Risky Bulletin: Srsly Risky Biz

Episode: "Microsoft forgoes its secure future"

Date: February 12, 2026
Host: Amberly Jack
Guest: Tom Urian (Policy and Intelligence Editor)

Episode Overview

In this episode, Amberly Jack and Tom Urian break down key cybersecurity developments featured in the latest Seriously Risky Biz newsletter. Most notably, they unpack Microsoft’s shifting priorities with the departure of security head Charlie Bell, discuss China's increasingly overt preparations for disruptive cyberattacks in the region, and analyze recent use cases of cyber operations within conventional military strategies. The conversation spotlights how organizations and nation-states are balancing (or failing to balance) security imperatives against business or strategic drivers, with memorable insights and candid commentary from both hosts.

Key Discussion Points and Insights

1. Microsoft Security: A Cycle of Neglect and Response

Departure of Charlie Bell and Implications

Charlie Bell, brought in from AWS to bolster Microsoft’s security posture, is stepping aside; Hayet Galo will become the new Executive VP of Security.
Tom observes that Bell’s tenure demonstrates Microsoft only prioritizes security in response to major incidents or public criticism, not as an embedded, continuous value.

Historic Parallels and the Gates Memo

Reference to Bill Gates’s 2002 memo, a pivotal “security above all else” moment, showing Microsoft can improve security—but only under pressure.
Tom notes Bell “saying all the right words” but lacking executive backing initially, until state-level hacks (notably by China) forced action.

Fundamental Missteps and the Corporate Response

Flaws, such as expired signing keys still functioning, highlighted a lack of basic diligence and culture of security.
The Cyber Safety Review Board’s scathing report finally prompted Satya Nadella to echo the "security above all else" mantra, empowering Bell for a short-lived period.

A Return to Old Habits

With political pressure fading (notably attributed to a new U.S. administration), Microsoft pivots from a security-focused to a profit-centric approach.
Tom’s reading: Bell’s impact window closed as “politically, that time is gone,” prompting his exit.

Repeated Corporate Amnesia

Amberly connects Microsoft’s cyclical relationship with security to broader corporate amnesia—historically becoming secure only after disaster.
- “It definitely feels like Microsoft has had many ups and downs of secure, not secure, secure, not secure. Big things happen, let's get secure again.” (Amberly, 06:20)

Security vs. Innovation Tension

Tom argues the drive to innovate—seen now in AI—is at odds with secure practices:
- "The race is won by the people who are first, not by the people who are more secure." (Tom, 07:14)
Bad foundational decisions (e.g., outsourcing engineering to China) become almost impossible to reverse later on.

New Leadership, Questionable Priorities

Nadella introduced Hayet Galo mainly highlighting her sales track record, not her security expertise.
- "He introduced Galo, and he said she's really good at sales... He didn't talk about the security part at all." (Tom, 08:55)
The focus has shifted to sales momentum—security is no longer in the spotlight.

Bleak Prognosis for Microsoft Security

Given the oscillation between security and profit, and with only a brief, pressured nod toward better practices, Tom thinks meaningful, lasting change is unlikely absent fresh disaster.
- "I don't think a year's worth of good hard security work is enough." (Tom, 09:57)
- "What's it going to take to switch scales again? ...More disasters. That's the solution here." (Amberly/Tom, 10:10–10:16)

2. China Actively Preparing for Critical Infrastructure Attacks

Recent Intelligence Leak

Leaked documents reveal China is constructing detailed cyber "testbeds" replicating adversary infrastructure (e.g., power grids, transit) as training grounds for disruptive attacks.

Not Completely Shocking, But Instructive

Amberly: "This doesn't... seem all that surprising to me." (10:41)
Tom affirms this is standard practice for capable actors but stresses that public, concrete evidence signals real and near-term intent.

Contrast with Other Actors

Russia's 2015 Ukraine blackout was highly effective due to such detailed preparation—proof of concept for why these testbeds matter.

Noteworthy Operational Security Lapse

Chinese cyber range is exposed on the public internet (albeit behind decoy pages and QR-login), unlike typically air-gapped Western counterparts.
- "It appears that there's some sort of authentication process... but it's hidden behind decoy web pages." (Tom, 13:27)
May reflect the distributed nature of Chinese cyber operations and/or lack of infrastructure for fully isolated environments.

