B
Hey, everyone, and welcome back to the Wide World of Cyber podcast. My name is Patrick Gray. The Wide World of Cyber podcast is the one where we chat with Chris Krebs, who is the founding director of CISA, and Alex Stamos, who has held various CISO posts over the years, including with Yahoo, with Facebook, and most recently with SentinelOne. And we chat about some big picture stuff in the cybersecurity discipline. Now, this podcast used to be sponsored by SentinelOne, where Chris and Alex both worked, but some things happened. We won't go into it, but you know, their involvement with SentinelOne didn't quite work out due to various actions in the Oval Office. So this podcast is no longer sponsored by SentinelOne. And to be quite clear, that was my choice. I wanted to keep doing this podcast with Chris and Alex, and given they don't work there anymore, the only option for me was to take this sort of outside of the SentinelOne sponsorship, to be clear. Clear, clear, clear. SentinelOne have been absolutely fantastic about all of this. And indeed they are now sponsoring us to produce a documentary series about hacking through the 1980s, 90s, noughts, tens and twenties. And we're working on that right now. So no hate to SentinelOne, please. They've been class acts the whole way through this. And yeah, so there we. So, gentlemen, welcome back to the Wide World of Cyber. For starters, it's great to have you both here. And what we're talking about today, we're really talking about Microsoft and China and the problems that China is creating for Microsoft and I guess, you know, trying to divine why things might be the way they are right now. So let's just start with the digital Sherpa story. This is something that we've covered at length on the main show. The upshot of this story is that Microsoft engineers in China were being used to support, like, DoD Microsoft Cloud instances in the United States.
And no one seemed to really know about this until ProPublica ran a story about it. Let's start with you, Chris. Like, this seems, I mean, look, everybody had the same reaction, right? Which was this was really bad. Of course, we've got updates in this story that are very recent, so we're not just rehashing stuff that happened a month ago. But for those who aren't familiar with the story, let's just give a quick recap of what we learned when this story first broke.
C
Yeah, so a few weeks ago, Renee Dudley over at ProPublica dropped this bomb that Microsoft had been using, as you laid out, Chinese-based or Chinese citizens, effectively engineers, to write code updates that would then be kind of laundered or washed through US citizens with presumably security clearances, but perhaps not at the same technical competency level. And they were then taking the updates and then pushing them into the government cloud that was deployed. Not just at DoD in the Pentagon, but also, at least according again to Renee's reporting, into some of the civilian agencies, the .gov agencies. So a pretty shocking story all around. I mean, it fails every single common sense test. I think it really doesn't make a whole lot of sense to me how this was even initially approved or how it even passed kind of the governance process at the beginning inside Microsoft. And certainly if anybody at government reviewed this and said it was a good idea, I think they need to get their head checked. So I think that's the quick and dirty on it.
B
Well, we've got some more information recently about where this was disclosed, how it was disclosed, how it kind of wasn't disclosed. We'll get to that in a minute. But Alex, you know, you've been a CISO for large organizations. You know, you would have come across this sort of digital escort, slash digital Sherpa type of arrangement before. You know, it seems like the way that it works is that, you know, or the way that it worked in this instance is, you know, the Chinese engineers would have sort of read-only access and they would instruct the escorts to run various commands and whatnot. Which is all well and good until you realize, until you see the recruitment ads for the digital escorts where it's like, we'll pay you $18 an hour, technical skills not necessary, and all you need is a security clearance and come on in and you can do this job. Which seems not great. But that's the typical arrangement, isn't it, with the digital escort stuff. That's the way Adam Boileau described it when he'd done that sort of work previously when he'd be the escorted engineer. It's usually like a read-only thing. You give the escort commands. They run the commands.
A
Yeah. Copy and paste this into the high side shell. I've seen this and I explicitly said no to it. Right. So like you said, my last CISO job as of last week, I was the CISO of SentinelOne. As you said, just because it's the first time we're doing this, I just want to make it clear my departure from SentinelOne was completely friendly and a decision I made. I made that decision because as of the day that this is airing, I'm starting at Corridor, which is a startup that two of my smartest Stanford students started, and I'm in the middle of a midlife crisis and I thought, hey, I'm going to do a startup with some young people.
B
Well, you already own a boat, right? So this is next, right?
A
Exactly right, right. It's like that's the standard midlife crisis thing, is the boat. I've got the boat. So let's do the startup. Right.
C
And to be clear, my departure from... everybody saw mine on LinkedIn, and mine was the same wave, nothing but good feelings on the way out with SentinelOne, Tomer and the team.
