MR. IGNATIUS: Welcome to Washington Post Live. I’m David Ignatius, a columnist at The Post. Today on our continuing series, “The Path Forward,” our guest is Brad Smith, President and Vice Chair of Microsoft, and one of the tech industry’s clearest thinkers about problems ahead. Brad had just issued a revised edition of his 2019 book, “Tools and Weapons: The Promise and the Peril of the Digital Age.” It provides an updated roadmap of what we can expect to see in years to come. Brad, thank you so much for joining us today on Washington Post Live.

MR. SMITH: Well, thank you, David. It is always great to be with you, and I am sure we will have another really interesting conversation.

MR. IGNATIUS: Great. Well, let's jump into it. I want to begin with cybersecurity, where you've added a new chapter that focuses on the unprecedented hacking attack that Microsoft and other tech firms started to become aware of in November 2020, that came to be known as the SolarWinds attack, because that was the name of a relatively small tech company that had a piece of software called Orion, whose regular updates got penetrated by an attacker and were sent out to 38,000-odd customers, including this malicious software.

Pick up the story there, if you would, because it's a pretty good detective you are, and a pretty scary one, starting with Yttrium, which is the villain. What is Yttrium?

MR. SMITH: Well, it's the code name used inside Microsoft for the Russian Foreign Intelligence Service. And as you point out, my co-author, Carol Ann Browne, and I decided to update our book, and we wrote this particular new chapter and made it Chapter 1, you know, because as the events unfolded at the end of last year, I do think it was an eye-opening opportunity, frankly, for all of us that live at this intersection of technology and society.

And we first got a call from FireEye, one of the world's leading cybersecurity firms, and they began to realize that they had been hacked. They quickly suspected this hacker. We started working with them. In some ways I do feel like it is a 21st century digital version of sort of classic Sherlock Holmes in terms of following the breadcrumbs, unraveling the mysteries, and ultimately, perhaps most importantly, just recognizing the growing severity and sophistication of the threats that we face and the broadening need for more responses and more effective responses to them.

MR. IGNATIUS: You write, Brad, that you had, I think the number was 500 Microsoft employees who were working full-time to try to find and gather those breadcrumbs. Tell us how big a part of Microsoft's operations this sort of cybersecurity work is now.

MR. SMITH: Well, it is hugely important. We are a big company, so we have around 170,000 employees worldwide. But, you know, it is hard to say that there is much that is more important than cybersecurity, given the issues that it is creating.

And it really, you know, affects us in two very distinct ways, as a business. One is there is the security of our products that we focus on, and then second, we have security products and services, a security business. And, you know, what we specifically did when the SolarWinds events started to play themselves out is we moved engineers from other work so that they could help us identify which customers were being attacked. A lot of this involves, you know, real digital sleuthing, you know, identifying the specific techniques and procedures that an attacker is using. You know, once you have a sense of what your telltale patterns look like you can then scan cloud services, which we could do, and we can identify which of our customers had been penetrated, because we could find those patterns in their particular accounts.

MR. IGNATIUS: You note that you shared information, cooperated with the U.S. government as your forensics people were pursuing this, in particular with the NSA and CISA, the cybersecurity agency that's part of the Department of Homeland Security. Talk about working with those government agencies, sharing information with them, the comfort level that you feel as the president of a big tech company in doing that.

MR. SMITH: I would say a few things. I mean, the first thing is perhaps an obvious one. You cannot solve a problem like cybersecurity if information is captured and held in a lot of different silos, and information is siloed very much in the world today. In the U.S. federal government, you've got the foreign side, with the NSA, you have the domestic side, with CISA, but even more than that you just have a lot of information that is held in tech companies, Microsoft being one of the most prominent in terms of having a very important dataset, but lots of other companies having data as well.

You know, we definitely needed to push ourselves, and we did, to get out and share more information with both the NSA and CISA. You have to do this in a way that protects people's privacy, but I don't think that proved to be a difficult problem. We could identify information about what we were seeing without disclosing information on specific customers, or certainly on anything relating to an individual.

But, you know, more broadly, we felt good. There are good, capable people in government, and I would say just more generally, if there is one thing that gives me encouragement in September of 2021, say, in contrast to where we were in December of 2020, it really is the rapid progress of the Biden administration, the people they have put in place in key positions, the new initiatives they are pursuing. There's a lot more work ahead of us, including, I think, new legislation from Congress.