Takeaway

China is moving beyond theory; threat to neighboring infrastructure is immediate and actionable.
- "China's coming. Be prepared. They've got a cricket bat and they're running after you, so maybe you should do something about it." (Tom, 14:53)

3. Cyber as a Contributing Force in Kinetic Military Operations

U.S. Cyber in Iranian Air Defense Attacks

U.S. operations reportedly targeted key nodes in Iranian air defense, degrading performance. Not a standalone action—but instrumental to collective efforts with stealth and electronic attacks, and prior Israeli strikes.

Cyberwar: A “Force Multiplier,” Not a Silver Bullet

Tom: "Cyber may not win wars on its own, but this is important, and militaries that have time to plan should absolutely, absolutely utilize this in their operations." (Amberly, 15:07)
Effective use comes from deep integration—knowing systems’ dependencies and exploiting overlooked vulnerabilities:
- "The more complex a system is, the harder it gets to figure out what all those dependencies are and what you need to really protect." (Tom, 16:27)

Other Real-World Examples

2019: U.S. purportedly disabled Venezuelan grid to facilitate military operation—cyber provided a targeted, reversible alternative to kinetic attacks.
Russia’s 2022 Ukraine invasion began with cyber disruption of satellite and telecommunications—again, not decisive alone, but a contributor.

Implications for “Lesser” Militaries

Tom’s advice: If you lack big, capable cyber forces, focus on intelligence collection rather than trying to match superpower capabilities.
- "If you don't already have, like, big, powerful cyber forces, I wouldn't bother. I'd just focus on intelligence collection." (Tom, 18:38)

Notable Quotes & Memorable Moments

"You would not have made that decision if you cared in the least about security."
— Tom Urian on Microsoft’s key management failures (04:12)
"It definitely feels like Microsoft has had many ups and downs of secure, not secure, secure, not secure. Big things happen, let's get secure again."
— Amberly Jack (06:20)
"The race is won by the people who are first, not by the people who are more secure."
— Tom Urian (07:14)
"He introduced Galo, and he said she's really good at sales... He didn't talk about the security part at all."
— Tom Urian (08:55)
"China's coming. Be prepared. They've got a cricket bat and they're running after you, so maybe you should do something about it."
— Tom Urian (14:53)
"Cyber may not win wars on its own, but this is important, and militaries that have time to plan should absolutely, absolutely utilize this in their operations."
— Amberly Jack (15:07)

Important Timestamps

00:37–06:10 — Microsoft’s checkered security history, Bell’s tenure, and cultural failures
06:10–10:22 — Repeated corporate amnesia, tension between profit/innovation and security, Nadella’s priorities, speculation about future disasters
10:22–15:07 — China’s cyberattack preparations, operational differences, and lessons for potential targets
15:07–19:18 — Cyber in military operations, U.S./Iran, Venezuela, Ukraine, and broader implications for military doctrine

Summary Tone

The conversation is candid, at times cynical, and laced with industry insider humor and frustration—particularly regarding Microsoft’s oscillating commitment to security and the persistent organizational incentive to prioritize business outcomes over security fundamentals.

For more insights and to subscribe to the Seriously Risky Biz newsletter, visit the Risky Biz website.

Risky Bulletin: Srsly Risky Biz

Episode: "Microsoft forgoes its secure future"

Date: February 12, 2026
Host: Amberly Jack
Guest: Tom Urian (Policy and Intelligence Editor)

Episode Overview

Key Discussion Points and Insights

1. Microsoft Security: A Cycle of Neglect and Response

Departure of Charlie Bell and Implications

Charlie Bell, brought in from AWS to bolster Microsoft’s security posture, is stepping aside; Hayet Galo will become the new Executive VP of Security.
Tom observes that Bell’s tenure demonstrates Microsoft only prioritizes security in response to major incidents or public criticism, not as an embedded, continuous value.

Historic Parallels and the Gates Memo

Reference to Bill Gates’s 2002 memo, a pivotal “security above all else” moment, showing Microsoft can improve security—but only under pressure.
Tom notes Bell “saying all the right words” but lacking executive backing initially, until state-level hacks (notably by China) forced action.

