Loading summary
A
Hey, everyone, and welcome along to Seriously Risky Biz. This is our podcast here, all about cybersecurity policy and intelligence. My name's Amberly Jack, and in just a moment I'll bring in Tom Urian, who is our policy and intelligence editor, and he and I are going to chat all about the Seriously Risky Business newsletter that he has put together this week. And you can of course, read that and subscribe to it over at our website, Risky Biz. This episode is sponsored by Trail of Bits and you can find them at trailofits. So massive. Thank you to them for that. G', Day, Tom. It's great to see you.
B
G', day, Amberly. How are you?
A
Yeah, pretty good, thanks. And we have quite a bit to get through today. And the first thing that I want to talk to you about, Tom, is you're a sad panda today. And what has you so blue, Tom, stems from the recent announcement from Microsoft that Charlie Bell, former head of security, is moving aside and the new executive vice president of security is Hayet Galo. Now, what you've done in the newsletter today, Tom, is kind of taken a look back at Bell's tenure at Microsoft, who by all intents and purposes, has a really good reputation. And you've sort of pointed out that Microsoft seems to care about security when it's forced to. And this most recent news kind of feels like the boardroom meetings this week won't have security way up high on that list on the agenda.
B
Yeah, yeah. So I guess for me, this story is personally interesting because in the history of the time I've been writing this newsletter, basically Microsoft went through a long period where there were security floor after security floor after security floor, and they basically didn't seem to care. And there's such an important player in the ecosystem that's truly significant. And the company's interesting because way back in, I think it was 2002, maybe, Bill Gates was suffering from the same situation where Microsoft had security flaw after security flaw after security flaw and issued this really pivotal memo where he said, we're going to do security above all else. And to me, it's a classic example of how a company, if they actually care about security, they can do a relatively good job. And Microsoft really turned it around for, like, a relatively long period because it actually did care. And so Bell, he joined Microsoft after leaving AWS because he wanted to make a difference to security, like improve the security of Microsoft. And. And the first couple of years, he basically had very, very limited impact. So, like, there was a security initiative launched And I did some tea reading at the tea leave reading at the time. And, you know, Nadella didn't say anything about it. He wasn't the face of the public launch. And even Bell said, you know, you need to help me in this role. I can't do it myself.
A
Yeah, right.
B
Like he was. Bell was saying the right words, but it was clear he didn' the top level cover. And the announcement went into all these things that were kind of peripheral to security and that it never said, security is actually important and we need to get it right. So eventually Microsoft got hacked a couple of times by state actors, the Chinese in particular, they hacked Microsoft and there was just this string of errors which made it pretty clear to me that Microsoft just didn't care about security. So, for example, they had. The Chinese found a key, a special key, and that key continued to work even after it had meant to expire. And like, okay, Microsoft, you control the signing architecture, you control the key architecture. Did you just not check that your keys actually expired?
A
Right.
B
And there was a series of just absolutely flabbergasting decisions where, like, you would not have made that decision if you cared in the least about security. So this happened because no one thought to check that keys worked like they were meant to. And that led to a Cyber Safety Review Board report where they blasted Microsoft. And that was the moment where they actually started to care. So within a month, Nadella had issued a memo saying, we've got to do security above all else was the phrase he used. And so after that, Bell was able to kick some goals. He had the organization behind him. People were told, if you need to make a choice between security and something else, you fix security. Unfortunately, that didn't last very long. And so I think since the Trump administration's come in, that pressure is off the company. Nadella is like, oh, great, I don't have to spend. I suppose in his mind, I suppose, I don't know, it must be. Security is a pain in the ass. We've got other things that we can do that will make us money. Yeah. And so Bell is leaving. My reading of the situation is that he had a time where he could make a difference and he's realized that politically that time is gone. And so why am I hanging around fighting the good fight and beating my head against a brick wall? So the history of his time there was that until that sort of moment where they, after the review board report, Bell had been fighting against other Microsoft managers who were like, ah, this security thing, it looks a bit painful. Do we really need to be that secure. And so he's at a time in his career where it's like, I can't do this anymore.
A
It's quite funny actually, you brought up before that there was a time back in the early 2000s where things weren't great and then security took focus again. And I've had my head very deep in research of history of hacking and hacking communities for a series that we're doing at Risky Bit is how the world got owned. And you can of course listen to the first episode, the 1980s on our website Risky Biz. But while I have been sitting in the corner of my room surrounded by papers and research over this thing, it definitely feels like Microsoft has had many ups and downs of secure, not secure, secure, not secure. Big things happen, let's get secure again. This is something that seems to have plagued the company since the company was a company pretty much.
