcome, Brad.
Well, thank you, Kara. Always great to be with you.
All right. So let’s talk about Microsoft’s political donations. Last month, Microsoft was revealed to be one of the top corporate donors to a group of 147 members of Congress who voted to overturn the results of the presidential election, and some of whom are very active on social media in spreading this lie theory about the election fraud in an attempt to steal Biden’s win, essentially. And records show in the past three election cycles, about $500,000 was donated to this group. So why were you donating to them?
Well. We have strived and actually believe that it is of value to have relationships across the aisle, which means that we’ve had a PAC that supports candidates on a roughly comparable bipartisan basis. We, nonetheless, were dismayed to find that 20% of the people who were members of Congress and who had received our donations had voted against certification of the electoral college. We were supporting that 20% not because we ever anticipated they would vote on something like this the way we did — we obviously did not — but they were working on other issues, issues that were relevant to our business, to technology, to our employees, to immigration issues or the others. And we did this as part of an ongoing exercise of, I will say, democratic practices. Politicians have fundraisers. People attend them. You attend a fundraiser by making a donation.
All right. So let me just push back a little bit. You said you were dismayed, but one of the senators Microsoft donated to, Senator Josh Hawley, a big tech thinker, for sure. He was a leading force though in trying to overturn the 2020 presidential election results. And in a statement, you all seem to imply that had you known his stance, you wouldn’t have donated to him. But there are records that show you still donating to him after he started to do this.
Well, I just think we should face facts. We always have a choice. We made the wrong choice on that one. When I learned in January that that donation had been made in the early part of December, it did not bring an enthusiastic beginning to my morning when I woke up and read that email. I personally think the wrong choice was made, that we don’t live in a mistake-free world. We’re best served when we just acknowledge that. There are some things we did, believe me, if we could have done it again, I don’t think it would have been done that way at all.
So when you woke — I want you to describe when you woke up, when you saw that. You were not aware of this, or how does this —
No, no. Look, I’m not a member of the PAC steering committee. I don’t participate in the donation decisions. I basically read about them the same time as everybody else when they’re published each month. In that case, somebody knew this was going to be a problem. So literally, I woke up and read the email, and I was a little bit like, oh, how did this happen? When did this happen? Why did this happen? What can we learn? How do we get better?
Well, you are the president of Microsoft, so you have some power. So will you be paying closer attention to PAC donations going forward?
I think the company is best served if I help put in place a set of principles and processes so that individual decisions can be made well. I don’t think that Microsoft as a whole is going to be best served if I am spending my time making personal decisions on which of 100, 200, or 300 donations are made in a given quarter or year.
Do you look at it as a cost of doing business? I mean, because in normal times, I get that. I get the idea that you all have to sort of pony up to the bar and pay the price it takes to be with those people.
Well, first of all, I think you’re right, Kara, to talk about normal times, and then we should just recognize that that’s not where we are today. And just the whole panoply of political and democratic and regulatory issues are just so extraordinary. But having said that, we’ve long believed that the country would be better served if there was more public funding of elections, if there was less money in elections. We were dismayed by the whole Citizens United decision, which increased the amount of money going into elections. I don’t think any of this is good for democracy. It is the democracy we have today. I think it is a democracy we can reform, but we have participated in the world that exists, even while we seek something better.
You’ve been meeting with Microsoft employees to discuss these donations because it caused a lot of, you know, like, you’re giving money to the guy who did the fist bump to the invaders of the Capitol. You’ve been meeting with Microsoft employees. In one of the meetings, which was publicized, you told employees the actual truth that donations to politicians are — essentially it’s table stakes. Your reasoning — and I think I’m paraphrasing here — was that donations can help you buy relationships and help from politicians like when you need to call for assistance with green cards or national security or tax issues. What were you trying to say here?
Well, we had a town hall in which I was trying to explain to 165,000 employees, many of whom live outside the United States, what this thing is that’s called a political action committee, why it exists, how it works, and what people do. Namely, you go to events, you have to write a check to attend a fundraiser, a fundraising breakfast, lunch, you name it. And out of showing up, you do build relationships. And later on, you find in life that relationships are good things to have.
Yeah. But do you need to show up with a check? You don’t get to just show — Brad doesn’t get to come to breakfast and get a free croissant, right?
