B (3:51)

That's amazing. I love, and you and I, I think, have talked about this. I have a really good friend who's a patent attorney and with all due respect to patent attorneys, when he starts talking, my eyes do glaze over a little. At a certain point in time I'm like, okay, good, good. I'm glad there are professionals that actually really value being in that field because we need them. Right.

A (4:12)

They're super smart. They're the smartest people I know. I value them so much. But it's a very solitary pursuit for most folks. And it was just, it was not for me.

B (4:24)

Yeah, exactly. And that respect, respect for them, it wouldn't have been for me either. So as you look back over your career, the cyber industry has certainly evolved dramatically. I would love your take on the transformation since it's beginning. What has changed the most? What also do you think has persisted?

A (4:42)

You know, I think one of the things that's changed the most is just how fast we are moving. When I first started our cases, particularly in the digital crimes space, and even with nation state actors, our cases were, and the infrastructure were located in the United States, we would do a disruption action and we would do one case and we would disrupt the actor and it would be in the US we would seize the infrastructure and we would do a full disruption and we would be done and we would identify all the victims and then we would move on to the next case. And that is just not the way it works. Now we have these. The scope and the scale of the networks is much bigger. The disruptions, we call them advanced persistence disruptions. Now there's no way that we are disrupting these networks in totality. We have to think completely differently about how we are working. And this is true not just from a disruption perspective, but it's also true from a network protection perspective. We, we cannot possibly think in the same way that we used to because of the scope and the scale that we have. So I just think we have to be completely different than we, we used to be because of that scope and scale. And so I think that's kind of the difference. What's the same, the same is, is the human element. And I say that from two aspects. One is we still have people involved in cybersecurity. And what I mean by that is social engineering is still one of the biggest problems, one of the biggest ways that cyber criminals and nation state actors get into systems. We still have problems with people clicking on phishing links and they still use that as one of the biggest attack vectors. And human element is still incredibly necessary in our workforce and we still have to make sure that we have the right skills, the right people in place and that we take care of our workforce.

B (7:09)

I think that's exactly right. The global scale of attacks is something that we're certainly seeing increasing, but there always will be a human element in cybersecurity. And we talk a lot about nation state, but cybercrime is actually a higher percentage type attacks and that's very human network oriented and mostly, as you know, for monetary gain. Which brings me to your team generates and I want to give you full credit for this because folks don't always know where it comes from. But your team works very hard to publish the Microsoft Digital Defense Report. We just published the sixth annual edition and this is really a cornerstone for the industry people wait for, for the security thought leadership and the statistics and the metrics and just our overall view of the landscape. Why do you think it's so important for Microsoft to publish this report every year? And what do we hope that the audiences will take away from it?

A (8:07)

Yes, you know, and this, as you mentioned, it's the sixth report. When you do five reports, you're like, this is great. We're so excited to do our fifth report. When you get to the sixth report, you have to actually start to reflect on why are we doing this. Because it's your number six is like, okay, should we really keep going here? And I will tell you, we were really reflective this time on what is the reason that we are doing this report, why is it necessary? And I think for this report we really felt like as AI is advancing, it is more important than ever that people understand that the basics for hardening your system and for being resilient are more important than they have ever been because of the advances that we are seeing. You must take all necessary steps right now. And we have been on such an incredible journey and we are so fortunate as a company to have the investment that we do both really at the corporate level. Our SLT is directly involved in cybersecurity. Really, frankly, on a daily basis. Our board is directly engaged in our security. And so we have the ability to share all of the work we've done over the last several years. And so we come from a. A privileged position. And I think we sat back and thought we need to share all of our learnings. We need to make certain that we kind of distill this into a usable format for everyone because it is more important than it ever has been that everyone be prepared this year. And so I think the top 10 recommendations from the the report are just essential this year. And we tried to streamline it in the past. We've put lots of different information. We've been really creative with the report. I think this year you'll see the report's not that creative and that's purposeful. It is very streamlined, it's very targeted at being active. What can you actively do? What can you take from the report and really use the recommendations? And so my hope for this MDDR is that everyone will take the report, they will use it, and a year from now it'll be like a checklist and I will talk to everyone and they will have done the recommendations, they will use it like a roadmap. And then when we check in again that the data from the report will have changed. So I'm hoping that a year from now we actually see differences in the data and that we see changes and that actually everyone does talk to people at the board level, that we do do have people actively working to defend their perimeter, that we really have people prepare for the regulatory changes that are coming and that really we have the basics done because of the advances that we are seeing in AI.

B (11:29)

That's really comprehensive. Thank you seriously for being so specific in the answer. And I want to keep going for a minute. I want to talk about the landscape from the perspective of international collaboration, Cyber from a practical operational partnership standpoint. Can you give us your point of view on what international collaboration is and why it is so important?

