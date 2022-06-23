

MR. IGNATIUS: Good morning, and welcome to Washington Post Live. I’m David Ignatius, a columnist at the Post. Today we're joined by Brad Smith, who's president and vice chair of Microsoft, which has just released a new report on Russian cyber warfare, actions against Ukraine and against countries around the world. We're going to talk in detail about that report.

Brad, welcome back to Washington Post Live.

MR. SMITH: Thank you, David. Good to be with you.

MR. IGNATIUS: So the report‑‑I've got a copy here‑‑is called "Defending Ukraine: Early Lessons from the Cyber War." In part, it reads like a spy novel, and I say that as a spy novelist. It's pretty interesting stuff.

Brad, I want to ask you to begin our conversation this morning, the way you begin in your introduction to the book, by telling our viewers what happened the night before the war started on February 23 when Microsoft noticed some unusual activity. Explain what you saw and what you did about it.

MR. SMITH: Well, I think, in part, David, the answer to that question explains why a tech company is writing a report like this in the first place.

You know, when governments send code into battle, they literally move around the world at the speed of light, and they're detected, in some cases, halfway around the world. And, indeed, the Microsoft Threat Intelligence Center, which monitors all of our signals coming into all of our data centers, coming from Windows and other devices, on the 23rd of February really lit up with evidence of new offensive attacks.

It was a weapon, a specific weapon. We gave it a name, called "FoxBlade." It was designed to penetrate a network of, say, a ministry in, in fact, a number of different parts of the Ukrainian government. It was malware that was then designed to spread to other computers, and it's what we call "wiper software." We call it wiper software because it's architected to wipe clean the hard disks of every computer it touches, and by "wiping clean," it really means destroy all the data, destroy the applications, render that computer, in effect, useless, except as a paperweight, so to speak.

And so our team then responded. What we do when we see these kinds of things is we develop what we call a "signature," something that is able to identify that malware on other computers. Within three hours, we distributed that signature to devices that were connected to our services across Ukraine and in other countries to thwart and really counter that malware to identify it and stop it, and all of that, in so many ways, began to play out before the first cruise missile was launched.

MR. IGNATIUS: One striking thing that I discovered this week in my own reporting is that on that night of February 23, your information was more current than anything the U.S. government and the White House had. It was Microsoft, through its endpoint detection abilities, that was able to see this. That's a striking sign of the times.

I want to ask you about working with the government but ask you first to continue your story about what happened in Ukraine. You say in this report that Russian activity has three prongs, essentially: attacks directly on Ukrainian networks; attacks on broader networks outside Ukraine; and then, finally, influence operations. We'll talk about all three, but start with Ukraine.

Beyond the initial FoxBlade attack, what did you see, and how did you help Ukraine to deal with that threat?

MR. SMITH: What we saw was really a succession of waves of attacks using this type of destructive malware, eight different families of malware, if you will, all approaching Ukraine the same way, all designed to destroy hard disks in Ukraine.

Importantly and interestingly, this was all architected from a software perspective to spread across a single network domain, say, the WashingtonPost.com, but not jump into other domains, and that, I think, is of real significance. It's different from the NotPetya attack that Russia launched against Ukraine in 2017. That ended up moving around the world, and I think you could infer quite possibly that the Russians decided they wanted to confine their attacks to Ukraine itself so the conflict wouldn't spread.

As time went on, we and others deployed these kinds of defensive technologies to thwart this. We've seen the Russians, in some respects, alter their tactics or adapt their tactics, especially to a longer conventional war.

So, for example, we've seen them combine cyberattacks and conventional weapons. They, on one day in March, sought to enter and take down the network domain for a nuclear power plant, and then the next day, the troops sought and successfully did take over that nuclear power plant.

We expanded the impact of our endpoint protection across Ukraine. We worked with the Ukrainian government. I think it was sort of a classic wartime innovation. One of the things we saw the Russians do was take advantage of certain settings that could be changed if a network administrator for the Ukrainian government would, say, sit down at a computer or access it and then turn on certain additional protections. The problem with that is it would have been laborious, especially in the chaos of war, for IT administrators across Ukraine to do that. So the Ukrainian government passed two laws authorizing Microsoft to do all of that remotely, and by doing that remotely, I think we were able to substantially strengthen Ukraine's defenses.

Other companies have done good and even critical work as well, and I think you've really seen the tech sector rally in a variety of similar ways to add to the protection of Ukraine.

MR. IGNATIUS: Brad, I have two questions I need to ask you. First, did you ever imagine that as president of Microsoft, you'd be involved in these kinds of, essentially, war consulting operations; and second, how do you decide which countries Microsoft is going to help that are facing attack? I assume that if Russia was being attacked by Ukraine, you wouldn't have a similar response, but tell us.