No. The basic point is it’s like a lot of things in life. Any fundraiser, whether it’s for a politician or a charitable cause, you don’t get in the door unless you make a donation. But when things went the way they did on January 6, we said we’re suspending our donations. We’re now going to take stock. We listened to our employees. And really the feedback that we got was consistent with where we thought we needed to go, which was namely to decide as we have that we will now resume donations to people who didn’t vote because they weren’t a member of Congress, say, or who voted to certify the election. But we will suspend for the duration of this electoral cycle all donations, all contributions to any member of Congress who voted against the certification of the electoral college, to any state legislator who did the same, to any party organization that opposed the certification of the electoral college. And we decided we will take additional steps — and this is really based on feedback from employees — to create what we’re calling a “Democracy Forward Initiative,” an opportunity for people if they want, instead of donating to a particular candidate through the PAC, to just say I just want to support organizations that are trying to advance campaign finance reform or voting rights protection or expanding public transparency. And so those were the two broad decisions that came out of the meetings with our employees. We said we want to sit down, we want to work with business organizations, other companies because we think that companies can play a role in promoting the protection of democracy, more broadly. And if that’s something that comes out of this, that is at least one good step.
Right. So talk about the other changes you’re making, then. It’s obviously targeting these particular congresspeople. This is a backwards-looking thing. We’re not going to give money for how long to these people?
We said for the duration of this electoral cycle, which means the next two years.
Right. So in two years, you would forgive them or what?
Well. I think that what we’re going to be focused on is, I would imagine, refining the factors that we use so that the PAC includes this in determining who it will donate to. Today, the PAC makes donations based on four factors. Namely, is somebody in a part of the country where we have a lot of employees or a presence? Are they in a role where they’re dealing with technology issues? Are they advancing positions that are good in our view for what we’re trying to accomplish as a company? And are they good on values like diversity and inclusion? And let’s face it, we did not have in the past — are they good for democracy, or are they advancing what feels like authoritarianism and disruption? That is, in all likelihood, something that we’re going to have to continue to focus on as long as these issues remain in public discussion. I mean, I just don’t see how we can avoid that.
What do you do about something like Marjorie Taylor Greene, because she’s getting a lot of donations obviously from individuals, but what does a corporation do? Walk me through someone like that who is so offensive on so many levels?
Well, I think we always do try to make decisions from a point of principle. I think if we have a principle that talks about the promotion and preservation, the protection of democracy, I don’t think it’s likely that she would get a donation, given the application of that principle. I think we can safely assume she would not.
And when you have this PAC group, and it has a governing body, presumably of who’s going to be doing this, but how do they make the decisions about the changes? Does it come from you? You’re like, enough, we gave Josh Hawley money, now I’m going to take the reins kind of thing.
Well, there is a steering committee that makes the decisions. The PAC steering committee also created an employee advisory committee, and I think that will be expanding that advisory committee. And I think that the criteria undoubtedly will evolve as life goes on. When you just think about the other issues of the day, issues like security, issues like privacy, those are big issues that are moving into the Congress. We need to have guardrails to avoid a recurrence of what we saw. But then within those guardrails, I would expect that the PAC will probably focus even more on these issues that frankly are just so important to us as a company and, I think, the tech sector.
One of the issues is these companies have lots of different people in them, and there’s a lot of partisanship happening. Have you ever considered becoming apolitical? I mean, I know — it’s interesting because I remember having a meeting with Bill Gates in the mid ‘90s. And he was like, ugh, do we have a lobbyist? I don’t even know. You know what I mean? He was sort of like, I think he’s got an office in Rockville, Maryland, which was way outside the Beltway. And he was very, why do we want to bother with these people, in the early days. Do you think about that?
Well, there’s two different questions I think you are, in effect, asking, Kara. The first is, do we ever think about whether we really need to have a PAC? And I absolutely ask myself that from time to time. I ask other people. I think we have one for good reasons. The bigger question — and I think it’s the right question, it’s the one you’re asking — should we become apolitical? Well, another way you could phrase that — you virtually did — should we simply withdraw from the world of politics? And I would say, absolutely not, because the issues that connect technology to the world of politics are of such fundamental importance for the future. It is the future of privacy protection, the future of cybersecurity, of digital safety, of antitrust and competition regulation. I think this is where the future of technology increasingly is going to be decided in the world of politics.
Right. But it has to be monetary relationship? Because it sort of takes these incentives and complicates them rather than here’s the good policy. I guess you have no other lever.
Well, actually, we have lots of other levers. I mean, I think we shouldn’t over-pivot, to be honest, on the PAC. First, we should just recognize that only 3% of political donations in the United States come from political action committees in companies. And then we should recognize that actually most of the political currents of our day around these issues are flowing fastest outside the United States. And these are countries that don’t have this system. These are countries where we obviously therefore don’t participate in that way, but we do participate every day in sharing our ideas and advocating for them on certain days.
