Risky Bulletin: Srsly Risky Biz
Episode: "Microsoft forgoes its secure future"
Date: February 12, 2026
Host: Amberly Jack
Guest: Tom Urian (Policy and Intelligence Editor)
Episode Overview
In this episode, Amberly Jack and Tom Urian break down key cybersecurity developments featured in the latest Seriously Risky Biz newsletter. Most notably, they unpack Microsoft’s shifting priorities with the departure of security head Charlie Bell, discuss China's increasingly overt preparations for disruptive cyberattacks in the region, and analyze recent use cases of cyber operations within conventional military strategies. The conversation spotlights how organizations and nation-states are balancing (or failing to balance) security imperatives against business or strategic drivers, with memorable insights and candid commentary from both hosts.
Key Discussion Points and Insights
1. Microsoft Security: A Cycle of Neglect and Response
Departure of Charlie Bell and Implications
- Charlie Bell, brought in from AWS to bolster Microsoft’s security posture, is stepping aside; Hayet Galo will become the new Executive VP of Security.
- Tom observes that Bell’s tenure demonstrates Microsoft only prioritizes security in response to major incidents or public criticism, not as an embedded, continuous value.
Historic Parallels and the Gates Memo
- Reference to Bill Gates’s 2002 memo, a pivotal “security above all else” moment, showing Microsoft can improve security—but only under pressure.
- Tom notes Bell “saying all the right words” but lacking executive backing initially, until state-level hacks (notably by China) forced action.
Fundamental Missteps and the Corporate Response
- Flaws, such as expired signing keys still functioning, highlighted a lack of basic diligence and culture of security.
- The Cyber Safety Review Board’s scathing report finally prompted Satya Nadella to echo the "security above all else" mantra, empowering Bell for a short-lived period.
A Return to Old Habits
- With political pressure fading (notably attributed to a new U.S. administration), Microsoft pivots from a security-focused to a profit-centric approach.
- Tom’s reading: Bell’s impact window closed as “politically, that time is gone,” prompting his exit.
Repeated Corporate Amnesia
- Amberly connects Microsoft’s cyclical relationship with security to broader corporate amnesia—historically becoming secure only after disaster.
- “It definitely feels like Microsoft has had many ups and downs of secure, not secure, secure, not secure. Big things happen, let's get secure again.” (Amberly, 06:20)
Security vs. Innovation Tension
- Tom argues the drive to innovate—seen now in AI—is at odds with secure practices: "The race is won by the people who are first, not by the people who are more secure." (Tom, 07:14)
- Bad foundational decisions (e.g., outsourcing engineering to China) become almost impossible to reverse later on.
New Leadership, Questionable Priorities
- Nadella introduced Hayet Galo mainly highlighting her sales track record, not her security expertise.
- "He introduced Galo, and he said she's really good at sales... He didn't talk about the security part at all." (Tom, 08:55)
- The focus has shifted to sales momentum—security is no longer in the spotlight.
Bleak Prognosis for Microsoft Security
- Given the oscillation between security and profit, and with only a brief, pressured nod toward better practices, Tom thinks meaningful, lasting change is unlikely absent fresh disaster.
- "I don't think a year's worth of good hard security work is enough." (Tom, 09:57)
- "What's it going to take to switch scales again? ...More disasters. That's the solution here." (Amberly/Tom, 10:10–10:16)
2. China Actively Preparing for Critical Infrastructure Attacks
Recent Intelligence Leak
- Leaked documents reveal China is constructing detailed cyber "testbeds" replicating adversary infrastructure (e.g., power grids, transit) as training grounds for disruptive attacks.
Not Completely Shocking, But Instructive
- Amberly: "This doesn't... seem all that surprising to me." (10:41)
- Tom affirms this is standard practice for capable actors but stresses that public, concrete evidence signals real and near-term intent.
Contrast with Other Actors
- Russia's 2015 Ukraine blackout was highly effective due to such detailed preparation—proof of concept for why these testbeds matter.
Noteworthy Operational Security Lapse
- Chinese cyber range is exposed on the public internet (albeit behind decoy pages and QR-login), unlike typically air-gapped Western counterparts.
- "It appears that there's some sort of authentication process... but it's hidden behind decoy web pages." (Tom, 13:27)
- May reflect the distributed nature of Chinese cyber operations and/or lack of infrastructure for fully isolated environments.
Takeaway
- China is moving beyond theory; threat to neighboring infrastructure is immediate and actionable.
- "China's coming. Be prepared. They've got a cricket bat and they're running after you, so maybe you should do something about it." (Tom, 14:53)
3. Cyber as a Contributing Force in Kinetic Military Operations
U.S. Cyber in Iranian Air Defense Attacks
- U.S. operations reportedly targeted key nodes in Iranian air defense, degrading performance. This was not a standalone action but was instrumental to a collective effort alongside stealth and electronic attacks and prior Israeli strikes.
Cyberwar: A “Force Multiplier,” Not a Silver Bullet
- Tom: "Cyber may not win wars on its own, but this is important, and militaries that have time to plan should absolutely, absolutely utilize this in their operations." (Amberly, 15:07)
- Effective use comes from deep integration—knowing systems’ dependencies and exploiting overlooked vulnerabilities: "The more complex a system is, the harder it gets to figure out what all those dependencies are and what you need to really protect." (Tom, 16:27)
Other Real-World Examples
- 2019: U.S. purportedly disabled Venezuelan grid to facilitate military operation—cyber provided a targeted, reversible alternative to kinetic attacks.
- Russia’s 2022 Ukraine invasion began with cyber disruption of satellite and telecommunications—again, not decisive alone, but a contributor.
Implications for “Lesser” Militaries
- Tom’s advice: If you lack big, capable cyber forces, focus on intelligence collection rather than trying to match superpower capabilities.
- "If you don't already have, like, big, powerful cyber forces, I wouldn't bother. I'd just focus on intelligence collection." (Tom, 18:38)
Notable Quotes & Memorable Moments
- "You would not have made that decision if you cared in the least about security." — Tom Urian on Microsoft’s key management failures (04:12)
- "It definitely feels like Microsoft has had many ups and downs of secure, not secure, secure, not secure. Big things happen, let's get secure again." — Amberly Jack (06:20)
- "The race is won by the people who are first, not by the people who are more secure." — Tom Urian (07:14)
- "He introduced Galo, and he said she's really good at sales... He didn't talk about the security part at all." — Tom Urian (08:55)
- "China's coming. Be prepared. They've got a cricket bat and they're running after you, so maybe you should do something about it." — Tom Urian (14:53)
- "Cyber may not win wars on its own, but this is important, and militaries that have time to plan should absolutely, absolutely utilize this in their operations." — Amberly Jack (15:07)
Important Timestamps
- 00:37–06:10 — Microsoft’s checkered security history, Bell’s tenure, and cultural failures
- 06:10–10:22 — Repeated corporate amnesia, tension between profit/innovation and security, Nadella’s priorities, speculation about future disasters
- 10:22–15:07 — China’s cyberattack preparations, operational differences, and lessons for potential targets
- 15:07–19:18 — Cyber in military operations, U.S./Iran, Venezuela, Ukraine, and broader implications for military doctrine
Summary Tone
The conversation is candid, at times cynical, and laced with industry insider humor and frustration—particularly regarding Microsoft’s oscillating commitment to security and the persistent organizational incentive to prioritize business outcomes over security fundamentals.