MR. SMITH: Well, first of all, David, to answer your question, clearly, if this were a decade ago, no, I would not have imagined this kind of role for us or any other tech company.

I do think that over the last few years, we've realized that especially our role as a company is fundamentally to provide the digital infrastructure that every person and company and country really relies on for its economy and for its national security. I think one of the things that helped us in recent months is we started thinking about that responsibility and what it meant in a more robust way a few years ago. So we developed a set of principles. We came together with now more than 150 companies from 24 countries around the world. It's called the "Tech Accord," and the first principle is that we have a responsibility to defend countries. We won't help governments attack others, especially innocent civilians, but we do have this defensive responsibility.

Now, we had not really thought about that in the precise type of wartime conditions that we face today, and I think our responsibility is not a difficult one to address when we're talking about Ukraine. We're talking about a democratically elected country that is being unjustly invaded‑‑I would say unlawfully invaded‑‑by Russia acting as a hostile aggressor.

I will say at the same time, we recognize that if you take the principles of the Geneva Convention, principles that call for the protection of all civilians on both sides, on every side in a time of war, we've been consistent in also saying that we're not going to take away our downloads, for example, that are publicly available across the internet for hospitals in Russia or medical clinics and the like. And so I think we're all in new territory together, but for us, I think it is grounded fundamentally in the role we play for the United States, for the democracies of the world, for NATO, but also as a defensive protector and especially for innocent civilians around the world.

MR. IGNATIUS: One striking thing, Brad, is that the great Russian cyber offensive that we all feared in the months before the war hasn't really been successful, and it's not for the lack of Russia trying. In an earlier Microsoft report published in April, you noted more than 40 Russian attacks against Ukrainian targets, but they haven't been successful in shutting Ukraine down. Explain that resilience. How is it that Ukraine working with your company and other companies has been effective in fending off this onslaught?

MR. SMITH: Well, first, I think it's a great tribute to the government of Ukraine, the people of Ukraine, all of the people who work in the tech sector, many of whom work for the government itself in Ukraine. I think they've scrambled, and they have exceeded what most people would have expected if we were having this conversation, say, in January or early February.

I do think it is a testament to the state of digital defenses today and the advances that have been made over the past five years, especially in two areas. The first is threat intelligence, this ability to detect these kinds of attacks more quickly and effectively, certainly not exhaustively or with 100 percent accuracy. That's just not possible yet today, but using artificial intelligence, in part, we're able to detect things much more quickly. And then the second is this endpoint protection, this notion of distributing code that, in effect, will intercept these kinds of attacks.

One of the analogies we use in the report we published yesterday, an analogy that makes sense to me, is really to think back to the Battle of Britain in 1940. The Germans sent a military technological innovation, the bomber, you know, something that didn't exist with that capacity in World War I, 25 years earlier. They sent bombers to attack England.

The United Kingdom fundamentally had two defensive responses, and they both reflected technological innovations, more advanced fighters, the British Spitfire and radar. Radar was perhaps the most important innovation. It detected the bombers, and it directed the fighters to intercept them.

Bombs got dropped on London, on other parts of England. That was a tactical success for the German air force, but strategically, the defense helped. The Germans were unable to establish air supremacy and invade England.

Now think about 2022. The Russians do have attacks that get through. They do disable some computers. They do take down, say, an electrical grid in a defined area for a limited period of time, but from a broader strategic perspective in terms of taking down and disrupting and stopping the Ukrainian government from working or if the goal is to disable the digital infrastructure of Ukraine working, at a strategic level, the defenses so far have held.

I would just hasten to add, that's a snapshot. This is a motion picture, if you will. It's an ongoing war. Undoubtedly, there will be a need for innovation on the defensive side because we have to assume that there will be innovation and offensive capabilities and tactics as well.

MR. IGNATIUS: So, Brad, we know that Russia has been attacking Ukraine. One of the striking numbers in this new report that you just have published, you note that Microsoft has identified Russian operations against 128 organizations in 42 different countries with, your engineers note, a 29 percent success rate. That sounds high, but when you read into the story, it turns out that the successes tend to be in certain kinds of networks on premises. Explain the importance of getting computing resources out of the premises and into the cloud in terms of protection.

MR. SMITH: Well, the reality is when companies move from what is called an "on‑premise server," say a server that they own, that they have to maintain, that is in, say, a closet, a server room, maybe a government data center, then they can tap into technology from, say, software companies, tech companies, but they're responsible for every upgrade, every update, every aspect of maintenance.

When you move to the cloud, whether it's with Microsoft or somebody else, then fundamentally, you're relying on a tech company whose core competency is to do all of the things I've just described, and not only do we then take on the responsibility to keep everything up to date with the most modern technology, with the constant updating of the hardware, we also have more visibility because it's in our data center. So we're able to identify threats more quickly. We're able to access the network logs and identify others who might be attacked using the same tactics. We're able to do just a more effective job, in our view, and the same is true of others in the industry when customers move to the cloud.

