“Your code will be attacked.”
That warning, so obvious today, was a blunt wake-up call 20 years ago for many of the software developers reading the book Writing Secure Code, by Microsoft security engineering leaders Michael Howard and David LeBlanc.
Bill Gates was one. He absorbed the 477-page technical tome in one weekend and returned to Redmond ready to change how Microsoft made software — prioritizing security and reliability over new features.
“Eventually” Gates wrote, “our software should be so fundamentally secure that customers never even worry about it.”
Two decades later, that line from the Microsoft co-founder’s Trustworthy Computing memo would seem quaint if the reality weren’t so terrifying: ransomware, software supply chain attacks, privacy breaches, nation-state hacks, malware, worms, and adversarial machine learning are just a few of the looming threats.
And the security of Microsoft’s software is still falling well short of Gates’ vision. Last month, on the anniversary of the landmark memo, Microsoft patched nearly 120 holes in Windows and other products. Nine were critical. One was “wormable,” letting attacks spread between computers without human involvement.
Charlie Bell is known to love big engineering challenges. He appears to have found the perfect job, because it would be hard to imagine one bigger than this.
The former Amazon Web Services executive, whose departure for Microsoft last fall was the subject of weeks of negotiations between the Seattle-area tech giants, is now almost four months into his role as a Microsoft executive vice president, leading a new Security, Compliance, Identity, and Management organization.
Bringing together existing groups from across the company, the new organization numbers 10,000 people including existing and open positions, representing more than 5% of the tech giant’s nearly 200,000 employees.
Its primary focus will be developing and delivering security products and services, not the core security of the company’s individual products, which is the purview of security groups inside product teams.
But people inside and outside Microsoft hope Bell can spark meaningful change for the company and cybersecurity writ large, as a respected leader coming in with fresh eyes and a mandate from Microsoft CEO Satya Nadella.
“The next big challenge for our company and our industry is securing digital technology platforms, devices, and clouds in our customers’ heterogenous environments,” wrote Nadella in an internal memo announcing Bell’s position. “This is a bold ambition we are going after and is what attracted Charlie to Microsoft.”
In a LinkedIn post about his new job, Bell wrote that he was inspired to join Microsoft to “take on one of the greatest challenges of our time,” trying to take the world from “digital medievalism” to “digital civilization.”
Microsoft, he wrote, is “the only company in a position to deliver this.”
‘A lot of customer frustration’
One reason, others point out, is Microsoft’s own role in the problem.
“Microsoft is at the root of tons and tons of the issues these days. There’s a lot of customer frustration, and people saying, ‘Just fix this.’ ” said Alex Gounares, founder and CEO at Bellevue, Wash.-based security tech company Polyverse, who worked in the role of technical advisor to Gates at Microsoft from 2003 to 2006.
Gounares said he believes Microsoft already has much of the technology it needs to address many of the core challenges in cybersecurity. Back in the day, he said, Gates was a forcing function internally to bring Microsoft’s disparate efforts together in the interest of the greater whole. Bell could now play a similar role in marshaling the company’s cybersecurity initiatives.
“Charlie is well-known as a get-stuff-done kind of guy,” Gounares said. “I think it’s a really good move on Microsoft’s part to get somebody of his talent and stature to drive fundamental improvements.”
But there’s a big difference from the days of Bill Gates. The company isn’t merely trying to write secure code anymore. The security threats are much larger, and so are Microsoft’s aspirations to address them. The company wants to build a large line of business by offering security and software to protect its customers, no matter whose software or services they’re using at any given moment.
In fact, this business is already booming. As part of its record-setting earnings report last week, the company said revenue from security products in the prior 12 months surpassed $15 billion, up 45% year over year.
That’s more than 8% of Microsoft’s total revenue for that time period, and three times the annual revenue of Palo Alto Networks, the largest publicly traded standalone IT security company by market value.
This quest to delivery security across many devices, platforms and clouds is the focus of Bell’s job leading Microsoft’s new security engineering organization.