A
Yes, except yes, Chris had external things that pushed his decision. This was just me.
C
A different kind of midlife crisis going on here.
A
A different kind of midlife crisis. This is just me wanting to try to do the startup thing again with some really cool people. But anyway. But yes. So at SentinelOne we do a bunch of government work and we have FedRAMP High. Right. So to get a little more specific here, there's classified work, which are called ILs, integrity levels. There's like IL5, IL6, which includes classified work. What we're talking about here is not classified. It's FedRAMP, and FedRAMP Moderate and FedRAMP High are the ones you usually talk about. And at SentinelOne we had FedRAMP High, and it's a real pain. Even though it's not classified, it's a real pain in the butt to do FedRAMP, especially for a multinational company, because normally your cloud work you're doing follow-the-sun. You have DevOps engineers who are awake based upon where they live. You have PagerDuty set up so that, depending on who is awake at any moment, they're catching any alert and they're dealing with it. And yes, you might wake anybody up at 2am depending on what's going on. But hopefully you're able to do 24-hour support based upon being an international company. And, you know, generally with the FedRAMP rules you have to support people only with American citizens and, at the highest levels, people with actual security clearances. So I understand, you know, how that can be a pain. And it's also just difficult to find people with all the experiences you need with the proper backgrounds, and you have to pay them a lot of money. Right.
B
Well, Microsoft has a solution to this, as it turns out.
A
Right, right. And apparently they have a solution, which is you break the rules. Right. So like I explicitly said no to a situation like this. And it wasn't Chinese employees, it was like Swedish employees, right. Or Israeli employees. Like for Microsoft to say yes, I mean it's pushing the line to let even people who live in NATO countries do this. For the United States to allow Chinese employees to do this is just, I mean, mind-blown GIF. Right. Like I cannot believe that anybody who knew what they were doing would say yes to this, because as you and Adam pointed out, like the digital Sherpas here from the ads had no idea what they're doing when they're overseeing these Chinese technical employees. There's no possible way they knew what they were doing and that they would possibly be able to oversee it.
B
Well, I mean I think Adam was overseen. I think when Adam was doing this sort of work, he was being overseen by some junior at IBM who had no idea what UNIX sorcery he was asking him to cut and paste into a console somewhere. Right.
A
I mean there's no amount of money you could pay me to try to oversee Adam Boileau. Do it like, to copy-paste something that Adam would give me to copy into a terminal. There's no possible way I would be responsible for that. And certainly not like a junior person at IBM, right. So like this is just, it's crazy talk. And again, that would be true for somebody from a NATO country, from Israel, from a country that, you know, the Czech Republic, a country that's like kind of in, kind of out. For the People's Republic of China, the number one adversary of the United States, it is just completely and totally unacceptable for Microsoft to have done this.
B
I take your point. I think the only other countries where you would accept engineers from those countries would be other Five Eyes countries. Because there is that sort of very special relationship when it comes to government information, signals intelligence, things like that. Right? But even Italy, Greece, you wouldn't. Right? The French.
A
No, no, Greece would be okay, my friend.
B
Of course, Mr. Stamos.
A
No, no, of course the Five Eyes would be right. It's probably the place, people with Five Eyes clearances would be the kind of place where you'd probably be fine with it. But. And maybe in other situations, NATO countries, right. You know, are the kind of things if you got approval from your government sponsor. But there's absolutely no way, there's no possible way you could go to either a civilian or military government sponsor and say, hey, I have an idea. We're going to get people in Beijing to do this work and then we're going to get somebody for 18 bucks an hour with no technical skills just to copy and paste it. How does that sound? There's no possible way, as a guy who had to fill out paperwork to do this stuff. And, like, they give you huge crap for, like, trying to patch things. There's no possible way that anybody in the government said yes to this.
B
Now, now I should point out, too, this is our second turn at recording this podcast, right? Because we recorded the original version of this podcast last week, and then a whole bunch more information came out, and we're like, well, looks like we're having to do it again, which is why you're both sitting there on your Sunday evenings recording this with me. So what we did find out was Pete Hegseth announced, our wives love you, Patrick.
A
They're like, oh, man.