Now, interestingly, if you look in the United States, across Europe, in Ukraine, or around the world, there's a phenomenon that one basically sees everywhere. The private sector has been moving more quickly than governments to the cloud, and that's true even in the United States with the U.S. government. It's even more true where I think the progress has been more uneven in Europe. So, frankly, we see more governments still running through what we call these "on‑premise servers" than in the cloud, and one of the concerns we have when it comes to cybersecurity protection or just opportunities to put technology to work is that if governments would move to the cloud more quickly, they would be more secure. I think they would frankly be able to be more effective in using technology to deliver services to their citizens.

MR. IGNATIUS: I said early in our conversation that this report reads like a spy novel, and some of the threat vectors you've given real James Bond names to. Strontium, Iridium, Nobelium, Actinium, and Krypton are some of the signatures of these threats, as you've termed them, but interestingly, the ones I mentioned are part of six that came directly from Russia's three most important intelligence agencies, the GRU, the SVR, and the FSB.

Obviously, with this level of intelligence service activity, this is something directed by the Kremlin. There's no doubt in your mind about that, is there?

MR. SMITH: Well, first, I would say, David, anybody who did better in high school chemistry than me would recognize those names and say, oh, they all came from the periodic table, because that's what our threat intelligence team does. And the reason that we have assigned those names is because we have identified a series of attacks coming from a specific and discrete group, and yes, you are correct. We have concluded that those specific groups are connected with the Russian government and with different parts of the Russian government, and one of the points that we make in the report is we really see a coordinated, strategic effort across the government to deploy these efforts together.

Like any organization, they may be better coordinated on some days than others. That's true everywhere. But the Russian government is extraordinarily sophisticated in terms of a variety of cyber capabilities, and so we do see these destructive attacks in Ukraine. We see these network penetration and espionage efforts in 42 countries, as you mentioned, and we see cyber influence operations. And we see them conducted by the same parts of the government, albeit with different organizations having different roles and responsibilities.

MR. IGNATIUS: One of the lessons of this war, so far to me, certainly, is that we overestimated Russia's ability to conduct what the military calls "combined arms operations," complex, interacting operations, and from what some people have told me, that's true of their cyber operations, that the Ukrainians can scramble and respond and the Russians don't have the follow‑through that you might expect to exploit initial openings. Would you make that same judgment? And, overall, give us your assessment of Russian cyber capabilities as you've watched them so closely during these months.

MR. SMITH: Well, the first observation I would offer‑‑and, obviously, I offer it as someone who doesn't come from the national security establishment or the military, so I don't claim to have the same level of expertise in this field. But just step back and I would just say it's a matter of common sense that when a war begins, what you're really doing is comparing the offensive capabilities of one side, in this case, with the defensive capabilities of another. So perhaps we should ask two questions: Did we overestimate the offensive capabilities of the Russians, or did we all underestimate the defensive capabilities of Ukraine? Or perhaps it was some of both.

I'm not convinced myself that we necessarily overestimated the Russian cyber capabilities. I think those cyber capabilities remain very sophisticated. You could ask whether they used every weapon in their arsenal. The answer is no. They did not use wormable software like they did in 2017 because I think one would fairly conclude they wanted to confine their attacks to Ukraine itself, just as they have not used every conventional or nuclear weapon, thank goodness, in their arsenal.

But I think maybe more than that, we underestimated both the defensive state of technology today and the defensive technology capabilities of Ukraine, and then we should recognize, once again, this is a moment in time. This will constantly be changing. So what may have appeared true in March could be different in June. We should definitely assume that what is the case in June may not be the case in September. So this is going to require constant vigilance.

MR. IGNATIUS: One of the striking things about the story you tell in the new report is the way in which Microsoft and other leading technology companies have worked closely with the U.S. government. I'll just quote something that you said in your April report on the war in Ukraine, quote, "We have kept the U.S. government advised of relevant information and have established communications with NATO and EU officials to communicate any evidence of threat actor activity spreading beyond Ukraine." In other words, there really is a kind of government‑public company interaction here, cooperation, which would have been hard to imagine in the years immediately after the Snowden revelations in 2013 when tech companies really pulled back from the government. That era really is over. We are now in an era of greater willingness to cooperate with the government, including the intelligence community, if I'm not mistaken.

MR. SMITH: I think it's a good point, and I would qualify it a bit, David, because I think that there were lessons learned from the Snowden revelations that have been internalized and applied. They certainly had been internalized and applied at companies like Microsoft and Google and Meta and others, and I think in my experience, they're internalized and applied at the government most days as well, which is we need to protect the privacy of individuals. We need to have clear rules and safeguards in place so that one government isn't trying to use its process to access the data that belongs to, say, another allied or democratic government. So I wouldn't want to leave anyone with the impression that suddenly all of those critical lessons have been cast aside. I think they're just as important in 2022 as they were, say, in 2013.