B
I think there's a constant tension between doing more and doing things securely. And you can see that today with AI where there'll be like the whole open claw or multip book or whatever. Like people are attracted by the ability to do new things and that's great, but very rarely do they go, oh, let's make this secure. Because the, I mean the race is won by the people who are first, not by the people who are more secure. And so there's a constant tension between that and I guess, you know, we come from a community where security is important, so we value that and so we're always arguing for it. And I think people need to fight the good fight to do that. But also at the same time I'm realistic that things are going to get done without security. Now I think for something, a company as important as Microsoft, there's many things that they need to get right fundamentally. And if they don't care about security, they never get it right fundamentally and it becomes harder and harder to undo. And so I guess there's examples where for example, they were outsourcing work to countries you'd pretty much call adversary nations, like outsourcing engineering work to China. That seems like a terrible idea. And it's the sort of decision that it's very hard to undo. It takes time to undo. It's once you've made it and you would have been the company and like the country would have been better if that decision had never been made. But they weren't looking at it with that security lens at the time. And so I think that's the. Those are those sort of long term Architectural decisions that are very hard to undo when you don't care. And so like the announcement that the Delaware made, he did not want mentioned once how important getting security was. Right, right.
A
So he introduced executive VP of security.
B
Yeah, yeah. So he introduced Galo and he said she's really good at sales. The things she's done at Microsoft are really important. And she does have some security background. So she seems to have gone back and forth at times between security and being a sort of sales, not salesperson, but leading sales organizations. But he didn't talk about the security part at all. And then when he did talk about security, it's like, yeah, we've got really strong momentum, we're selling a lot of products, we want that to continue. So the entire tone of what he's talking about, what is important, is totally different. Like the security is important and you must do it. That is totally gone. And it's all about sales and making money. And I think that's like bad news. I think there's a bounce to be struck. Being perfectly secure is not good, but being perfectly profit motivated I think is also bad. And so they've like swung back and forth very rapidly in the last few years. And I don't think a year's worth of good hard security work is enough. Yeah.
A
What's it going to take, Tom, do you think, to switch scales again? Is it literally going to be another public. There's something really bad that happened because security was so bad.
B
Yes, more disasters. That's the solution here.
A
Great.
B
Yeah. Something to look forward to.
A
Hey, I want to move on now to China, Tom. And China seems to be actively honing its skills and preparing to launch disruptive attacks on power grids and transport networks in neighboring adversarial countries. And this kind of comes out from some leaked documents that suggest this doesn't kind of seem all that surprising to me. But I don't know, you tell me more.
B
I think at one level you're right. It's not a surprise. Like any country that wants to have the ability to fiddle with another country's critical infrastructure, you are going to create training grounds or test beds or cyber ranges and you'll replicate in extreme detail the target network and you'll go play there and test techniques and test tools and test procedures to be able to cause the effects you want, the exact effects you want when you want it. So in the recent Russian attacks on the Polish power grid, it appears like they got an easy way in. They had credentials, they had known vulnerabilities that Were like, the network is essentially open, but basically in Dragos's report. So Dragos is an industrial control cyber security company. They said that they just went in and did stuff. They didn't have the time and the space to plan what they were doing to actually achieve significant effects. So that's what happens when you don't practice, but when you do practice, they contrasted it to the attacks in 2015 in Ukraine, where Russia actually achieved significant blackout for a number of hours. And they had at that time the time and space to practice. So you can bet your bottom dollar that they had a range or a test bed where they'd set up replicas of the Ukrainian equipment and had done that. That's what you do. And so this news indicates intent, like we're actively planning it, and it indicates which countries they're interested in. So it talked about countries in the South China Sea and basically geographically near China. I think it's interesting to go from this is theoretically what they could be doing to here's real example of them doing it. Like, I think there's a lot of value from a being on the receiving end that you've moved from the theoretical to the real. Like, I think that motivates people. Like, you can imagine someone chasing you with a cricket bat or a baseball bat if you're American. But to know that someone is chasing you with a cricket bat is very different. Like, you do different things. The threat is immediate and real rather than theoretical.
A
You and I were just as a little side note as well, you and I were talking about this before and you mentioned this environment was all on the public Internet as well.
B
Yeah, yeah. So one of the fascinating things is if a Western country was doing this, they do it on some air gapped, isolated network and it would be super secret. So this one's just on the public Internet. So it appears that there's some sort of authentication process with a QR code, but it's hidden behind decoy web pages. And so if you go to the site, it's just a web page, but if you've got the right authentication, it lets you into this testbed. So I was kind of thinking, why would you do that? And my sort of hypothesis is that maybe Chinese hacking is so distributed in so many different places that they don't have like a central air gapped, top secret network that they would put that on that a whole lot of hackers could get access to or different organizations could get access to. The environment was commissioned by the Ministry of Public Security. So that's an intelligence organization. It seems like they don't have a place to put that where they would just let the people who needed access onto it. It's a bit strange. I don't know what to make of that. I thought it was. That was one thing that was really different from the way a Western country would do it though.
A
Yeah, interesting. And so what's the takeaway here is pretty much China's coming. Be prepared.
B
They've got a cricket bat and they're running after you, so maybe you should do something about it.
A
Yeah, run or get a bigger bat.
B
Yeah, I guess Chinese don't play cricket. I'm not sure what bat sports they would use instead, but.
A
And Tom, I know that you do love when cyber plays a meaningful role in military operations. So this last story I want to talk to you about. U.S. cyber was used in Iranian air defense strikes. And that's kind of got you thinking again, Tom, that look, cyber may not win wars on its own, but this is important and militaries that have time to plan should absolutely, absolutely utilize this in their operations. Is kind of your thinking.
