Criminal Hacking Is on the Rise. Microsoft’s President Says This Is How to Fight It.
Russia’s recent cyberattack on U.S. companies came without warning, but not without precedent.
In 2017, an attack that the U.S. government said was launched by the Russian military wreaked havoc on Ukraine. In 2020, hackers used the same tactics to scramble systems in the West, including those of Microsoft (ticker: MSFT) and other tech companies. The White House would later confirm that the perpetrators were associated with the Russian Foreign Intelligence Service, or SVR, which slipped malicious software into the network of SolarWinds (SWI), a company that provides information-technology software for other organizations. The breach gave the hackers access to as many as 18,000 other targets in business and government.
It was a moment of reckoning, says Microsoft President Brad Smith, who testified before Congress about the company’s response to cybersecurity attacks and has emerged as its top geopolitical strategist.
Although the SolarWinds hack caused substantial disruptions for the businesses affected, the hackers showed an element of restraint that kept the public outcry muted. “If the incident in Ukraine had happened in the U.S., it would have been completely different,” Smith told Barron’s, citing the damage suffered by Ukraine: “10% of a country’s computers going down, people losing their ability to access their bank accounts, use their credit cards, watch the news.”
The U.S. has yet to see a cyberattack of such proportions, but it could be coming. When hackers broke into Colonial Pipeline’s system earlier this year, demanding ransom, the fuel-transport company shut down gas supplies, causing shortages at the pump. “It impacted people’s daily lives in a way they never expected,” Smith says.
That Colonial serves the region encompassing Washington, D.C., also was relevant: People in government felt the impact firsthand, lending a new urgency to the problem. The Biden administration is closely focused on the issue, Smith says.
Smith, 62, is the longest-serving member of Microsoft’s senior leadership team. On Tuesday, he became vice chair of the board. A Wisconsin native and lawyer by training, he joined the tech giant in the 1990s. In 2002, he became general counsel, in the aftermath of a decadelong antitrust suit that nearly broke up the company. Back then, his job was to make peace with the governments that had battled Microsoft. Now he helps the company navigate a world that he describes as a “few steps short of war [but] more difficult than a genuine time of peace.”
In his 2019 book, Tools and Weapons: The Promise and the Peril of the Digital Age, co-written with his chief of staff, Carol Ann Browne, Smith argued that companies and governments need to come to grips with the dangers of technology. This month, Smith and Browne released an updated version reflecting more recent developments.
Microsoft has come to occupy a central role in the increasingly urgent business of cybersecurity. The company, in Smith’s words, is a “singular global institution” that isn’t confined by territorial borders “the way governments are.”
With the Microsoft Windows computer operating system installed in every corner of the globe, the company’s intelligence-gathering capability is formidable. “I’ve had people in the U.S. government tell me that they think we have a unique data set,” Smith says.
For example, Microsoft saw the Colonial Pipeline attack unfold “almost immediately,” he says.
Cybersecurity fixes will require action from the government and the private sector—and not just the tech sector, he says. Some cybersecurity experts say insurance companies have inadvertently encouraged ransomware attacks by making it easier for companies to pay ransom. Addressing the issue is one reason that insurers were invited to a recent White House cybersecurity summit, Smith says. The U.S. also has a serious shortage of cybersecurity workers. Making companies fully disclose their cybersecurity problems will require an act of Congress, he says.
The problem isn’t just Russia. In March, Microsoft acknowledged that China had hacked the software of its customers’ Microsoft Exchange email servers. Criminal gangs, too, have turned to hacking to acquire sensitive data. Smith argues that governments need to establish “deterrence” against such criminal activity; in other words, they need to hack the hackers, although he says private companies should avoid such vigilantism.
The continuing trade conflict between the U.S. and China has obscured the need for a reckoning on cross-border data traffic, but Microsoft and other companies are working on the issue. Both the U.S. and China are trying to limit technology transfers to each other, but there hasn’t yet emerged “the kind of specific clarity” needed to understand the situation in practical terms, Smith says. Microsoft’s fruitless effort last year to buy TikTok, the Chinese social-media service that the Trump administration sought to ban in the U.S., illustrates the policy mess.
“The fundamental question is, can we put in place privacy protections, security protections, and protections against disinformation that would give the U.S. government more comfort with certain Chinese technologies in the U.S.?” Smith says.
The cybersecurity conflict only complicates the picture, ensuring that Smith and his Microsoft colleagues have plenty of work to do.
Write to Matt Peterson at [email protected]