Fundamental Missteps and the Corporate Response

Flaws, such as expired signing keys still functioning, highlighted a lack of basic diligence and culture of security.
The Cyber Safety Review Board’s scathing report finally prompted Satya Nadella to echo the "security above all else" mantra, empowering Bell for a short-lived period.

A Return to Old Habits

With political pressure fading (notably attributed to a new U.S. administration), Microsoft pivots from a security-focused to a profit-centric approach.
Tom’s reading: Bell’s impact window closed as “politically, that time is gone,” prompting his exit.

Repeated Corporate Amnesia

Amberly connects Microsoft’s cyclical relationship with security to broader corporate amnesia—historically becoming secure only after disaster.
- “It definitely feels like Microsoft has had many ups and downs of secure, not secure, secure, not secure. Big things happen, let's get secure again.” (Amberly, 06:20)

Security vs. Innovation Tension

Tom argues the drive to innovate—seen now in AI—is at odds with secure practices:
- "The race is won by the people who are first, not by the people who are more secure." (Tom, 07:14)
Bad foundational decisions (e.g., outsourcing engineering to China) become almost impossible to reverse later on.

New Leadership, Questionable Priorities

Nadella introduced Hayet Galo mainly highlighting her sales track record, not her security expertise.
- "He introduced Galo, and he said she's really good at sales... He didn't talk about the security part at all." (Tom, 08:55)
The focus has shifted to sales momentum—security is no longer in the spotlight.

Bleak Prognosis for Microsoft Security

Given the oscillation between security and profit, and with only a brief, pressured nod toward better practices, Tom thinks meaningful, lasting change is unlikely absent fresh disaster.
- "I don't think a year's worth of good hard security work is enough." (Tom, 09:57)
- "What's it going to take to switch scales again? ...More disasters. That's the solution here." (Amberly/Tom, 10:10–10:16)

2. China Actively Preparing for Critical Infrastructure Attacks

Recent Intelligence Leak

Leaked documents reveal China is constructing detailed cyber "testbeds" replicating adversary infrastructure (e.g., power grids, transit) as training grounds for disruptive attacks.

Not Completely Shocking, But Instructive

Amberly: "This doesn't... seem all that surprising to me." (10:41)
Tom affirms this is standard practice for capable actors but stresses that public, concrete evidence signals real and near-term intent.

Contrast with Other Actors

Russia's 2015 Ukraine blackout was highly effective due to such detailed preparation—proof of concept for why these testbeds matter.

Noteworthy Operational Security Lapse

Chinese cyber range is exposed on the public internet (albeit behind decoy pages and QR-login), unlike typically air-gapped Western counterparts.
- "It appears that there's some sort of authentication process... but it's hidden behind decoy web pages." (Tom, 13:27)
May reflect the distributed nature of Chinese cyber operations and/or lack of infrastructure for fully isolated environments.

Takeaway

China is moving beyond theory; threat to neighboring infrastructure is immediate and actionable.
- "China's coming. Be prepared. They've got a cricket bat and they're running after you, so maybe you should do something about it." (Tom, 14:53)

3. Cyber as a Contributing Force in Kinetic Military Operations

U.S. Cyber in Iranian Air Defense Attacks

U.S. operations reportedly targeted key nodes in Iranian air defense, degrading performance. Not a standalone action—but instrumental to collective efforts with stealth and electronic attacks, and prior Israeli strikes.

Cyberwar: A “Force Multiplier,” Not a Silver Bullet

Tom: "Cyber may not win wars on its own, but this is important, and militaries that have time to plan should absolutely, absolutely utilize this in their operations." (Amberly, 15:07)
Effective use comes from deep integration—knowing systems’ dependencies and exploiting overlooked vulnerabilities:
- "The more complex a system is, the harder it gets to figure out what all those dependencies are and what you need to really protect." (Tom, 16:27)

Other Real-World Examples

2019: U.S. purportedly disabled Venezuelan grid to facilitate military operation—cyber provided a targeted, reversible alternative to kinetic attacks.
Russia’s 2022 Ukraine invasion began with cyber disruption of satellite and telecommunications—again, not decisive alone, but a contributor.