B
Pete Hegseth announced, when all of this broke, and it was the appropriate response, he said, that's it. Like, this is not acceptable. We're nuking all of this. We're ordering a review. And we'll, we'll, we'll. The part that I thought was a bit funny is we'll come back in two weeks and this will have been sorted out. I mean, you know, that's not realistic. But that said, they have managed to find out and sort of disclose certain things about the scope of all of this activity. And the one interesting thing that has come out of all of this is that it looks like Microsoft had not appropriately disclosed this to DoD. They had, you know, various documents they were supposed to lodge which would describe things like support arrangements and stuff. And they did, I think they did describe digital escorting procedures, but they failed to mention that it was Chinese staff who would be doing that. That seems fairly ridiculous. Like, it is crazy in my mind that if you're the Department of Defense of the United States, you would have to ask them, hey, by the way, are you planning on using Chinese nationals in, like, Beijing to do this work? Chris, you know, you've worked in government. You've been on the inside. When you've seen this latest news come out, you've read through it. I mean, I'm guessing this is, like, mind boggling round two, right?
C
I think the best quotes in all the articles come from former DoD Chief Information Officer John Sherman. I think he, at one point, you know, he mentioned the common sense test, but he also says this is essentially a matter of not asking the perfect question of the vendor with the very specific conditions and prohibitions. And I think to your point, like, who in their right mind would ever think, oh, no, we need to be very specific that they cannot use Chinese nationals sitting in Beijing, perhaps formerly MSS agents. I don't know if they are or what, but I can only imagine what the recruiting process was like once this kind of made the circles at the MSS. But you know, the complexity of managing cloud infrastructure in the commercial sector is, you know, just mind blowing in and of itself. And now once you start mapping it over into the private sector, or rather into the government sector, with all the various overlays and controls and processes that are in place and then trying to mash them up together, I think that's what we're seeing here. Again, it's just a bunch of gaps, things that got missed, a failure of governance and just trying to close the deal, getting that contract closed. We remember in the first Trump administration, the back and forth on the JEDI contract was potentially a billion. No, what was it? Was it 10 billion, 20 billion in cloud service sales into the DoD? That was back and forth between Microsoft and Amazon and then Oracle and all these back and forth. So this stuff is, this is the new kind of commercial battleground, and it looks like some cheeky phrasing in the system security plan or program made it through.
B
Well, I mean, I love how Amazon is trying to make hay here, which is they're just sticking their hand up immediately saying we don't use Chinese engineers. They're being totally, pick me, pick me, pick me.
A
Well, that's the important context here, right, is that Microsoft's clearly doing this to save money. And the, this is.
B
Well, hang on, hang on, is it? And that's an interesting part of this conversation, but do go on. We don't know that that's why they're doing it.
A
I mean, okay, so I mean the important big picture context here is that Microsoft and Amazon and, to a much lesser extent, Google are part of a huge fight for government cloud services, right? And Microsoft winning a bunch of government cloud contracts from Amazon was very controversial. There have been all of these lawsuits when contracts are won, which is normal in the government contracting world, is whoever loses immediately goes to court and sues saying this was given out incorrectly, yada yada, which is very controversial because that always drives up the cost of any government contract, is the loser never giving in. And so if I was Amazon, it is completely reasonable for them to say, you know, that Microsoft won on a lie. Chris, like, how much is Google playing on the high side here? Because I know Amazon's a huge focus on GovCloud. I don't know how much Google's trying.
C
To get in the classified side of the cloud. There are some existing contracts that AWS has had at CIA and elsewhere for years. Yeah, there's an emerging requirement for a broader intelligence community cloud that's at an impact level that would service, I believe, SIPRNet, which is at the secret level. And whether that then pulls in JWICS, which is the top secret and above, I don't know what the timeline is there. But those are going to be massive contracts, huge, billions and billions, compliance requirements. And the problem is, you know, I'm sure a bunch of the listeners or viewers have served in the military, in the US or elsewhere, or even in the reserves, and they've seen how long some of this classified equipment sticks around. It doesn't get refreshed every two to three years. It's just not how it works. I mean, some of these systems can be much older than that. So it's a huge ballgame and everybody's going to be shooting for that. And so I think this is maybe even a great leveler, creating additional opportunity for GCP over the next several years.