So when you’re thinking about big tech’s political contributions, obviously, it runs right into regulating big tech. And a lot of the things you’re talking about in the future — cybersecurity, health care, autonomous vehicles, facial recognition, transportation, everything has regulatory elements. But you haven’t been in the spotlight in the way that Facebook, Apple, Google, and Amazon have been when it comes to regulation. Why do you think that is?
I think one way to understand what’s going on is to look specifically at the way regulators in Brussels are starting to frame the issue. They’re really focused increasingly on one specific category of technology companies, what they call gatekeepers. Amazon is a gatekeeper. Google, with search, with YouTube, is a gatekeeper. Facebook. Apple is a gatekeeper, with something like the App Store. Microsoft is a gatekeeper, as well, with Windows and with Bing, our search service. But mostly, we are not. That’s not our business. When you look at what we’re doing in the enterprise and for organizations, including non-profits and governments, we are creating and providing the digital infrastructure on which they run themselves. But they’re not having to go through us in that way to reach the people they’re dealing with. They use us almost as a factor of production, an ingredient, if you will, or component. So we’re doing different things in a different way. But still, when you come to many other issues like cybersecurity, we’re much more front and center. But when you get to these antitrust issues, we’re not serving the same function they are.
So their focus has changed because 20 years ago is a different story. Back then, you were the center of attention during this massive Justice Department antitrust suit. Ultimately it did not end up in the breakup of Microsoft, but did prevent the company from exclusively dealing with PC manufacturers and required Microsoft to provide other software makers access to elements of your code. You were not involved in this case at all, correct?
I was connected to the DOJ case. I dealt with the international implications of it at Microsoft at the time. But what I would say, Kara, is this — actually, Windows was and Windows is a gatekeeper the way the Europeans are defining it. In many ways, the issues that were pushed against Microsoft in the 1990s were very similar to those that are being advanced today. There were concerns that if you created a browser, you couldn’t get it to consumers unless you could get it through Microsoft. And one of the interesting things, in my opinion, is we changed. We changed largely because the government required that we change. And then we changed more because we realized that we were better served to adapt. And so when we look at the regulations that are being crafted in Brussels, we actually comply with them, because we have made changes that in many ways others today are resisting.
One of the things, too, people make the argument is the case slowed Microsoft down, and it allowed that opportunity for other companies to assert themselves. How do you assess that?
I think one lesson I’ve learned is that if you’re at a big tech company, maybe any company, there are almost like the five or six stages of antitrust grief.
[LAUGHS] OK. Let’s go through these.
Yeah. Stage one, the government doesn’t understand technology. Stage two, they just don’t appreciate all the good things that we do. Stage three, we will win in court. Stage four, maybe we can settle this thing without having to do anything very painful. Stage five, oh, boy, I guess this is going to be painful after all. Stage six, wow, there is life after all of this after all, and it’s not a bad life. There are restrictions on what you do. It gives you the opportunity to exercise, I would argue, a greater sense of responsibility. We made it to stage six. A lot of people right now are in sort of stages two and three.
You’re going to have to then put the companies in. Where’s Google? What stage is Google in?
Well, look, they’ve been sued, and they’re saying they’re going to win in court. So they’re in stage three.
OK. What about Facebook?
Facebook’s been sued. They say they’re going to win in court. They’re in stage three.
I think they’re still in stage one.
There’s a special victim stage for them. Like, how dare we insult them in any way? Amazon, where are they in the stages?
They’re probably still in stage two.
Apple is probably more in stage two, but they’re like, look, you don’t appreciate what we do. This App Store is really a wonderful thing.
Uh-huh. OK. When you get to stage seven? Or six or seven?
Six. Six is the other end of the tunnel.
Six. One of the things just for people who want to go read to the end of the book, Microsoft’s now one of the top five most valuable companies in the world, usually around one or two. So it turned out OK for you guys. It turned out just fine.
And I think that’s the point. First of all, the reason you’re so valuable is you happen to be in the right industry at the right time. You know, you can’t be a grocery store and be one of the five most valuable companies in the world right now. But it doesn’t actually matter what industry you’re in. You have the opportunity to make your own future. Regulation puts a certain set of limits on what you can do. But the road is still wide, and more importantly, it’s long. There’s a distance ahead. And if you can just focus on moving forward, rather than arguing about where the guardrails should be, I personally believe that is a better recipe for success for yourself and serving your customers and the public.
Now, a lot of people in Silicon Valley would say don’t give in, which is an old Microsoft trope, really. What advice would you have for a Zuckerberg or Sundar Pichai?