But, at the same time, the reality is that cyber is, as people say, "the fourth plane of war." There's land. There's sea. There's air. Now there's cyberspace. But cyberspace is, first of all, a human creation. It's not an element of nature, and it's a human creation that by definition is owned, it's operated, and it's protected, in part, by the private sector, in part, by tech companies. And so we have a role that I will say is not only indispensable. It's unavoidable.

You know, the first response of a business when a war breaks out is typically to leave the battle and get as far away as possible, and yet if we're going to do what we strive to do in our mission as a company, which is to provide the infrastructure on which everyone relies, it needs to protect countries in times of war and in times of peace.

And so, as we say in the report, in effect, this is not a war just between Russia and Ukraine. It is a war between Russia and Ukraine that involves an alliance of countries that are supporting Ukraine and an alliance of tech companies and I would say NGOs. The Cyber Peace Institute in Geneva last week issued another important report, and I think that is the present. That's probably as far as I can see in the future, what we'll have to really internalize as part of the rest of our lives and then fulfill this role very, very well.

MR. IGNATIUS: Brad, you mentioned getting out of the line of fire and how difficult that is in this digital context, but you have operations still in Russia. You've said you're scaling them down, but you still have some people there. I'm worried about whether you're taking any special efforts to protect them.

You also have pretty extensive operations in China, and I wonder, since China is a country that seeks to control using tools of technology, its population, whether you're having second thoughts about your level of involvement there.

MR. SMITH: Well, first, when it comes to Russia, we, like everyone else, are basically seeing our business narrow and narrow and narrow and narrow until, eventually, there's barely or there may be nothing there. We do want to take care of the people who work for our company, and we're trying to be mindful of how to provide them with the kind of support I think they need and deserve because they're not the ones who started this war.

But, at the same time, there's a clear path forward. They have to follow Russian law, and they're not the ones who are making the decisions that we're talking about in our report yesterday. Those were made by people outside of Russia. They were made by people in the United States.

When we think about China, we have to think every day about similar sophisticated, complicated, and sometimes even challenging questions. There's critical work that is being done, including for American multinationals that operate in China. We want American companies that do business in China to be able to run on our cloud services. We don't want to force them to go run on a Chinese cloud service instead.

There's important humanitarian work. There's other work that is done in China, and we don't want to see those humanitarian principles sacrificed as we work through all of this, but there are many limits. There are very substantial differences, and that's, frankly, just part of the complexity of the world that we're having to manage through in 2022, a world that feels a lot more complicated than it did a decade ago.

MR. IGNATIUS: So, Brad, in the remaining time we have‑‑it's only a couple of minutes‑‑I want to ask you about the final strand of your report, which is disinformation, where we began. Just tell our audience briefly about what Advanced Persistent Manipulator teams are in Russia, what they do, and what you're trying to do to stop them.

MR. SMITH: Well, the KGB and the Soviet Union really mastered, in many ways, the art of what we're calling "influence operations." We point in the report to just one of innumerable examples where they planted a story in an Indian newspaper claiming that the U.S. was exporting AIDS in the 1980s to India via Pakistan. Well, digital technology has made that much more powerful as a threat, including a threat to the United States.

So today we're seeing cyber influence operations. We're seeing teams in the Russian government operate in this way. We highlight in this report the increase that we can now use technology and AI and data to measure an 82 percent increase in the spread of Russian propaganda through their sites in the month after this war began.

We document the efforts that we see the Russian government having pursued in, say, New Zealand and Canada to use false narratives, to address COVID and vaccines, and really, I think, contribute to what made it more difficult for those democratic governments to sustain their policies.

The bottom line here is just as we become more sophisticated in addressing other forms of cyberthreats, we need to address with urgency, perhaps even greater urgency, this new cyberthreat as well because, in many ways, it's really directed at the core of our democracy.

MR. IGNATIUS: So this has been an eye‑opening report. I would urge our viewers to see if they can find a copy of "Defending Ukraine: Early Lessons from the Cyber War," which has all the information that Brad Smith has been sharing with us and a lot more and is a useful baseline document.

Brad, thank you so much for coming back, joining us on Washington Post Live for such an interesting discussion of this war that is a focus for the whole world. Thank you.

MR. SMITH: Well, thank you, David, and it's easy to find. It's on the internet. You can look for it through a search. You can find it on Google. You can find it on Bing from Microsoft as well.

[Laughter]

MR. IGNATIUS: So thanks again to Brad Smith. Thanks to all of you for joining us. To look at the programming we’ve got coming up on Washington Post Live, go to our website, WashingtonPostLive.com, to register for the programs that interest you. We’ll be back soon. Thanks for joining us this morning.

[End recorded session]