B
Well, look, look, I want to shift tack just for a moment because we've had all of this other stuff come out as well. Now, of course, in the last couple of months there's been a bug in SharePoint getting exposed, getting exploited by Chinese threat actors. This is fairly well established that it's Chinese threat actors behind this. There was some speculation that this was. There was a leak out of the early access to vulnerabilities program that Microsoft runs called MAPP. MAPP. As a result of that, Microsoft has just announced that it's yeeting a whole bunch of Chinese organizations out of the MAPP program, which they've done before. They did it after Hafnium, when the same thing was alleged to have happened. And when this whole thing broke, I actually went and had a look at who's actually in this MAPP program. A lot of Chinese firms. Right. So the idea that there could have been a leak there, not so surprising. So Microsoft actually trying to, you know, make that circle a little tighter makes a lot of sense. But then I think it was also Renee Dudley at ProPublica, who's just got excellent sourcing on all of this, who also wrote a story pointing out that it looks like Microsoft China actually maintains, at least to some level maintains, the code base for SharePoint on-prem, which is the product that has this bug in it. So I don't know that, like, tightening the circle on MAPP is going to quite get it done here, when you've got a Chinese engineering center actually maintaining this product. Now, when you try to figure out how many Chinese engineers actually work for Microsoft in China, it's not entirely clear. You get varying numbers. Some are like, well, there's 9,000 for their APAC engineering center and most of them are in China. So we don't have an exact number. I don't know that those numbers would encompass, you know, subcontractors and various support firms and other arrangements.
And I'm not going to spend three days reading Microsoft earnings reports and disclosures to find that out, if I'm honest. But safe to say there's a lot of Chinese engineers working for Microsoft. Right. So the question becomes, Alex, you said they did this for cost reasons, but surely there's more to it than that because there are plenty of places like Microsoft is, sorry, China is not as cheap a country to do business in as it once was. I mean, the GDP per capita in China is roughly the same as it is in Brazil. You know, this is, this is not a country with a tiny economy anymore. So really, like what? How did we get here? And, you know, understanding that you don't work for Microsoft, I mean, Chris used to. So we'll obviously get his thoughts here as well. But how do we get here? How do we get into this situation where there's thousands of engineers working for Microsoft in China supporting code bases used by the US Government and doing support into Department of Defense clouds? It seems wild. And it can't just be for cost savings.
A
Yeah, I mean, cost has to be part of it. But you're right. China is the country that every tech company has to make incredibly challenging ethical decisions about. It is the country that hacked Google, famously, with the Aurora attacks; Google had to pull out. And that has been a defining moment in Google's history. A positive one from an ethical perspective, a negative one from a financial perspective. It is the country that Apple decided to ship their phone into, and now everything that Apple says about privacy and safety and security falls apart with China. And now they find themselves in a very difficult situation, caught between China and the Trump administration from a supply chain perspective. And for the enterprise companies, for Microsoft and Amazon and the cloud companies, China has been a very challenging place in that multinationals and Chinese companies want to be able to do business in China, but to do so, you have to make some kind of compromise with the PRC. And Microsoft and Amazon have handled that in slightly different ways. Both of them have instances of their cloud, but Microsoft has gone full in on China. Right. And they have serviced the Chinese market just like any other market. And not only does Microsoft Azure operate there, but they treat Chinese companies, like you said with MAPP, they treated Chinese security companies like any other security company. And they have just decided to pull back, where Amazon, I think, was much more careful of, here's Amazon cloud. But if you look at the Amazon cloud instance in China, there are a gazillion things, warnings of if you run your stuff here, this doesn't work, this doesn't work, this doesn't work. And effectively we do not give you any kind of security in these ways. And Amazon, like I pointed out, we're not doing the digital Sherpa and such. And I'm pretty sure Amazon was not doing this kind of development there.
So I think Microsoft just made the decision of, we're going to treat China as a market. And to do so you have to also treat them. You have to hire people there, you have to treat the country there. You have to send Brad Smith to go shake Xi's hand and to go to conferences, and you have to have executives in the country. And part of that is you can't hold them at arm's length in the same way that other companies do. And so Apple and Microsoft, I think, made that decision to bring China in house and to treat them like a normal country. And they're dealing with that. They now are dealing with the after effects, where Google and Amazon and some other companies held them at arm's length and found some way to make money there, but not all the money. And they are going to have the benefit of being like, these people, this country is not. We choose the West. Right. Like we choose. And that's not necessarily a moral decision, but they recognized you can't both choose the West and choose China at the same time. You have to pick a side.
B
So hang on, hang on. Your argument here is essentially that Microsoft's presence and I guess, embrace of China is largely about market access.