My advice is simple — get to stage six as fast as you can. But you need to recognize that there is no such thing as a stage six that doesn’t involve change that you will regard as painful. It’s easy to spend a lot of time in that stage four. That’s the stage where you say, you know what? We’ll settle as long as it’s not painful. In the 2000s, I had to personally go out and negotiate like umpteen of these settlements with governments and other companies. And eventually we reached a moment in time when we looked at each other and we said, you’re not actually close to getting a deal done until it starts to hurt. That’s one of the things we learned. And so change will be painful, but the pain is worth it.
How did you get Bill Gates and Steve Ballmer, who definitely doesn’t — he likes to inflict pain, perhaps. I’m teasing. How did you get them to change that attitude? Because a lot of these founders are like that. They’re very like, I know best, you know, frequently wrong, but never in doubt kind of attitude.
Well, Bill and Steve are both, as you know, incredibly bright people. By the time we got to stage four, they encountered a lot of bumps on the road in stages one, two, and three. They were like, we get it. We’re going to have to change. It didn’t mean that there weren’t days when they looked at me and said, wait, you didn’t tell us it was going to be this painful. But I always felt that they were willing to listen. Sometimes they would debate. We would have some pretty lively discussions about all of this. I always felt that I benefited from the fact that they had my back, and I knew it. And I knew it in part because when they interviewed internally for the job I was given, as general counsel of the company in 2002, I was very direct with them. I said I believe it is time to make peace as a company. That is the strategy I would pursue if given this job. If that is not the strategy you want to pursue, I’m actually the wrong guy for the job.
You’re not the wartime consigliere, I guess.
Yeah, yeah. And so, because they had chosen me after that conversation, I didn’t need to spend two years or three years asking myself, well gosh, I wonder if they’ll listen to this?
Let’s talk specifically about Google, for example. It’s currently at war with the Australian government, which I think Microsoft might become involved in here, over a news media bargaining code, which is basically a law that says tech companies need to pay news organizations for their content. Google threatened to stop providing search completely in Australia if they were forced to comply with the law. And then you all said if Google does drop out, you would step in and fill the gap with your search engine. You just happen to have a search engine, Bing. Are you actively working with the Australian government to do this, or is this an opportunity if these companies sort of — you know, I’m going to take my toys and go home?
We have actively reached out to the Australian government. Satya Nadella and I last week spoke with the prime minister. I actually think this might emerge as one of the more important developments of the year for technology, especially in the world of regulation. First of all, look, I just think this addresses one of the most important problems in the world today. This is a time where democracies are less healthy, and it’s in part because of these two technology developments — the spread of disinformation and the decline of traditional news. The Australians have actually fashioned a path to solve part of this. Their message to Google and Facebook is very simple — if you want to be in Australia, you have to share more of your very profitable service’s revenue with traditional news. Google’s answer was, if you make us do this, we will leave. We will quit the country. And we stepped forward and said, we are there. We will stay. We’re not going to threaten to leave any country. But especially with respect to this, we believe we can run a successful search service. It will not be as profitable as Google’s is today. But it will be less profitable because we are prepared to share our revenue with news publishers. Now, interestingly, Google seems to be re-entering the conversation. Within 24 hours of my going public and being on Australian television and saying, we will stay, we will pay news publishers, Sundar called the prime minister. So what does this tell us? Well, number one, it tells us that search isn’t as competitive as it should be. It tells us that Google isn’t prepared in an uncompetitive market to share revenue the way news publishers believe it should, the way I believe democracy would benefit from having search revenues shared. It shows that if there is a credible competitive alternative subject to real regulatory rules, this can be changed.
It will require additional steps, but this is something that is relevant in Australia, but the Canadians are watching. The Europeans are watching. And when you look at the world of regulation today, it actually starts in one country, it spreads around the world, and this is starting to spread, and it should.
In this case, obviously Rupert Murdoch has a big say. And he’s had a bee in his bonnet about Google since he’s had a bee in his bonnet, which is always there. But Google and Facebook use people’s content and benefit from it in a way these publishers don’t. So they’re essentially taking their content and monetizing that without giving them a piece of it.
Yeah. And I think that the concern that has developed is that when Google has been told to go negotiate with publishers, they will, but they don’t offer as much as the publishers think they deserve. What made the Australian proposal different is they developed a solution. They said, you have to go negotiate. If you cannot reach an agreement, we will have an arbitral panel engaged in baseball arbitration, meaning, you’ll each put your best and final offer forward, and we will pick one of them. And suddenly, that means that the publisher’s choice could win. So that’s a game changer.
So would a similar thing happen in the U.S. if Google is broken up as a result of their antitrust case? I mean, that case is going to go on — what would you estimate?