Revenue vs. responsibility
But in the larger scheme of the company, the initiative raises a natural question: How can Microsoft justify making so much money on security when it’s still routinely patching critical holes in its software?
Deutsche Bank analyst Brad Zelnick raised this issue on Microsoft’s earnings call, asking Nadella to explain “the extent to which Microsoft sees cybersecurity as its responsibility, versus it being a commercial opportunity that you can continue to monetize.”
Nadella acknowledged that one of Microsoft’s “fundamental responsibilities” is to build security into its products. The company is “going to be very, very mindful of our responsibility,” he said.
“At the same time,” he added, “we think we have a security opportunity in being able to secure the entire heterogeneous digital estate of our customers.”
“Our monetization is about really recognizing that the real world is not some homogenous Microsoft infrastructure world. It is a multi-cloud, multi-platform world,” Nadella said. “And we will definitely monetize those aspects [where] we have best-of-breed solutions and suites and offerings.”
Microsoft had more than 715,000 corporate customers using its security solutions as of its most recent quarter, and Nadella said they save 60% compared to companies that implement solutions from multiple vendors.
The company declined to make Bell available for an interview. Microsoft’s security team, in a detailed response to GeekWire’s questions, outlined the company’s wide-ranging investments in technology, tools and teams, including a pledge to boost spending to $20 billion on security protections for customers over five years.
Microsoft says it’s fighting “an asymmetric battle in unprecedented times.”
In addition to the SolarWinds software supply chain attacks that first emerged in late 2020, the company says it saw increases of 150% in ransomware and more than 600% in phishing last year, plus password attacks at a rate of 579 per second.
“The attack landscape is very sophisticated. It’s very frequent. And we have our jobs cut out for us,” said Vasu Jakkal, Microsoft corporate vice president for security, compliance, identity and privacy.
The company listed these key priorities for its security initiatives:
- Making its software, cloud services, firmware and hardware secure by design.
- Using a “zero trust” approach that defaults to minimum required access and explicitly verifies users, starting by assuming that any activity is a breach.
- Protecting customers across multiple clouds, platforms and third party apps.
- Using AI and automation to monitor and analyze threats, processing trillions of signals daily.
- Working closely with other security vendors and partners on cybersecurity.
Microsoft also has a Digital Crimes Unit with an extensive track record of identifying, pursuing and taking down botnets, ransomware rings and other criminal networks online. The company also works on election integrity.
While Microsoft is far from alone in dealing with vulnerabilities in its software, its technology has long been foundational for many businesses. The company has extended that role into a new era by making the transition to the cloud. The resurgence of the PC market has made the company all the more relevant.
Microsoft acknowledges that it’s unique in delivering both software and security products. Some competitors believe that dual role amounts to playing both sides of the fence.
“[W]ith one hand, the company ships vulnerabilities and hosts malware, and with the other, it charges to ‘protect’ users from those same vulnerabilities and threats,” wrote Ryan Kalember, a National Cyber Security Alliance board member and executive vice president with Proofpoint, which competes with Microsoft in enterprise security. “Add in the world’s most extensive incident response practice, and Microsoft is the arsonist, the fire department, and the building inspector all rolled into one.”
Another issue is Microsoft’s practice of putting advanced security solutions into its costliest enterprise licensing tiers.
“We’ve gotten to this point now where you have to pay a premium to get security features, which is honestly very unfortunate,” said Wes Miller, research analyst at the independent Directions on Microsoft research firm. “So customers who either are unwilling or unable to pay that premium for the security features get left out in the cold.”
Miller, who was working at Microsoft as a Windows program manager when Gates issued his memo, said he sees a disconnect in the company’s recent announcements touting its security revenue growth.
“The reality is, you shouldn’t be gloating about the money you’re making,” considering the larger security issues, he said. “Regardless of what’s in Windows 11, the company is not doing enough to fight ransomware. They are not.”
The company’s role in the ransomware problem was documented in a detailed post last year by Kevin Beaumont, a former Microsoft senior threat intelligence analyst. For one, Beaumont wrote, many people underestimate the burden that patching software vulnerabilities puts on IT departments.