A
Yes. It's about market access. Yes. And servicing companies that are multinational. Right. I think that's also a difference between Microsoft and Amazon is Amazon, obviously they have consumer businesses in China. Amazon's service of corporations is mostly cloud services, whereas Microsoft sells all kinds of software and services to businesses that also have Chinese positions. Right. So if you're PricewaterhouseCoopers and you have a humongous China office, you want those employees to have 100% of the same experience as your European employees and your Australian employees and your Indian employees. And so I think part of it too is, if you're Microsoft and it's the 90s and China has entered the WTO and you're making the decision of, you're looking at the big global aspect and you're like, China is now a full member of the international community, and you make a full-throated embrace of China. It is because you have decided that you are going to support the entry of China into the global world because you're supporting the multinational companies that are going to operate there, and that is part of probably their success. And Microsoft effectively has a monopoly in certain types of corporate enterprise services. Right. I love that I get to use G Suite every day. In my past company, in my future company, we use G Suite. We do not use Microsoft 365. But that is not true for any insurance company in the world. Right. That is not true for any large auto company. That is not true for almost any large multinational. They're all Microsoft customers. Microsoft hasn't been.
B
Yeah.
A
And so, and that's just the reality.
B
So Chris, I want to bring you into this. You know, you worked at Microsoft before you stepped into the role spinning up CISA. You know, is what Alex has just said there, I mean, does that vibe with your understanding as someone who actually worked there?
C
Well, so I was actually a part of the Trustworthy Computing team that was up under Brad Smith, that Alex had mentioned earlier, that was run by Scott Charney, that was effectively responsible for going out. I wasn't on that team, but there was a whole host of lawyers that would go out globally and negotiate various deals on the policy side in national capitals all around the world. There's one program in addition to MAPP that they would run, the Transparency Centers, which are dedicated, basically, clean rooms. They would host certain code bases across various Microsoft offerings that would allow access by government employees to come in and run certain tools that were approved by Microsoft against the code to see if there were any backdoors built in by the NSA or CIA or whomever. It was a really interesting program. There were a lot of hard negotiations, but there were countries that would, just by the pure fact of Microsoft saying, yeah, we'll set this up for you and we'll build it and you can come in, that was enough. Like they never would look at the code. They would just say, okay, if you're willing to go this far, we're going to take your word for it. Or at least you've called our bluff. That's good enough.
B
Well, it's funny that Microsoft has done this because, you know, back in the day, this was, I mean, back in the day, what, eight years ago or whatever. You know, Kaspersky tried something similar with its Transparency Center in Switzerland and whatnot. And I don't think it really worked in that instance, but it seems like it does work for Microsoft here because it's a US headquartered company.
C
So it's interesting in that Microsoft is probably one of the only companies in the world, frankly, that could pull it off, that could actually build it, not have any real impact to the stack or the code, and then at the same time build trust with customers, government or commercial, in part just because of the complexity of the code alone. I mean, Microsoft has a hard enough time, as we see, compiling Windows, so it would be really challenging for a government engineer to come in and do what? Like, you can't memorize all of it, you can't take anything out.
B
Yeah, yeah. Here's a few terabytes of code that like some of it was written in the 80s by people who are now deceased. Have at it.
A
They're not deceased, they're just like SVPs.
B
Damn.
A
But hang on, hang on.
B
Chris, Chris, Chris, I want to ask you though, like just pulling it back to that analysis of whether or not you believe that Microsoft was treating China like any other market, as Alex argues. I mean, did you get that sense when you were there?
C
So first off, like again, going back to the Transparency Center, a lot of that was in the wake of Snowden, where there was this overriding concern that the NSA was using all US companies that operate globally as a proxy or at least as a front for operations. Now, do I think that there's a bigger concern here just from the multinational aspect? I think we see this all the time talking to European customers. European customers don't have the same trepidation of going and operating in China or working with Chinese companies that American companies have. Do I think it's catching up a little bit? Yeah, I think certainly with the current Trump administration, that is going to put a lot of friction points in between anybody doing business with China. That's all going to come back around. So maybe this moment of Microsoft working closely with China, having the 21Vianet, galicake, whatever fork of Azure operating in China, maybe that kind of opportunity space, that window is closing pretty rapidly. But at the same time, what looks like a window or a door slamming shut all of a sudden turns into an opportunity somewhere else down the road. I mean, just look what happened here with Intel and the 10% stake that the US government now has in Intel, when just two or three weeks ago there was a call for Lip-Bu Tan, who is the CEO of Intel, to step down, to resign, because he was conflicted because of his Chinese links. Now the government. So I. Look, government affairs right now, particularly being in in-house government affairs, is a very, very difficult job. You really don't know what's going to happen one week to the next. There's just a lot of twisting in the wind out there and it's creating all sorts of havoc in boardrooms and in C-suites.