Most antitrust cases take a long time, which is why I think you’re seeing regulators increasingly turn to new regulations and laws and not just cases. But I think the real connection to the U.S. is this — the U.S. Department of Justice has concluded that Google has built up its search share through an unlawful agreement with Apple, done on an exclusive basis to set the default setting on the iPhone so that the search traffic goes to Google. And Google says we’re going to win in court. And we’ll all see. I’m not expressing an opinion here on who’s right and who’s wrong. But you don’t actually need to bring a case to, in effect, accomplish the same thing. What you can do is you can say there needs to be a new form of profit sharing with news, and there needs to be more competition. And you can create competition by sort of skipping ahead, if you will, to a legislative or regulatory remedy so that instead of having all of the defaults set in a way that serve searches to Google, you spread searches around. And then you let people decide who they really want to use.
Right. So, but it would be an opportunity for Bing. I personally think Apple’s going to get in the search space pretty soon.
Well, and what we should want is a world where anybody can get in the search service if they want. And we are in it, so obviously we would benefit from a world that makes competition easier.
So you see this playing out not just in Australia, but around the world.
Well, the Canadians last week were making a point that news deserts are spreading around the world.
Yeah. And they have a new tech regulator’s position, which will oversee platforms.
And so does the British government.
Yeah. Do you think the U.S. should have one? And I think I should be it. What do you think? [LAUGHTER] They’d go crazy.
I’ll offer no opinion on the second part.
Come on, Brad! Get behind me!
Bing! No, I’m sorry. Remember when Ballmer did that?
Yeah. I do. No. Look, I do think we’re going to have a world where there are going to be regulators in each country with more responsibility for technology. Interestingly, perhaps ironically, the U.S. may be the laggard, not the forward leaner. And there’s so many questions that would have to be sorted out, including where would you put this person. Is it in the FTC? Is it in the FCC? Is it in some new agency? But regulation is coming. And within the next two years, it’s so clearly arriving in many countries, especially the European Union, India, other places. It will come to our own shores, too.
I say a cabinet position. I’m going big, Brad.
It’s going to happen. It’ll be so fun.
I will keep my eyes peeled.
I’ve always thought there should be an agency, a separate agency. I think the FTC is overwhelmed and understaffed. And it has to deal with like, meat processors and everything else.
Well, the one thing I have often thought about and said is look, had this been in the 1930s or the ‘40s or even the ‘60s, there would have been a regulatory agency created for technology, because the last 20 years, a quarter of a century, have been defined by more gridlock, less agility, we don’t. And we’ll see what it takes to change that.
Yeah. We’ll see. Secretary Swisher sounds great. I hear you’re also a fan of Europe’s General Data Protection Regulation, which limits how companies can access and share user data in the EU, but the law hasn’t really been enforced, mainly due to lack of funding and resources and also due to stalling from tech companies. Do you still think it’s important to have these laws, even if companies can find loopholes anyway, and big companies can sort of sidle out of it?
Well, I would say two things. First, we need privacy laws. And two, everybody needs to follow them. We shouldn’t have a world where there are laws that small companies follow and big companies get around. But let’s first start with the proposition, do we need strong privacy laws around the world? Yes. We do. I actually am optimistic that you’ll see this Congress this year or next enact a national privacy law.
Facebook and Apple are in a privacy battle right now. Apple is trying to warn users about Facebook tracking their data with a new part of their operating system. Facebook is trying to beat Apple in lots of ways, including antitrust threats and things like that. I’m just curious. Someone said now government has never been able to do a good privacy bill. It looks like Tim Cook’s going to do it for them — and really cause an existential threat to Facebook. I’m curious what you think is happening here, because that’s been something Apple used as a brand thing? And also I think they really do believe it. I actually do think it’s been a long time — it’s a good thing for Apple to use the privacy cudgel.
Look, I think Apple has every right to create the characteristics, the attributes, for its brand and its products. And then it needs to follow the law itself. We have issues with Apple around its App Store. But fundamentally, if Apple wants to say we want the people who buy an iPhone to buy it with confidence, that this is how their data is going to be used, that’s their prerogative. And other companies can make other choices. And if there is competition in the market, consumers can decide what they prefer.
And what do you think of Facebook’s reaction? He drives them crazy. Tim Cook drives Mark Zuckerberg personally crazy I think.
Yeah. That’s a food fight that I try to avoid getting in the middle of. So I’ll just stop where I have come.
OK. Well, you sort of were like, Apple’s doing the thing it needs to do. Are there any good arguments from Facebook? And I know there’s the App Store issue, which I think will get settled eventually by some sort of agreement or decree or consent kind of thing, not anything bigger than that.
First of all, that’s sort of an invitation to say, hey, Brad, why don’t you re-enter that food fight?