But, you know, as I said at the time, this was sort of a moment of reckoning. It was a call to action. And I do think that societally, both in the government and the private sector, the last seven or eight months in particular have been marked by people heeding the call, and that's good news.

MR. IGNATIUS: I want to come back to your conversations with the Biden administration in a moment, but staying with this attack, which occurred before Biden became President, you say that this seemed to you and your engineers to be something in between espionage--your attacker here is the Russian Intelligence Service, usually very secret in its work--and a broader attack on our infrastructure. Describe just what you think this was, and then maybe you could talk a little bit about how you've tried to talk to Silicon Valley colleagues about the need to work more and more effectively with the government to deal with this kind of thing.

MR. SMITH: Those are two really important questions, and to answer the first, David, I would say this. This was not, in my view, espionage as usual. This was not, you know, a single government trying to infiltrate, for example, another government, through either traditional means or through new digital tactics alone. What it did, instead, was tamper with the entire software supply chain, and by that I mean an update that was being used by SolarWinds to update their Orion software, which was, you know, in use by--the updates were going out to about 18,000 customers worldwide.

And, you know, if there is a principal that you see in international law, in international norms, you know, it is this notion of avoiding indiscriminate harm, especially indiscriminate harm to civilians and civilian infrastructure. And that is precisely what this did. The actor was able to get this out everywhere, and then it could pick and choose, once these organizations were potentially compromised, you know, which doors they wanted to go through again to try to extract further information.

Just think about the role that software updating plays in the world today. It would be almost, I guess, I think, a kid just sort of disrupting or infiltrating the blood supply. Once you tamper with it you put at risk the public's confidence to rely on something of enormous importance.

And so, yeah, I think that--and that is to your second question, this is a broader conversation for all of us in the tech sector, and I think part of it is how we can do more to share information with each other, and with the government. I think this benefits from government leadership, which we are now getting. But yeah, I think any day when we are sitting down and talking about how we can collaborate more closely among companies, that is probably a good day.

And I think, in addition, it really calls on us who see this unfolding before our eyes to use our voice, among other things, to speak up for the importance of international norms, norms that put the software supply chain off limits, norms that put the electoral process or health care off limits, because we have seen all three of these things attacked with new cybersecurity techniques over the last couple of years.

MR. IGNATIUS: You've called, in the past, wrote in the earlier edition of your book, about the need for what you call a "digital Geneva Convention." You mentioned earlier that the rules of war have long regarded attacks on civilians, on hospitals, on basic infrastructure as appropriately being outside of the realm of conflict. You've been pushing this idea, but we are still not really much closer, as near as I can tell, to actually making it happen. And I wonder, Brad, what you see as the obstacles, including the U.S. government, which still seems to be wary of the idea, in trusting in a convention like this, that it's not sure others would obey.

MR. SMITH: Yeah, I think the sobering fact of life is that unfortunately the world typically comes together to do what needs to be done only after it has experienced some kind of natural or human-created disaster. World War II is the classic example, and it is no coincidence that it took that war, and then four years of work, in 1949, to bring the world together and have the Geneva Convention. And the principle to me is both compelling and straightforward, as you mentioned, David. It says even in times of war, governments will take care not to cause harm to civilians. And, you know, to me it's just something we should think about constantly. If we said we won't harm civilians in a time of war, why should we, for a moment, tolerate this kind of harm to civilians in what is supposed to be a time of peace?

Now I gave a speech four years ago, and it wasn't at the end of the equivalent of World War II. So, you know, I would say we have been raising awareness, building support. I do think that it is such an important time for the U.S. government now to lean into this in a bigger way. The Trump administration was an administration that was not enthusiastic about multilateralism, in any form, but multilateralism and multi-stakeholders can move forward. There was the Paris call that was adopted in 2018. Seventy-six governments around the world have signed it, and more than 1,000 organizations have, but not yet the United States government. And I think that would be a good first step for this administration, to say we are rejoining the rest of the world, and then to build from there.

Let's not wait for a disaster before what, frankly, we all recognize, or should recognize needs to be done, and that is to put some of these kinds of attacks off limits.