B
Well, I mean, I got to do a meme on the Intel thing, which I was quite proud of, which was the Drake meme, which is MAGA be like, you know, socialized medicine. No thanks. You know, socialized Intel processors. Now we're talking.
A
So look, taking it back to my history class. What is it called when a government owns the means of production? In the 20th century, we had a term for that.
B
Well, my joke was we must seize the means of computation. But anyway, let's.
C
Well, so just running this back though, like GlobalFoundries was a failed experiment, right? The dedicated fabs in the US providing specialized chips to the IC, to national defense utilizations. I just, I wonder if there's a market enough to really support this. And we played this game before. We'll see what happens this time.
B
Yeah, yeah. So look, I mean, then the question becomes where to from here? Now I remember, when was it? Like late 2023. I was in Washington, D.C. and I wound up doing sort of like a guest lecture or Q and A in Jason Kikta's class at Johns Hopkins University. And, you know, we're just sitting there sort of noodling on some of the big topics in cybersecurity. And when it got to Microsoft, you know, one thing I came up with kind of there is like, you know, we got Microsoft problems, like whether it's this China stuff or whether it's them not appropriately maintaining some sort of products. Right. The point is just Microsoft does whatever the hell it wants and the US government doesn't really have that much leverage on them. You guys are like, oh, well, maybe they can withdraw some contracts from certain areas. That's very difficult. It's extremely difficult when Excel is a Microsoft product and it kind of runs the world. Right? Like, this is the fundamental building block of all commerce and government is, sadly, Excel spreadsheets. So really the question becomes, you know, what do you do about it? And there's two things to my mind that can be done here. One is that you need to lobby Microsoft. You need to treat it sort of like it's a state. You don't have, you know, a huge amount of leverage. Same as you don't have a huge amount of leverage over a lot of countries. But you can sort of lobby them, you can kind of carrot and stick them, try to guide them into doing the right thing. I don't know that that's been terribly successful, because it seems like it has been tried. Then the other issue is, again going back to the Excel thing. You know, what would the world look like, what would Microsoft look like if all of a sudden, you know, M365 had to be available through some sort of Google app portal so you could have your GCP with Office? What would the world look like then? You know, would it.
I'm guessing there would be some fairly disastrous security consequences on one hand, in that those integrations are never going to be as good as a top to bottom stack provided by one provider, like in the case of Microsoft. But I'm guessing in other instances it's going to make Microsoft compete, it's going to make Microsoft do things better. So the question is where to from here, and how much of this issue do you think, you know, these negative things, how much of it do you think stems from the fact that Microsoft doesn't really have to operate in as competitive an environment as is appropriate. Let's start with you again on this, Chris, and then I'll get your thoughts.
C
Alex, I think to the point of sparing the rod in the past with Microsoft has not been terribly successful. The Cyber Safety Review Board report from a couple years ago was I think one of the first really impactful ways to get since at least the turn of the millennium, frankly with, with the actual launch of Trustworthy Computing in the 2003 era. But the Cyber Safety Review Board really called out a number of glaring failures not just in security processes, but in kind of a, from a leadership perspective and the trade-offs they were making between sales and security engineering. And so then you get the launch of the Secure Future Initiative, SFI, right? And the 20 or however many deputy CISOs they've got. And a lot of them are friends, a lot of them are really great people. And from what I've heard there's been progress there. So maybe it takes that calling to the carpet and lobbying. One way to lobby is to call people out. I mean that happens all the time, that's more on the output research and just kind of got the wetwork of lobbying, at least in D.C. but this.
B
is the stuff that I contend has not worked.
C
I think it certainly has made Microsoft change behaviors and practices. They've spent, I think, a good chunk of money. Now, whether, if you just want to say that's a wrapper in security theater, okay, we'll see what happens. But when you just look at the sheer size, scale, breadth of Microsoft, the things that they do, the places they sell, the things they sell, it's really hard to turn that, I think, entire operation around very quickly and effectively, the aircraft carrier.
B
But, but do you think, do you think, you know, some, some, some fine tuning of the competitive environment here would make a difference?
C
Could. I don't think it's going to happen. I mean, that's the other thing. Right. It's the political environment within which we're operating right now that is very, very pro-business, which is, you know, typical of Republican administrations, at least in the US. I don't really see a lot of regulation coming down the pike. I mean, you have that same approach from the first Trump administration where, you know, for every new admin, for every new regulation, you have to get rid of two. And I certainly don't see them wasting cycles on, you know, a cybersecurity or any sort of software liability regime.
B
Well, hang on, hang on. They're bringing back plastic straws. Maybe we can have better cloud computing in exchange. I mean, how does that, you know, what do we think?