No. I’m not —
See, I’m very sly, Brad. [LAUGHTER]
I know you well.
No. I do think that you will see regulation of app stores. I think you’re going to see it in Europe, to begin with. And I do think that there will be a set of rules. And it may not be a lawsuit or anything. I think one of the things we should all recognize is regulation moves faster, an outcome moves faster if a government pursues a regulatory proposal than a lawsuit or a competition case. And we may see all of these things happen. But I think the world of app stores is going to change.
Yeah, agree. I agree with that. I don’t think this will be quite as dramatic as some of the other things.
Well, that’s true. The thing that people sometimes like or dislike about lawsuits is they make for dramatic controversy. Regulatory proposals are more likely to be entertaining to lawyers than to people who want to watch dramatic productions.
Yeah. I actually also think Apple’s a lot smarter than the other two. They’re starting to already look like they’re being cooperative. You know what I mean? The little rules they’ve changed. And I think eventually they’ll be way out in front of this, comparatively. And they’re not going to stamp their feet, except maybe on encryption things, like that.
Any day that Apple makes broad changes in its App Store policies, I think is a good day. [MUSIC PLAYING]
We’ll be back in a minute. If you like this interview and want to hear others, hit subscribe. You’ll be able to catch up on “Sway” episodes you may have missed, like my conversation with Reddit CEO Steve Huffman. And you’ll get new ones delivered directly to you. More with Brad Smith after the break. [MUSIC PLAYING] Microsoft was one of the victims of the 2020 Russian hack, also known as the SolarWinds hack. The attack affected an estimated 250 government agencies and companies by targeting their supply chain, rather than the organizations themselves. Talk a little about when you first learned of the attack.
Well, we first learned of the attack when we were contacted by FireEye.
This is a private company.
Yeah. FireEye is clearly one of the world’s strongest cybersecurity firms. They realized they had been targeted and been attacked, and they called us and asked us to come work with them to identify what was going on. And that put us on a path where we ended up doing a lot of work. This was really around the beginning of December, and that’s continued to this day. And it is worth pausing, I just think, for a minute and just to recognize how sophisticated this attack was, because you basically had an attacker that put malware into the update of a company, SolarWinds, a network management company. That update with that malware went out to organizations around the world. So it was a massive disruption of the software supply chain. What that malware did, in effect, was create a back door. Think of it like a back door in a house. This attacker was very sophisticated. It then knew where it had back doors, and then it decided which houses to enter — as you said, by some estimates, roughly 250. In those houses, it went in the back door, and the first thing it did was find a way to create a second point of entry, call it a window. And then they closed the back door because they knew the back door would be found, but the window was less likely. Now they had a way to communicate through another command and control server, typically in a U.S.-based data center. A lot of it was through AWS, but it could have been anybody. And they now have the ability to go through the window and walk around the house.
Without being detected.
Exactly. And so they used the kinds of tools that hackers use to find their way around the house. And what they really looked for was accounts that would have elevated privileges, that would get them into more things. So in some cases, they then found things that were valuable in the house. In FireEye, they found these security tools. And so they then absconded with copies of the security tools. In other cases, they looked for ways to, in effect, find the keys to get back into the cloud services of the organizations they had penetrated, including things like Office 365. So they looked for the keys to get into Office, as well as other, say, email or documents and data and the like. They were incredibly persistent, incredibly sophisticated. I think it was one of the, unfortunately, best-engineered cybersecurity attacks that we or anyone has ever seen. And I think it quite rightly has raised concerns about how we protect against this kind of attack.
Yeah. Especially not just government agencies. And there have been little bits and pieces of this in corporations. How did you first find out that Microsoft had been affected?
[CHUCKLES] This time, it came from a phone call rather than an email. And it was just a —
Josh Hawley and the nefarious hackers.
Something goes wrong every week, Kara.
Yeah. I bet.
It’s just a matter of how you find out. And in this case, it was literally a call shortly after we had been contacted by FireEye. And this was potentially a very serious attack. We had no idea at that point that they had been targeting Microsoft. We knew only that it was FireEye. But what really got our attention was the likely attacker, which, as people have said, the suspicion very quickly was the Russian Foreign Intelligence Agency.
How do you think you all missed this then? Saying they’re sophisticated is one thing, but you all are also sophisticated.
Well, I think that there are two things here. First of all, as time has gone by, we have identified more than one attack vector. There was SolarWinds, and there were other ways that they have sought to attack typically governments, government contractors, tech companies, some think tanks, and the like. But the one thing that has been consistently in common is they don’t attack through the cloud service. They attack through an on-premise server. And I think they do that for two reasons. One is they look for something that isn’t as secure, that is easier to exploit. And second, they do it on-prem because they know that we and others are not able to detect that. We can detect it when it moves to the cloud, but we cannot detect it when it remains on-prem. Now, the second reason that I think it took more time to detect is, unfortunately, these people are very good.