Beaumont also cited the enterprise licensing issue.
“Basic secure usage of Microsoft’s products, which currently helps fuel a worldwide criminal network in ransomware gangs, shouldn’t have a security poverty line. That is a key element these groups are exploiting,” he wrote.
He added, “Microsoft can lead the security market and still make money by driving product change in its own offerings, and genuinely changing both the security industry and technology risk landscape of the world.”
In an interview with GeekWire last fall, Microsoft President Brad Smith said the company’s licensing approach is driven by a desire to give enterprise customers the choice to use Microsoft’s security solutions or others. That’s especially important in enterprise security, he said, given the extreme diversity of legacy IT infrastructure.
“There’s a level of complexity that we need to think through,” Smith said. “The lines will probably shift over time. … I think Charlie Bell can help us figure that out. And that will be good not just for Microsoft and our customers; it will be good for the country and the world.”
Walking to work in a safety jacket
Bell, 64, is a native of Irvine, Calif., who graduated from California State University, Fullerton. Early in his career, he worked at Boeing as a Space Shuttle flight interface engineer. He joined Amazon in 1998 when it acquired Server Technologies Group, an e-commerce software company that he founded in 1996 after leaving Oracle.
He talked about his history and focus at Amazon in this 2020 conversation at the IEEE conference on Computer Vision and Pattern Recognition.
Bell worked at Amazon for more than 23 years, including 15 as a top AWS executive. He reported to Andy Jassy, the longtime AWS CEO, before Jassy became Amazon CEO. Once considered a potential successor to Jassy at AWS, Bell took the Microsoft job after Amazon brought Adam Selipsky back from Tableau to AWS as CEO.
Longtime colleagues describe Bell as a down-to-Earth leader with a pragmatic streak. During his Amazon tenure, he could often be spotted walking from his home through the city to Amazon’s campus, wearing a bright yellow safety jacket.
Bell is the husband of Nadia Shouraboura, an entrepreneur who was previously an Amazon vice president and founder and CEO of Seattle-based robot-powered apparel startup Hointer.
A consummate engineer, Bell is also a quintessential Seattleite, the kind of person who would be as comfortable leading a multinational corporation as he might be chatting about Puget Sound’s J Pod endangered southern resident orcas, said a former AWS colleague, Brian Hall.
“He’s fascinated with problems and opportunities, and how to engineer solutions,” Hall said.
Jakkal said she and Bell bonded over a shared interest science fiction and quantum physics, and a Star Trek analogy that explains the security engineering group’s vision: giving Microsoft customers the same level of visibility into the security landscape as a captain of the Enterprise would have into deep space from the bridge.
“I’m confident he’s going to help us build that,” Jakkal said.
Microsoft executives and teams now reporting to Bell are:
- Bret Arsenault, chief information security officer; who previously reported to Scott Guthrie, executive vice president of Cloud + AI;
- Joy Chik, corporate vice president for Microsoft Identity, who reported previously to Guthrie.
- Bharat Shah, corporate vice president for cloud security, who also reported previously to Guthrie.
The language in Bell’s LinkedIn post was, in some ways, reminiscent of Gates’ memo.
“As digital services have become an integral part of our lives, we’re outstripping our ability to provide security and safety,” he wrote. “It’s constantly highlighted in the headlines we see every day: fraud, theft, ransomware attacks, public exposure of private data, and even attacks against physical infrastructure.”
He added, “This has been weighing on my mind and the best way I can think to describe it is ‘digital medievalism,’ where organizations and individuals each depend on the walls of their castles and the strength of their citizens against bad actors who can simply retreat to their own castle with the spoils of an attack.”
“We all want a world where safety is an invariant, something that is always true, and we can constantly prove we have,” he wrote. “We all want digital civilization.”
Updates: Added information on Microsoft’s Digital Crimes unit and related activities. Corrected to remove reference to Harv Bhela, who had been one of Bell’s direct reports but recently left to become NetApp’s chief product officer.