C
But that's, yeah, look, this is not, this isn't breaking the top hundred priorities in this White House. And look, they've got their priorities. Cloud ain't one of them. I think personnel also is policy. And so it's going to be some time to get these confirmed members of the President's tech team in place. You've got Michael Kratsios, who's the OSTP head. You've got Sean Cairncross now, who's the National Cyber Director, waiting on Sean Plankey, of course, as the CISA director. We now have a new Deputy National Security Agency director. And it's not clear who's going to lead CyberCom and the NSA. So still lots of personnel question marks. And in the meantime, I suspect the careers that are sitting in place there are just kind of in a holding pattern.
B
Yeah. What are your thoughts here, Alex? Where to from here, I guess, is the question.
A
I mean, I think we need more competition. Right. And so, I mean, the nice thing here is for this specific screw-up is in an area in which there's a lot. There's a. There actually are competitors. Right. You know, Amazon is a direct competitor with Microsoft in the services that we're talking about here. So if the government wants to not purchase cloud services from Microsoft, at least in the places which search for a competitor, that's great, I would love to see. It is shocking to me that you have not seen Google continue to invest in some of the areas in which they should be competing with Microsoft. That you have not seen Amazon invest in direct competitors to Microsoft, such as in collaboration suites. Why Amazon never bought Zoom, for example, once their price dropped through the floor, I have no idea. And so I would like to see somebody decide to go up against Microsoft for like a full featured suite. Like G Suite's 70% of the way there. Why won't Google go the last 30%? Just drives me fricking insane. But that would be nice because then it would be nice if there really was a competitor there.
B
Do you think there's a role, do you think there's a role for regulators to sort of make that happen? Right? Because I mean we've seen similar action about like against Internet Explorer a million years ago. Right. We've seen action like that in the past.
A
Yeah. So okay, so for, I think where regulatory, where regulators should get involved is actually on the security front. Because the other thing, one, I think there should be work to make sure Microsoft is not both the arsonist and the firefighters. Right. Like now that I'm out of SentinelOne, I can say this. Microsoft is trying to completely dominate. They're trying to get rid of any independent security company. They're trying to take all of the revenue for all of the different. They want to get rid of Proofpoint, they want to get rid of CrowdStrike, they want to get rid of SentinelOne and they're just taking all of the revenue. And it's funny because you end up with CrowdStrike and SentinelOne and all those companies hating each other. And while those companies are fighting, Microsoft just gives away an inferior product for free with an email subscription.
B
This is the end of Gangs of New York all over again.
A
Right?
B
Right.
A
Yeah, exactly. Yeah, exactly. And so, right, you got the gangs down here and the WASPs taking over whatever, right? Yeah, exactly. So the inferior product is winning because they give it away for free. And so I think that is something that is. And what's the other thing that's happening right now is Microsoft is making technical decisions to do things like kick other security products out of the Windows kernel, using the CrowdStrike screw-up from last year as an excuse to do so.
B
And well, they haven't done that yet. I mean, they're, they haven't done it.
A
yet, but they're, they're, they're moving to do it now. I don't think it's actually going to happen because I don't think they're actually going to be able to implement all the things at a performance level necessary. But like they're talking about it, right? But that's the kind of thing that I think regulators can step in and be like, no, we're just not going to let you get rid of the entire independent security industry. And we're not. And right now what they can do is they can step in on the, competitive, on the giving away security products for free, right? Like, oh, you buy email and you give away everything. You get rid of all email security products and get rid of all cloud security products and you get rid of all EDR products because you guys give them away for free. And it's just impossible to compete with free. It is. And so as a result, you end up. The problem is Defender has the same security blind spots as the Windows kernel, right? Their email products have the same security blind spots. And getting rid of all independent views and all independent voices in the security world is bad. That's just a bad thing. And nobody talks about it. So I think that is the place where they are trying to build a monopoly and they just don't want anybody criticizing them, which is fine. I mean, I understand why they want that, but that is bad for the world.
B
All right, so final word from Mr. Krebs, who's been bobbing up and down in his seat while you've been talking, Alex. And then we're going to wrap it up. Chris.