Implications for “Lesser” Militaries

Tom’s advice: If you lack big, capable cyber forces, focus on intelligence collection rather than trying to match superpower capabilities.
- "If you don't already have, like, big, powerful cyber forces, I wouldn't bother. I'd just focus on intelligence collection." (Tom, 18:38)

Notable Quotes & Memorable Moments

"You would not have made that decision if you cared in the least about security."
— Tom Urian on Microsoft’s key management failures (04:12)
"It definitely feels like Microsoft has had many ups and downs of secure, not secure, secure, not secure. Big things happen, let's get secure again."
— Amberly Jack (06:20)
"The race is won by the people who are first, not by the people who are more secure."
— Tom Urian (07:14)
"He introduced Galo, and he said she's really good at sales... He didn't talk about the security part at all."
— Tom Urian (08:55)
"China's coming. Be prepared. They've got a cricket bat and they're running after you, so maybe you should do something about it."
— Tom Urian (14:53)
"Cyber may not win wars on its own, but this is important, and militaries that have time to plan should absolutely, absolutely utilize this in their operations."
— Amberly Jack (15:07)

Important Timestamps

00:37–06:10 — Microsoft’s checkered security history, Bell’s tenure, and cultural failures
06:10–10:22 — Repeated corporate amnesia, tension between profit/innovation and security, Nadella’s priorities, speculation about future disasters
10:22–15:07 — China’s cyberattack preparations, operational differences, and lessons for potential targets
15:07–19:18 — Cyber in military operations, U.S./Iran, Venezuela, Ukraine, and broader implications for military doctrine

Summary Tone

For more insights and to subscribe to the Seriously Risky Biz newsletter, visit the Risky Biz website.

wavePod

Srsly Risky Biz: Microsoft forgoes its secure future

Powered by Wave AI

Summary

Risky Bulletin: Srsly Risky Biz

Episode: "Microsoft forgoes its secure future"

Date: February 12, 2026
Host: Amberly Jack
Guest: Tom Urian (Policy and Intelligence Editor)

Episode Overview

Key Discussion Points and Insights

1. Microsoft Security: A Cycle of Neglect and Response

2. China Actively Preparing for Critical Infrastructure Attacks

3. Cyber as a Contributing Force in Kinetic Military Operations

Notable Quotes & Memorable Moments

Important Timestamps

Summary Tone

Summary

Risky Bulletin: Srsly Risky Biz

Episode: "Microsoft forgoes its secure future"

Date: February 12, 2026
Host: Amberly Jack
Guest: Tom Urian (Policy and Intelligence Editor)

Episode Overview

Key Discussion Points and Insights

1. Microsoft Security: A Cycle of Neglect and Response

2. China Actively Preparing for Critical Infrastructure Attacks

3. Cyber as a Contributing Force in Kinetic Military Operations

Notable Quotes & Memorable Moments

Important Timestamps

Summary Tone

Srsly Risky Biz: Microsoft forgoes its secure future

Powered by Wave AI

Summary

Risky Bulletin: Srsly Risky Biz

Episode: "Microsoft forgoes its secure future"

Date: February 12, 2026 Host: Amberly Jack Guest: Tom Urian (Policy and Intelligence Editor)

Episode Overview

Key Discussion Points and Insights

1. Microsoft Security: A Cycle of Neglect and Response

2. China Actively Preparing for Critical Infrastructure Attacks

3. Cyber as a Contributing Force in Kinetic Military Operations

Notable Quotes & Memorable Moments

Important Timestamps

Summary Tone

Summary

Risky Bulletin: Srsly Risky Biz

Episode: "Microsoft forgoes its secure future"

Date: February 12, 2026 Host: Amberly Jack Guest: Tom Urian (Policy and Intelligence Editor)

Episode Overview

Key Discussion Points and Insights

1. Microsoft Security: A Cycle of Neglect and Response

2. China Actively Preparing for Critical Infrastructure Attacks

3. Cyber as a Contributing Force in Kinetic Military Operations

Notable Quotes & Memorable Moments

Important Timestamps

Summary Tone

Date: February 12, 2026
Host: Amberly Jack
Guest: Tom Urian (Policy and Intelligence Editor)

Date: February 12, 2026
Host: Amberly Jack
Guest: Tom Urian (Policy and Intelligence Editor)