So one of the ways that Microsoft was targeted was through your resellers. Have you changed your relationship or implemented new security measures with resellers and others — because this is one of the ways Microsoft does business — and other software companies avoid cybersecurity threats?
We identified and spoke out publicly — basically, one tactic that we have seen emerge in the world of cybersecurity is, they look to people who, in effect, you’ll say, have a password and access to your network. And what they’ve started to recognize is a company, the New York Times, the United States government, you name it — you may have done more at this point to put in place good protection around what your own employees are doing, and you may not be doing as much for other people that you trust, and that may be a reseller. But I think it’d be a big mistake to think that this is just about resellers. It could be a management consultant. It could be any kind of person. The specific thing that I believe we need to address, and are addressing, is to ensure that we can go immediately to any customer because that is our policy. And in this instance, what we had to do was go to these resellers and say, we think you’re being attacked. We think these customers of yours may be subject to this attack. And we had to push them to go where they did. But what I really think we need to continue to advance is the effective execution of the policy in which we deeply believe. Whenever we see a Microsoft customer who is being attacked, regardless of how, we let them know. But I also think there’s a broader question for the tech sector and for customers. This is not a uniform practice across the tech sector.
Well, I think that should be a law.
Yes. And your point, I think, is something that connects with another aspect that is deeply important for the United States and other countries. Nobody wants to, say, impose a law that makes me do something. But if we want to protect the security of the United States, I think we need a law that does create some kind of responsible, well-crafted obligation for us to tell someone in the United States government in an appropriate way, in a discreet way, in a way that protects against the disclosure of private personal information. But today, we live in this world where all of this information about attacks, what we call threat intelligence, is in separate silos, and even the government itself cannot scan the horizon from left to right.
Right. So this hack was so widespread and really showed how blurry — which you just were talking about — the line between private and public sector is. And you’ve been very vocal about the U.S. government’s failure to track and communicate cybersecurity threats to the private sector. Can you explain your position on that, and how did they fail you and others?
Well, interestingly, I think there are some parts of the U.S. government that do a really superlative job.
The N.S.A., the National Security Agency. If you look at their track record over the last few years, it is an impressive track record for their ability to protect the country, for what they do. In this case, I think one of the single best public statements that really describe to the cybersecurity professionals of the world the nature of this attack based on SolarWinds and how to protect against it was published by the N.S.A. They published it to the world. But one of the things that we need to recognize is that the N.S.A. only has legal authority to scan the international horizon. And I think that people have realized that. I think that is in all probability why these particular attacks were really launched by using U.S. software and then command and control servers in U.S. data centers. So we have the other parts of the U.S. government where you have in the Department of Homeland Security a much newer, younger agency. We have other authority that’s vested in the F.B.I. And I think whenever you have multiple agencies sharing responsibility, the risk is that you create multiple silos of data that are not getting shared across the government. And then you don’t get as much sharing between the public and private sectors in an appropriate way.
There is certainly, if you’re having one. Many times, there has been an idea of having one central information authority like this, and it’s always been shut down, you know, the one spot where all the information is.
And I’m not advocating necessarily that there should be a singular agency for the entire United States government. What speaks to me in the most compelling way is when I went back after this and reread the 9/11 Commission’s report, because that, too, was an attack. And that’s the number one conclusion of the 9/11 Commission. It said that all of this data about the threats existed, but it was trapped in silos. And then they specifically talked about the need to change the culture of information sharing. That before 9/11, the culture was information was shared with people only if they had a need to know, and instead, the government needed to create a culture that fostered a need to share. And we know that not everything should be shared, but I do think that we would benefit if more is shared in some additional ways.
So speaking of sharing, do you believe the U.S. government — what do you believe they need to do to remedy its relationship with the private sector and tech companies for further attacks? I mean, I think the Edward Snowden, speaking of going back, those revelations still are reverberating between tech and government and the cooperative relationship.
I do think that the Snowden revelations continue to reverberate, and they reverberate around the world. But I think one should separate two different issues. One is what techniques should the United States government use to gather intelligence? The Obama reforms set new limits on the way intelligence was gathered. This is a different issue, I would argue. This is how to share the intelligence that has been gathered in an appropriate way. And I think that frankly this is an area where we all need to change. I’m not going to say that only the government needs to change. I think that we in the tech sector need to change. I think we can and should take more proactive steps ourselves to share information in new ways. I think that we need to find more ways to share information across the tech sector and with the government. And we would benefit if the government were to fashion a new, and I’ll just say, clear policy that will help us understand when they’ll share information back.