C
So I agree that that's a big opportunity, particularly in the security space. It's just not a kind of a core area of emphasis. They've got great people in security research, security eng, MSTIC, all that, but it just does feel it's something that they figured out that they could throw in the bag and maybe pick up a little revenue with it. But to your point, it's not as good as stuff that's on the market. I really think, though, what's going to happen, or at least has the highest likelihood of happening, is not anything out of Congress, probably not anything near term out of the Federal Trade Commission, unless somebody at Microsoft pisses off the administration. I think what's more likely to happen is some element of government contracting and spending tightening up in the vein of DOGE, of look, taking a hard look at government contracting and identifying opportunities to reduce redundancy. And I think the greatest example, I've talked about it, Pat, on the show before, is looking at for instance the M365 contracts. And when I say contracts plural, there are a bunch of them. And the way the incentive structure is set up right now is it's really not Microsoft that's going to start winnowing down or necking down and getting people on, you know, a smaller set of contracts. And it's certainly not in the government side either because of the budget process. Now that could change as CIOs and CISOs are getting their, their contracts or rather their, their budgets reduced. And so they're going to have to start turning to someone that has a shared service model, whether that's CISA for security services. Could be a Department of Justice that offers some IT shared services, managed services out of the Department of Justice.
B
I mean, I mean, I will say, Chris, though, that that sounds like a fairly large bureaucratic effort. And I can't see this current administration hiring a bunch of like, you know, hiring a bunch of new bureaucrats to kind of do this work even if it makes sense and will save a bunch of money.
C
I don't know, I can't, I can't say. But they've spent money to cut money, I guess, already in the first several months of the administration. And I do think that if you look at the out years over a 10 year period, it's going to be just a significant windfall of savings. And look, just look to the north. Canada has done this now. Shared Services Canada, when it launched about a decade ago, was not a screaming success, but they have learned a bunch of things. They've got it. It's run by Scott Jones, who used to be my cyber counterpart, and it's actually a pretty successful program right now. And I think that we could at least bring it down as a pilot and get some of the micro and mini agencies on the civilian side off running their own metal.
B
Yeah, I mean the amount of like IronPort still out there is like wild, right? Like it's just mind blowing and most of it's in government. You know, I do wonder too, once you start centralizing procurement in the way that you're describing, I mean we've had various things like state governments and stuff in Australia do it. I'm sure it's the same in the United States. There's a lot of graft opportunities there. There's like, it's a recipe for corruption. Once you've got centralized procurement, I guess it's a, you know, at least you're centralizing the corruption as well because there's already procurement corruption everywhere. But I also wonder too that once you've centralized your procurement that way, there's other opportunities to do things like percentage caps on how much cloud spend can go to each provider. Right. So you're like, well, we don't like what you're doing. We're going to cut your share of total government cloud spending by 2%. And then you let the various agencies fight it out.
C
If I'm Google, I'm all over this because of the 101, 100 and however many federal agencies, I think there's only one that really runs kind of the full stack, GCP, and that's the, that's GSA, Government Services Administration. So I think that the opportunity is right there. It's a, almost said quick, easy win. It's probably neither quick nor easy, but it's gotta be done. It's just the status quo of government contracting, particularly for cloud services, it's just basic productivity services and contracts, cannot continue.
B
Yeah. And then that's a bigger stick. Right. And then maybe it means that you won't have Chinese engineers popping up in your gov clouds. And mind you, the announcement from Microsoft is that they're no longer doing this for DoD, but they did not say that they're no longer doing it for the rest of the United States government. Make of that what you will.
A
Or Australia.
B
You were talking before. You were talking before, Chris, about having to ask the perfect question. I think there's a few more questions that could be asked of Microsoft. All right, we're going to wrap it up there. Alex Stamos, Chris Krebs, thank you so much for joining me. This is the triumphant return of the Wide World of Cyber podcast. It's been great chatting to both of you. Thank you.
A
Great to see you guys. Great beard, Chris. Looking good.
C
It's the end of summer beard. Happy end of winter to you, Pat. Good to see you, Alex.
In this episode, Patrick Gray reunites Chris Krebs and Alex Stamos to tackle the ongoing and deepening issues surrounding Microsoft’s operational entanglements with China. From revelations about Chinese engineers supporting U.S. government cloud services, to Microsoft’s broader strategy in China and its implications for security and competition, the panel dives deep into both the headlines and structural market forces driving these risky business decisions.
This episode offers a timely, comprehensive, and unsparing look at Microsoft’s strategic entanglement with China—from the tactical (and hazardous) involvement of Chinese engineers in U.S. cloud services, to the structural market and regulatory dynamics that make such arrangements possible and difficult to remediate. With stakes this high and incentives misaligned, Krebs, Stamos, and Gray make clear there are no simple answers—only hard questions about competition, regulation, and the geopolitics of software.