A (11:51)

Yes, I mean, I think there's so many ways that it's so important. But I think I'll start with an example or a few examples from the Digital Crimes Unit. So for the listeners that don't know, Microsoft's Digital Crimes Unit has been around for more than a decade. And the Digital Crimes Unit actually proactively brings cases to seize criminal infrastructure. So to basically take the servers to take the domains in order to identify victims. But they can't do everything and they can't do it alone. And so they oftentimes partner with law enforcement around the world. And so it's one of the most important things that we do. And so most recently they partnered with a Japan cybercrime control center and with the Indian federal law enforcement. And they were able to disrupt a widespread tech support scam that originated from Indian call centers. And this one is really important because it targets older individuals in Japan. And there's nothing worse, I think, than going after the most vulnerable populations. Where we had the generative AI was used to impersonate Microsoft and mass produce malicious popups. And they specifically profiled older victims who would be more susceptible to this. And it translated the content into Japanese. And really we're seeing this happen more often where it used to be limited to English language, we're seeing it in other languages, we're seeing the mass generation of this content. And I think the digital crimes unit looking for creative ways to partner with law enforcement and to look for ways to protect the most vulnerable is incredibly important. So in May of this year there were six arrests which we can't do on our own. The shutdown of two illegal call centers and the takedown of a fraud center and the repatriation of $1.3 million which can be given back to victims. So with statistics like that and those partnerships, I think that's a great example of how we can help to protect those victims and those cross border operations.

B (14:21)

So that's great. Particularly the ability to recapture funds and the ability to have this kind of impact with holding people accountable. And it's evident that private sector like Microsoft is playing a really meaningful role. But what more do you think that private sector, not just Microsoft, but what more do you think private sector in general can do to help close the gaps in international cybersecurity collaboration?

A (14:46)

Yeah, I mean, I think private sector is so important and not just Microsoft, as you say. So we work with private sector in many different ways and one of the best ways to do that is with collective groups. So like the HEALTHCARE isac. And we worked recently with the Healthcare ISAC to dismantle a phishing platform. It has an interesting name. They called it Raccoon O365. It is a phishing platform. It's used to facilitate all manner of cybercrime. We worked with the HEALTHCARE ISAC because there were lots of different hospitals that were victimized and we seized the malicious infrastructure. In addition to the HEALTHCARE isac, we also cooperated with cloudflare. Cloudflare Flare was hosting some of that malicious infrastructure. And as soon as they were notified that they had that malicious infrastructure, they immediately cooperated with us to help seize that infrastructure as well as Chain analysis, because chain analysis knew that they were able to help us understand the fact that funding mechanisms, one of the best things that we can do is identify the funding that these cyber criminals have, going after the money and so working with chainalysis to find that money and to help identify it for law enforcement as well. So I think you're right, Ann. Anytime we can cooperate with other private sector companies in the digital crimes space. So I think we are always looking for. And so I'll just kind of. Actually this is like a advertisement for me. If you are a private sector company and you are looking to partner in any way with the digital crimes unit, we are always looking for global partners.

B (16:34)

We will definitely, as we do the promotion for the episode, Amy, we will include that in our LinkedIn and social posts, etc. Might as well, right?

A (16:43)

That's right. More partners, the better.

B (16:46)

So can you talk about cyber diplomacy? I don't think that a lot of our listeners are that familiar with that term. I know your team is heavily engaged. What role does the private sector play in the term cyber diplomacy? And what does cyber diplomacy actually mean?

A (17:03)

Yeah, so it's interesting. I don't think we spend enough time talking about cyber diplomacy and I think it's incredibly important in this digital age. As nations operate in the digital space and as we see nation state actors increasingly using the digital space both for, I think espionage and potentially for pre positioning in the event of a kinetic war, as we saw in Ukraine, we need to think about what kind of rules and norms that we should have because we have to make sure that we have a stable and secure operating system. The private sector holds the vast amount of critical infrastructure. And so we need to make sure that we are preventing conflict online in the same way that you would use traditional diplomacy to prevent conflict on land. And so we want to try to work, and this is, I think relatively unusual for the private sector to start to engage in talking about how do we agree to make sure that we are not attacking critical infrastructure, how do we make sure that we are protecting things in peacetime and how do we build that trust among countries and bring nations together to strengthen their cyber defenses? Because we hold so much of that critical infrastructure. And I think the importance of setting those norms and the reason why it is critical, why we must have norms, is because where there is an absence of norms, you end up with negative behavior. We do not want to have negative norms. Where you have a permissive environment, it does end up kind of creating a place where we have bad behavior and no one wants that. We all want to make sure we have create a good place because that creates a trustful environment and that means we can all be in a digital space and a place where we trust. And so we've worked, I think a lot to create good initiatives in this space. So initiatives like the Paris Call and really working in the UN and places where you don't think the private sector will show up. And we are not the only private sector to do this. So Amazon, Google, others are in the same places and largely for the same reasons. I think we'll continue to see Microsoft in these spaces as we work to try to make sure we secure critical infrastructure and that we kind of create that trustful environment for individual users, for countries. And as we continue to kind of grow globally in this area, that's super clear.