B
I think that countries that have capable cyber forces will. Are. Should be used thinking about how do we integrate that into conventional military operations. So now we've got like kind of three examples, three good examples. So the story in the record is that officials say that the US cyber operators did something to Iranian air defence that helped to degrade it. So it didn't degrade it completely by itself. And the report talks about attacking a particular key node or key military system somewhere. And because all the air defence systems are connected, that somehow degraded the capability of the whole, the system as a whole. So that kind of seems plausible because I think it's unlikely that you can attack an isolated air defense system directly just because people will be like, that's a thing that they would, others would want to do. So, you know, we're going to protect against that. Yeah, that seems like that's the inner shell where you adversaries would spend the most time and effort protecting it. But as you go further out, there's these dependencies and it's, you know, the more complex a system is, the harder it gets to figure out what all those dependencies are and what you need to really protect. And I think it's an example where if you do your homework, you can probably find some vulnerability that's a bit unexpected, but works now also, it's not the cyber operation by itself. The US also has stealth aircraft and it's got electronic warfare aircraft and The Israelis were bombing Iranian air defense in the days leading up to the attack. So there's a whole series of things, but it's a contributor.
A
Yeah.
B
And this is probably of the stories we've heard. One of the more. It feels like one of the more sensational ones.
A
Yeah.
B
So the other stories just quickly were when the US Raided Venezuela to capture Nicolas Maduro. The story there is that they turned out the lights, they disrupted the electricity grid for a particular time and place. So again, it's a contribution. They had conventional alternatives. They could have blown up electricity infrastructure, or they've got special bombs that can. That can disrupt electricity. In some sense, cyber is better because it's more temporary, like, better. And then the third. The third case is in the very early days of their invasion of Ukraine, Russia disrupted a satellite network and a Ukrainian telco. So in all these cases, they're like contributing to parts of an operation. Sometimes the contribution will be greater or lesser, but none of those examples feel like they make a decisive difference. And so I think that's what capable militaries will be trying to do. When they've got the time and space to do their homework and to plan, they'll try and figure out what's the best way we can use cyber operations to help us. I think the interesting question is, for militaries that are smaller and don't have capable cyber forces, what do you do with them? Is it worth investing a whole heap to get that? My gut feeling is if you don't already have, like, big, powerful cyber forces, I wouldn't bother. I'd just focus on intelligence collection. But to me, it's interesting that we're starting to learn more about how it's used in practice and what it looks, what success looks like.
A
Yeah. All right, Tom. We might actually leave it there, but thank you so much again for joining me. You can, of course, read and subscribe to Tom's newsletter over at our website, Risky Biz. And, Tom, I will catch you same time next week. Thank you so much.
B
Thanks, Amber. Sam.
In this episode, Amberly Jack and Tom Urian break down key cybersecurity developments featured in the latest Seriously Risky Biz newsletter. Most notably, they unpack Microsoft’s shifting priorities with the departure of security head Charlie Bell, discuss China's increasingly overt preparations for disruptive cyberattacks in the region, and analyze recent use cases of cyber operations within conventional military strategies. The conversation spotlights how organizations and nation-states are balancing (or failing to balance) security imperatives against business or strategic drivers, with memorable insights and candid commentary from both hosts.
Departure of Charlie Bell and Implications
Historic Parallels and the Gates Memo
Fundamental Missteps and the Corporate Response
A Return to Old Habits
Repeated Corporate Amnesia
Security vs. Innovation Tension
New Leadership, Questionable Priorities
Bleak Prognosis for Microsoft Security
Recent Intelligence Leak
Not Completely Shocking, But Instructive
Contrast with Other Actors
Noteworthy Operational Security Lapse
Takeaway
U.S. Cyber in Iranian Air Defense Attacks
Cyberwar: A “Force Multiplier,” Not a Silver Bullet
Other Real-World Examples
Implications for “Lesser” Militaries
"You would not have made that decision if you cared in the least about security."
— Tom Urian on Microsoft’s key management failures (04:12)
"It definitely feels like Microsoft has had many ups and downs of secure, not secure, secure, not secure. Big things happen, let's get secure again."
— Amberly Jack (06:20)
"The race is won by the people who are first, not by the people who are more secure."
— Tom Urian (07:14)
"He introduced Galo, and he said she's really good at sales... He didn't talk about the security part at all."
— Tom Urian (08:55)
"China's coming. Be prepared. They've got a cricket bat and they're running after you, so maybe you should do something about it."
— Tom Urian (14:53)
"Cyber may not win wars on its own, but this is important, and militaries that have time to plan should absolutely, absolutely utilize this in their operations."
— Amberly Jack (15:07)
The conversation is candid, at times cynical, and laced with industry insider humor and frustration—particularly regarding Microsoft’s oscillating commitment to security and the persistent organizational incentive to prioritize business outcomes over security fundamentals.
For more insights and to subscribe to the Seriously Risky Biz newsletter, visit the Risky Biz website.