MR. IGNATIUS: Let me ask you one more question about these recent hacks, and then I want to turn to your conversations with the Biden administration. Both in the SVR hack, that we call SolarWinds, and in one that was revealed soon after by Chinese intelligence operation, that you call HAFNIUM--I love these code names that Microsoft gives to foreign actors--there was the same concern that the cloud, which is supposed to be much more secure, was supposed to be the place that people can trust for protection of information, had been compromised.

And I want to ask you about that issue, about the vulnerability of the cloud to these very sophisticated hacking efforts, and why you've argued, as you did in the case of this Chinese hack, that the proper response is really to go even further in the cloud as a source of security. Just walk us through that, the vulnerability of the cloud and then why you think even so it is still safe.

MR. SMITH: Well, I think both episodes illustrate the issues of the day very clearly. In the SolarWinds incident, the attack was focused on on-premise servers, not in the cloud. Specifically, the SolarWinds update was installed on servers of organizations around the world, both governmental and business, and the like.

Once the on-premise servers were compromised, then what the attackers did, among other things, was look for the authentication keys, say the passwords, of network administrators, that could then be used to move from the on-premise server up to the cloud, to, you know, see what a customer was storing there.

Now the sobering reminder is a very pragmatic one for organizations--please make sure that your network administrators store their passwords and authentication keys in a secure location, and don't necessarily give one person the keys to the entire kingdom. Give them access to just a part of the network that they need to take care of.

But the good news from that is when they moved to the cloud we could see who was compromised. We should all assume today that we do not know today, and we probably will never know in the future, every organization that was compromised, because if they haven't moved to the cloud and they haven't identified the penetration themselves then it may well be continuing.

Now Hafnium was another episode that in a way illustrates a very closely related phenomenon. It too was the penetration of an on-premise service. In that case it was servers that were running Microsoft Exchange server. And, to me, the great sobering reminder from that experience was we put out a patch but then customers had to install it themselves, because if you run your own server you have to install a patch. If it is in the cloud, then your cloud service provider will install it for you.

And what we specifically experienced in the Hafnium incident was some customers were very slow, especially smaller businesses and the like. Especially if they had gone two or three years without installing a patch, they had a lot of catching up to do.

So, you know, the cloud constantly needs our work as well, to strengthen security, but there are two extraordinary lessons from this. One is if your data is in the cloud we can see when you are penetrated, and second, if you are relying on servers in the cloud other companies will update and patch your servers so you don't have to. Both are extremely implementation in a pragmatic way.

MR. IGNATIUS: Let's talk, Brad, about your recent conversations with the Biden White House about cybersecurity and other issues. About a month ago, major tech executives came to the White House for conversations. I am curious what came out of that specifically that you can share with us, and why you feel that these issues of cybersecurity affecting big tech are on a better path now with the Biden administration than they were?

MR. SMITH: Well, first of all, I think that the cybersecurity summit that took place at the end of August at the White House was a significant step forward. It was a step forward, in part, because the White House brought together a variety of different groups. There were a half a dozen tech companies, a half a dozen sort of insurance and financial services companies, a similar number of companies in the energy and critical infrastructure space, and a similar number of organizations from the education space. And the first thing that should tell us is what is so clearly the case. If we are going to strengthen cybersecurity it will require a whole-of-society effort that brings us all together.

I do think that when you look beyond that, there are three other things that I would note. Number one, we, in the tech sector, can and should and will do more, invest more, and collaborate more to strengthen cybersecurity. A number of us announced new commitments. We were encouraged, spurred, even slightly prodded by the White House in a very healthy and constructive way to do more to help the nation and the world address cybersecurity. You saw us, at Microsoft, announce that we invest $20 billion over the next five years. We are bringing to the table $150 million of short-term engineering services just to help the government modernize.

The second thing that I thought was really interesting and important was, frankly, the focus on insurance, because when you think about the world today, whenever you have a problem and you need consumers or organizations to do more, insurance plays a significant role in helping make those risks economically sensible for organizations to address. Think of us all as drivers of cars. We know that if we avoid getting speeding tickets we'll keep our insurance rates down, so you have this financial incentive. Well, part of what we need today is to encourage more organizations to adopt all of the cybersecurity best practices that have been created, and I think we are recognizing that the insurance industry has a role to play.

And finally, the education sector is of vital importance. We face a very substantial shortage of cybersecurity professionals in the United States. I think that is one of the reasons that organizations are not moving faster to implement best practices. And so clearly that there is a real opportunity for us to work together, for community colleges to do more, for businesses to do more to train their people, for tech companies to lean in, and I think the summit helped point the way. You're going to see more action in the weeks and months ahead on that front, as well.