B (20:00)

I think that everyone will both understand what cyber diplomacy is, but also why it's necessary and the role that private sector must play, play in. Also ties it a little bit to the other question I wanted to ask you, which is about regulation. Regulatory expectations are shifting fast. We're seeing a, I don't know if it's a rapid increase, but we're certainly seeing a lot of activity, particularly in the EU but also in other places globally. I want to unpack it for a minute. We've heard from customers that vast regulations are complex, they're not harmonized. We talk a lot about regulatory harmonization. Can you just help contextualize today's environment? What does the complexity look like? What are you thinking about and how are we helping customers?

A (20:49)

This one, you know, it's kind of a mess out there. Like, I don't know how to describe it any other way. And I always feel, I feel terrible for customers because we're really, we're big and we have a lot of resources and, and we can work hard and we can comply. We've long in cyber been a standards based compliance regime and that's not where we are anymore. We are, we are moving to a regulatory based compliance regime and that's a big change for us. And so looking across all the, you know, hundred plus regulations that we either have in place now or will be in place in the next three to five years. And how do we harmonize those regulations? Because they are not harmonized right now and you're navigating overlapping and sometimes conflicting requirements. So how do you create the appropriate high watermark for compliance? What do you do in order to help customers? And it is really, really challenging. And I think it's challenging in three ways. And this I think is really difficult for just about everyone. The first is the volume and the velocity of new regulation.

B (22:23)

Right.

A (22:23)

They're emerging faster than ever and there's shorter implementation time. The second is, is that they're just fragmented. Every region defines critical infrastructure differently. There's a unique set of reporting windows, they use different security baselines. And the last is an accountability shift. So regulators are moving from kind of check the box compliance to personal accountability for executives and for boards. And this is, means that the stakes are different for your governance and your transparency. And this is one of the reasons why in addition to the, I said the mddr, it was really important to get your house in order from a governance perspective and from a threat perspective because of the age of AI. But it's also important to, from a regulatory perspective. And I think we talk a little bit about that in the report as well. And so for customers and for us at Microsoft, it really means that you have to build compliance into the fabric of your operations. And so it's about how do you harmonize your controls, how do you automate your reporting, how do you engage early with regulators to practically shape implementation and how do you take a risk based approach? And it's challenging. There's nothing I can say differently. It's just very difficult. And I sit in a position, like I said in the beginning of privilege, we are very big. I have incredibly talented people across the company, incredibly talented people legal on the legal team, incredibly talented people on the policy team, incredibly talented compliance managers, incredibly talented engineers to implement this work. We have a fantastic formalized governance structure with our CISO, our deputy CISOs. We have a formal relationship with our board and with our corporate slt. And still it is going to be challenging for us to implement these regulations.

B (24:40)

I think that's right. And I think that our push, and I'm not going to spend too much more time on it here, but our push towards regulatory harmonization is something that a lot of companies have gotten behind because obviously there's a need for some regulation. But if every government around the world is asking corporations that work globally to adapt to every regulation, you're going to have a tremendous amount of conflicts. Just makes your job harder.

A (25:08)

Yeah, so many conflicts. And so that's why I said how do we find that kind of high water mark and how do we engage early with regulators to try to make sure that they understand what we are doing and that they are able to accept where we are going and they understand the technology that's really the Education piece I think is incredibly important as well. And we've been doing work as part of the Cyber Resilience Working Group in Europe to do just that. And I think we'll continue doing that work around the world as well.

B (25:46)

Well, with that, let's just talk a little bit about you, your role, your team at Microsoft. I work, I have the pleasure, I would say, of working with your team. I find your team to be very pragmatic. They give excellent advice, they separate for me what is business versus legal decision. Even if they may have some input on the business decision, they're really clear this is your decision. And to me that's a great partnership. What from your perspective does the partnership look like between legal and cybersecurity teams and what characteristics demonstrate a well functioning partnership between the teams?