So when you’re looking back at the Trump administration, how would you assess their efforts in this area?
Well, interestingly enough, I think the Trump administration got off to a pretty good start in addressing cybersecurity challenges. This was in 2017 and early 2018. There was a public attribution of the WannaCry attack and then the NotPetya attack. One was about North Korea; the other was about Russia. And then unfortunately, I think we saw less continuous momentum. We saw more vacancies at times than I think we would have been best served by as a country. There just weren’t as many of the right people in the right jobs. So I think we lost momentum. And interestingly, I think we should give the administration, including C.I.S.A. and the Department of Homeland Security, high marks for work they did to secure the elections in 2020. So there were some important areas of progress, but there’s more we need to do. There’s more we all need to do, including at Microsoft and across the tech sector just because the threat landscape is continuing to become more serious. But that’s the way I would look back at the last four years.
How do you look back on the TikTok? That was a threat landscape. [LAUGHS] What happened?
Well, TikTok was —
This was that China was spying on our teens, essentially. It was all a circus as far as I was concerned — about a credible threat, by the way, from China incursions in other areas.
I think that TikTok is an example of the kind of issue that deserves some serious conversation. It is an example of the kinds of policy issues that will become more important in the next four years, and I think you’ll see the Biden administration address in a sustained way. And it obviously relates to when should Chinese technology come into the United States. How do we think about export controls? Do we want all American technology to go to China? These are big issues. What does it mean for our relationship across the Atlantic? And the best way to deal with these I think is to step back from the individual companies and cases, whether it’s TikTok or somebody else, and just start to ask, what is it that we want to do? How do we secure supply chains for hardware and software? And how do we think about the implications of technology, even for the protection of fundamental human rights? All of these, I think, are top priority issues.
It was directionally correct and freakshow-ishly executed. It had everything to do with giving Larry Ellison control over teenagers’ dance styles. I didn’t even understand what it was about. This is the Oracle founder. Yeah.
That is not a sentence I’ve ever uttered. It’s fascinating to think about.
Think about it. Just think about it. You could have been in charge of that, Brad. Microsoft was right in there. Anyway, you hope the Biden administration will do better in working with the private sector?
I am hopeful and optimistic about the next four years. I think that we’re really all well-served as a country by the appointment of a significant number of really capable people who, in some cases, I think have quite a sophisticated understanding of these issues. I do think we’re going to live in a time when action through Congress is going to be a challenge just because we basically have virtually a 50-50 split in both houses. But I think when it comes to foreign policy, when it comes to executive orders, and perhaps even to legislation itself, we should all hope that we can ensure that technology is used much more as a tool and less as a weapon.
Yeah. Well, anyway, last time I talked to you, I said you should be the CEO of Facebook. As you know, I’ve been pushing you for that job for quite a long time. I still think you’d be an excellent CEO of Facebook and would possibly solve their problems there. But now I’m wondering, do you have any interest in working for the government?
No. I really like where I am. I love the fact — first of all, I’m at the company I want to be at. It’s called Microsoft. I think that I am in a position working with somebody like Satya and our team, where we get to work on all of these big problems. We get to do it on a global basis. We get to do it in a principled way. And every day or week, something goes wrong, but that’s sort of the nature of working at a place where things are important.
All right. So no government. But you still don’t want to be the CEO of Facebook?
I definitely do not want to.
What would be the first thing you did if you were, say?
I’m not going to go there. [LAUGHTER]
All right. I can’t get you a new job. I failed in my efforts. Thank you so much, Brad. I really appreciate it. It’s always a substantive and interesting conversation with you.
Well, thank you. I feel the same way. And I always appreciate your personal interest in my career development.
Any time, any time.
I’m just trying to make you some money, Brad. [LAUGHTER]
Thank you very much, Kara. [MUSIC PLAYING]
“Sway” is a production of New York Times Opinion. It’s produced by Nayeema Raza, Heba Elorbany, Matt Kwang, and Vishakha Darbha, edited by Paula Szuchman, with original music by Isaac Jones, mixing by Erick Gomez, and fact-checking by Kate Sinclair and Michelle Harris. Special Thanks to Shannon Busta and Liriel Higa. If you’re in a podcast app already, you know how to subscribe to our podcast. So subscribe to this one. If you’re listening on the Times website and want to get each new episode of “Sway” delivered to you faster than a Russian hacker can break into your network, download your favorite podcast app, then search for “Sway” and hit “subscribe.” We release every Monday and Thursday. And by the way, I should be internet czar. [MUSIC PLAYING]