MR. IGNATIUS: So you have lauded the Biden administration for doing more and better, but you also expressed in your new book worries about continued silos of information in the federal government and in the private sector. We have, at the White House, Ann Neuberger, formerly of the NSA, as the Deputy National Security Advisor overseeing these issues. We have a Director of CISA at Department of Homeland Security. But we don't really have a government-wide cyber czar, as near as I can tell, who really has the kind of authority to absolutely drive policy everywhere.

Does the federal government need to do more if it's really going to face up to the seriousness of this threat, to break down the silos?

MR. SMITH: Well, I think we're going to need a government that can work as a single, well-coordinated team, and the team is going to need to include participants in an appropriate way from the private sector as well. I'm hopeful, encouraged, and I would dare say even optimistic, but as you say, there's a lot of work ahead for all of us.

I know Congress included, in the National Defense Authorization Act last year, a provision that required the administration to put in place someone closer, David, to what you described, and Chris Inglis, who is highly respected, is in that job. You do, obviously, then have Jen Easterly at CISA, and you have Ann Neuberger in the White House. You know, we have the NSA. Things are moving in the right direction.

You know, we do have this challenge as a government because we look at the foreign side and then we look at the domestic side. They are in different parts of the government. And yet what we see at Microsoft, because we have a global company, we have data centers around the world, ultimately do need a globally integrated data capability. That doesn't mean that you necessarily need to bring all of the data together in a single dataset, but you have to find ways to federate data so you can identify the patterns as they are emerging. I think the government recognizes this, Ann Neuberger recognizes this as well, and more work ahead.

But I will say I feel that things are going in the right direction and at a fast pace. That's encouraging.

MR. IGNATIUS: Let me switch course a bit in our remaining few minutes, Brad, and ask you about the attacks on big tech that you read in a lot of publications, that you hear from members of Congress, that are clearly out there. People are angry at big technology companies, that they feel that they're so powerful they can be abusive. Your company, Microsoft, famously was sued in the 1990s, in a huge antitrust case that was kind of a foundational moment for your company.

What do you say to the people who feel that Facebook, Google, the social media companies are too big, too arrogant, have too much information, and are not behaving responsibly, because we are on the verge of major new regulation of your sector?

MR. SMITH: I think there are two things that are worth thinking about. Microsoft was the first graduate of what I call the school of hard knocks with our antitrust experience that started in the 1990s, and I was part of the company team and read a lot of the work in the 2000s, you know, to really, to some degree, pursue a reform agenda in terms of how we were working with governments.

And, you know, if there's a single lesson that I've always taken away, you know, I've never encountered a problem that a little humility can't help us solve. You know, I think it's natural in any big organization, whether you're talking about a tech company or a government or a media enterprise, or newspaper for that matter, that, you know, maybe people could spend a little bit too much time seeing what they want to see in the mirror when they look at themselves and not enough of what other people see in them instead.

And so I think that the step forward always has to start by thinking more broadly, being more introspective, being open to criticism, and then using that to pursue some real change.

The second thing I would say is the topic that we address very directly in our book, including the chapter on social media, which we substantially revised. The truth is if you look at the history of any communications-oriented technology, it starts out with a euphoria. This is like magic. But as we saw, for example, with radio and being right about this, by the third decade of technology there is a revolt. People see the negative impacts of its ubiquitous application across society, and the time comes, frankly, when the creators of the technology need to step up and do more. They need to act with greater responsibility, and government needs to do more. And that is exactly what we are seeing. I sometimes say we will see, in the 2020s, for technology what the 1930s brought to banks. We will become a somewhat perhaps even significantly regulated part of the economy. There are many parts of the economy that are innovative and vibrant and regulated in important ways. We need to find the right path for technology to join those ranks.

MR. IGNATIUS: So, Brad Smith, I want to thank you for joining us today. Another terrific conversation. The book "Tools and Weapons." I recommend it. The new chapters take us into some very challenging issues. Brad, thank you for joining us today.

MR. SMITH: Thank you.

MR. IGNATIUS: So please join us for future programming. Thanks for being here for today’s interview. Head to WashingtonPostLive.com to register for the programs we have and find out more information about them. Thank you so much for being with us today.

[End recorded session.]