Microsoft President Brad Smith warns that U.S. is repeating a key Sept. 11 mistake in digital era

Microsoft President Brad Smith discusses his book, Tools and Weapons, at a 2019 event in Seattle. A new paperback edition includes three new chapters. (GeekWire File Photo / Kevin Lisota)

Microsoft President Brad Smith says the U.S. government appears to be repeating, in the digital realm, one of the key missteps that preceded the Sept. 11 attacks.

Tightly controlled silos of information about cyberattacks persist among U.S. government agencies, Smith writes in a new update to his book, Tools and Weapons: The Promise and the Peril of the Digital Age, originally published two years ago.

“It’s impossible to avoid the grave conclusion that the sharing of cybersecurity threat intelligence today is even more challenged than it was for terrorist threats before 9/11,” writes Smith, with co-author Carol Ann Browne, in one of three new chapters in the paperback edition of the book, released Tuesday.

One anecdote illustrates the challenge from Microsoft’s perspective:

“Repeatedly in late 2020 we found people in federal agencies asking us about information in other parts of the government, because it was easier to get it from us than directly from other federal employees. A culture of holding information tightly is so ingrained in the government that even its contracts with us forbid us from letting one part of the government know that another part has been attacked.”

That gets to the larger takeaway from the updated book: we’ve all still got a lot to learn in the digital age — Microsoft and other big tech companies included — and the lessons are hitting us faster than we ever imagined.

SolarWinds attack: Nowhere is that more evident than in the fallout from the SolarWinds attack, which is the subject of a new opening chapter of the book.

Smith details Microsoft’s response to the attack, believed to have been launched by a Russian hacking group, saying the company assigned more than 500 employees “to work full-time on every aspect of the attack” in the early days. Microsoft CEO Satya Nadella convened a daily meeting with the company’s top security experts.

Microsoft’s own investigation found evidence of malicious code on its own network, but Smith reiterates the company’s past statements that the attackers were not able to change source code, access customer data or production services, or use Microsoft’s systems to attack others.

Smith explains that the attackers “shrewdly used American data centers to help cloak the attacks,” hosting the command-and-control servers at GoDaddy and Amazon Web Services in an apparent attempt to avoid raising the suspicions of the National Security Agency, which has the authority to scan foreign but not domestic online activity.

Microsoft took control of one of the servers from GoDaddy, and security teams were able to activate a kill switch in the malware, limiting the attacks, he writes.

He also underscores the importance of more information sharing by companies about security breaches, which was a focus of a recent White House summit.

Software and the cloud: In other situations, Microsoft’s own software has been part of the problem, including an attack by a Chinese-sponsored group exploiting vulnerabilities in the company’s Exchange Server software.

Big picture, one of Smith’s proposed solutions is to move more software to the cloud, taking the responsibility for implementing patches away from individual people and companies — which he concedes isn’t a surprising position from an executive at a major cloud technology company.

“As I acknowledged to the Senate Intelligence Committee, there’s always the danger that a hammer will see everything as a nail,” he writes. “But from our perspective, these episodes clearly told us that it’s far better for most customers to modernize their technology infrastructure by migrating to the cloud and relying on the cybersecurity expertise of companies that make this part of their core competency.”

Pence’s miscalculation: Under normal circumstances, a tech company would welcome a U.S. vice president encouraging organizations to use its software for some high-profile purpose.

But Microsoft executives “virtually fell off our chairs” when they saw a letter from then-Vice President Mike Pence directing individual hospitals across the country to send daily reports to the White House using an Excel spreadsheet, Smith writes.

“It not only failed to use the right data-analytics tools,” Smith writes, “but sought to collect at a national level data that was far easier to ask the counties and states to collect, for eventual national aggregation.”

Technology in the pandemic: One new chapter focuses on the impact of COVID-19 on work and life around the globe. Smith draws insights from the aftermath of World War II to caution against believing “overly exuberant” predictions of a wholesale shift to virtual work, for example.

The reality, he says, is somewhere in between.

“When we step back and consider technology trends more broadly, it is apparent that people will have more choices about how to live their lives,” he writes. “This means that people will have the flexibility to choose among the best of both online and in-person interaction, blending different experiences to meet different needs.”