A (26:20)

Yeah, that's such a great question. You know, it is such a pleasure to work with you and with the rest of the, the deputy CISOs and the engineering organization across Microsoft. One of the things I think is the most important and I think that the team does well is listening and understanding the technology. It is impossible to give good advice if you do not spend the time to understand the facts. And I think the team just, we look for people who enjoy the technology, the work and really learning what's going on on a day to day basis. Everybody here just loves the kind of understanding the underlying engineering. They love understanding the threat actors and what the threat actors are doing. They love understanding how we're working to improve our systems. They love understanding how the network works across Microsoft. Like we really are a bunch of technology nerds at heart over in this, in this cyber division. And I think that's part of what it is. And the connection between the technology and the law. Law gets people excited around here. And I think that that's one of the things that's great. The other part is we all like each other a lot. I mean, I think there's a real kind of friendship and camaraderie amongst all of us that work together, which is good because we spend a lot of time together. And as you know, Anne, there's a lot of work to be done and there's a lot of long hours and a lot of travel around the world. And so I think it's important that we, we all get along well and even when we don't get along well, we make up easily. So that's good too.

B (28:28)

Well, yeah, it's healthy conflict. Right. We may disagree, but everybody is very respectful in saying, look, I don't agree with this perspective, we also. I'll speak for myself, and I'm pretty sure I'm speaking for my peers. We know we're not lawyers, so we're smart enough to know when we lead true legal advice and when to bring our lawyers in.

A (28:46)

And I think we're smart enough to know when we're like, we have no idea what's going on technically anymore. You've lost us completely.

B (28:53)

Yeah. I would love to hear the personal reflections that inspire our listeners. And I think I want to know from you what is the best career advice you've ever received and what advice would you give younger in career or older or career changing? Anyone who's aspiring to be in cybersecurity?

A (29:14)

Yeah, I would say any opportunity that you are given, take it. Every time someone has asked me if I want to do something, and I mean this big and small, I have said yes unless there was an actual reason to say no. So every training, someone has offered me every job, even if it didn't seem like it was something that I necessarily wanted to do or thought was the right, was kind of a linear path. I have said yes to. I spent 18 months working in privacy compliance in the run up to the gdpr. Anyone who knows me knows that I did not know anything about privacy. And I'm not the ideal compliance lawyer either. And so I probably had no business being in privacy compliance in the most important 18 months of privacy and compliance. But I was asked if I wanted to do the job and I said yes. And I have never learned more, more about Microsoft's engineering business, about privacy. And I regret not a single day of that job. And I'm so glad I said yes. And I've said yes to just about every single opportunity that someone has offered me unless I absolutely had to say no. And I've never, ever regretted saying yes. And so that's what I would say to anyone who's young in career. You'll never have the chance again because as you get older, you get, there's more reasons you have to say no. You get more bogged down with obligations. And so when you're young, you, you're, you're freer to say more yeses. So take them all and say yes to everything.

B (31:22)

I, I couldn't agree more. There's actually a. Can't remember the song now. It's a, there's a great country song that describes it. But as you get older, you have more mortgages and kids in college and car payments and all of the other obligations in your life. That keep you from taking as many risks?

A (31:39)

Yeah, absolutely. So do it all. All the yeses,

B (31:45)

Amy. I close every afternoon Cyber Tea with optimism. I call myself a cyber optimist because I know for everything that makes the headlines, there's thousands of things we have blocked, detected a block. With that in mind, considering everything we've even talked about today, I'd love to hear what you. You were optimistic about when it comes to the future of cybersecurity.

A (32:05)

You know, I am so optimistic for two reasons. One, I am so optimistic because of the people that I work with every single day. That the talent that we have here and that I see in my travels around the world, it just makes me incredibly optimistic. And I am so optimistic because I see that talent being used with the innovation with the age of AI. It is just incredible. The combination of those two things, I just think makes me incredibly optimistic, and I am so. We might have a lot of regulation that seems like it's bogging us down. Our MDDR might show you lots of different threat actors, and we may have lots of different cyber criminals that we're going after in the digital crimes unit. And none of that changes the fact that the combination of the talent and the innovation I see in the AI space makes me incredibly optimistic.

B (33:15)

That's fantastic. It's wonderful to hear. I really appreciate you joining us today, Amy. You always have such great advice. You're wonderful to talk to, and I appreciate. I know how busy you are, so I appreciate you making the time.

A (33:28)

This was great, Anne. Thank you so much. I love being here, and many thanks

B (33:33)

to our audience for tuning in. Join us next time on Afternoon Cyber Tea. So sitting down with Amy Hogan Bernie was really was enjoyable. She has such a wealth of knowledge. She's incredibly influential in cybersecurity, and she brings so much perspective to the conversation. I invited her to the podcast. I wanted to hear her perspective. It's a very unique perspective, and I know our listeners are going to really enjoy it.