His statements underscore the unique and enviable position that Microsoft finds itself in compared with its counterparts.
Microsoft has dodged the bruising that its peers have taken this year. Executives from Facebook, Google and Twitter have testified before Congress, pressed to explain their privacy practices and the exploitation of their platforms by Russian operatives. Google found itself in the spotlight again on Monday after revealing that it had discovered a flaw in its Google+ product that exposed the data of hundreds of thousands of users. Apple and Amazon are the targets of attacks from President Trump.
But Microsoft, which runs the world’s largest corporate email program and one of the biggest cloud computing businesses, has not only escaped the negative attention of its industry peers but has turned potential attacks on its systems into an asset.
In August, Microsoft said it had disrupted attempts by a group affiliated with Russia’s foreign intelligence service to create phony websites mimicking the U.S. Senate, as well as a prominent conservative public policy organization. The announcement, which demonstrated the aggressive role Russian operatives are playing ahead of the U.S. midterms, was also surprising in that Microsoft had so far been relatively silent on the issue of foreign interference.
Microsoft paired the Russia disclosure with the launch of a new security monitoring service that offers heightened threat protection that it will provide free of charge to government officials, candidates, campaigns and other political entities that are Microsoft clients. The company says more than two dozen officials and organizations have signed up for its AccountGuard product, giving the firm’s security engineers even greater visibility into potential targets of foreign attacks and positioning Microsoft’s technology as safer than its rivals. More than 400 million emails pass through the company’s malware filters each day.
The announcement appeared to prompt competitors to create copycat offerings. Facebook, in the throes of its own security troubles, launched a pilot to protect the accounts of political candidates shortly after.
Nadella, who has described security as “the most pressing issue of our time,” contrasted the hard lessons that younger firms like Facebook are learning this year with Microsoft’s own challenges.
Founded in 1975, Microsoft is a generation or two older than Google and Facebook. Nadella said the company’s “big moment” in terms of a major security wake-up call took place around 2000, when Windows XP and other products suffered embarrassing cyberattacks that affected many of its large government customers, long before the aftermath of the 2016 election, when the Russian threat became more salient and threw Google, Facebook and Twitter into the spotlight.
The scare prompted then-CEO Bill Gates to issue a companywide edict, known internally as the Trustworthy Computing Initiative, that changed how Microsoft viewed security. From then on, Microsoft began to design such features into all its products from the ground up, Nadella said. For example, they delayed the launch of Windows Vista to follow new security protocols, such as threat modeling and reducing the number of people who have access to a system.
New threats accompanied the explosive growth of the Internet and the rise of smartphones, leading to the creation of the Digital Crimes Unit, a division whose goal was to go after botnets, or groups of computers that infect other computers to steal banking and other personal data. Staffed by former prosecutors, the group adopted a novel legal strategy of obtaining secret injunctions that enabled it to seize computers and Web domains affiliated with the botnets. They brought the suits on the grounds that the fake emails used to spread malware violated Microsoft’s trademarks. The secrecy enabled them to shut down the domains without spooking or tipping off bad actors.
Since 2016, the Digital Crimes Unit has turned its focus to nation-state actors including Russia, China, North Korea and Iran and is tracking roughly 70 commercial and nation-state threat groups, according to the company. Each group gets a code name after an element on the periodic table. The Russian intelligence agency, or GRU, is called Strontium. The DCU has also extended the legal strategy to the nation-states. It has obtained three secret injunctions from U.S. courts to go after Strontium-controlled domains, including six used in the attack the company disrupted in August, according to the company.
While consumer companies were just waking up to a new array of security challenges, Nadella said that because Microsoft has been responsible for securing the data of large corporations, “I’ve lived in what I think is high scrutiny all [my] life,” he said. “It could be that some companies that are predominantly consumer companies are realizing that even consumers are going to be very discriminate ... in terms of their technology use and their demands of technology vendors. ... So I say, welcome to the club.”
In the interview, Nadella, who has been CEO for nearly five years since the departure of Steve Ballmer, expressed concerns about device addiction. He said he limits screen time for this three children — “anything overdone is always a problem” — and uses Microsoft’s AI software to remind him not to email his staff on the weekends (“a classic overuse of power”).
But Nadella, exhibiting his tempered personality, avoided taking sides in spats between tech CEOs over whether the advertising business model employed by Facebook and Google had gone too far by turning customers into a product. “I think users will choose” what business model works for them, Nadella said. “Everything has a place. Anything overdone is a problem.”
Nadella stressed that Microsoft has a “first-class software problem” of building products that are used by and between institutions, as opposed to Facebook, which seeks adoption directly from its users. “The way to protect our democracy is by protecting the institutions that make up our democracy,” he said. “I wish I could make some simplistic assumptions about one worldwide community with two billion people. No, I don’t. We live in what is a heterogeneous, complicated world.”