CyberWire Daily - Microsoft EVP Charlie Bell on the Future of Security [Afternoon Cyber Tea]
Episode Date: January 1, 2024Microsoft Security EVP Charlie Bell joins Ann on this week's episode of Afternoon Cyber Tea. Charlie has over four decades in the tech industry, from developing space shuttle software to leading the c...reation of Amazon Web Services' decentralized engineering system and now leading Microsoft’s effort to make the digital world safe and secure for everyone on the planet. Ann and Charlie discuss AI, the Security ecosystem, and why he thinks speed and acceleration of problem-solving are so relevant today.  Resources: View Charlie Bell on LinkedIn  View Ann Johnson on LinkedIn   Related Microsoft Podcasts:         Listen to: Uncovering Hidden Risks Listen to: Security Unlocked  Listen to: Security Unlocked: CISO Series with Bret Arsenault      Discover and follow other Microsoft podcasts at microsoft.com/podcasts Afternoon Cyber Tea with Ann Johnson is produced by Microsoft and distributed as part of The CyberWire Network. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity.
I'm your host, Dan Johnson.
of innovation and cybersecurity. I'm your host, Dan Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring
you the latest insights, expert interviews, and captivating stories to stay one step ahead.
Today I'm joined by the Executive Vice President of Microsoft Security, Charlie Bell.
Charlie has over four decades of leadership experience in the tech industry,
from developing space shuttle software to leading the creation of Amazon Web Services' decentralized engineering system,
and now working here at Microsoft to make the digital world secure and safe for everyone on the planet.
Charlie relishes
big challenges and believes that bold innovation is possible with deep curiosity, continuous
learning, and an emphasis on rapid problem solving. Welcome to the show, Charlie.
It's great to be here, Anne. Thanks.
So Charlie, you've had this really extraordinary and absolutely inspiring career in technology,
and I would love for our audience to hear a little bit more about your journey.
So can you tell us how you got your start and then what ultimately led you to your role
leading the Microsoft Security Organization?
Wow.
Yeah, it's been kind of a crazy wandering path.
I started out as a programmer working on the space shuttle.
I wasn't doing the flight software.
I was working on the engineering world, doing
mechanical engineering and other things for payload integration. We put the payloads in the
shuttle. The shuttle was this space truck that goes up and down. And NASA figured out, oh my gosh,
we've got a lot of logistics to do here. We've got to strap things in, take them out. They've
got to have power. They've got to have signal. They've got to make sure they're not going to
get baked on orbit or they're not going to fall out the back. And there were all kinds of things that we had to do. And I had a lot of fun
writing that software. And then I was thinking about changing careers just because, well,
that's a rocket factory. They're building space shuttles. And all I'm doing is writing a bunch
of software on how to do things. And I was having a conversation with the guy in front of me who was
a flight interface engineer. He was actually doing the hard engineering of how do you actually put these things in?
And he said, oh, you ought to do what I do.
I said, well, I couldn't do what you do.
And my next one-on-one with our boss, because we both reported the same later, he said,
well, I think you're going to do mission 61 Baker.
And I didn't know what he was talking about.
I said, what do you mean?
He goes, you're a flight interface engineer.
You're going to do 61 Baker.
Apparently, the guy had talked to him, and they'd already worked that out.
So I got out of software software i was doing flight interface engineering
which was just a blast i mean i got i did a mission down in houston i worked a console
not not the glamorous thing in the mission support room it's an engineering thing where
you get all the problems and you have to solve them really quick but it was a lot of great
experience i worked with some amazing people on the space program. And then the Challenger happened, which kind of put NASA on its heels. It was tough. We were planning on ramping up to 40 flights a year, and suddenly we had a whole different software and ended up working for Oracle for seven years. It was a lot of fun. Oracle was great because my aerospace background,
I spent a lot of time with Boeing. It's actually how I got up here in the Northwest.
We were writing software for the electrical organization at Boeing, putting a database
under diagrams. It was a lot of fun. I wrote a lot of C code and I got tricked into doing
management at one point. Somebody came to me and said, well, you know, you ought to do this.
And I said, okay, I'll try it.
I didn't have a lot of desire to do it, but as I started to do it, I realized,
okay, I get to, I get to have a little more impact.
And then the internet happened.
That was a 1995 ish, 96.
I left Oracle to start a company.
It was called Server Technologies.
We were building an e-commerce platform.
And it was really cool.
We got going.
We were literally rolling for a couple of years.
We had customers.
Very exciting.
We had one engineer still bringing in,
because we're all self-funded, bringing in cash
by consulting with this little startup across the lake.
They were doing e-commerce and I needed him back. So I had a conversation with the CIO of that
startup. He ended up buying my company. That was Amazon. And so 1998, March of 98, the 12 of us,
so we were very small. It was nothing big in material. It was an aqua hire. He was basically
looking for the Oracle talent because they were using a lot of Oracle. And so we ended up, Marty was an Aqua hire. He was basically looking for the Oracle talent because they were using a lot of Oracle. And so we ended up over there at Amazon and oh boy, what a ride. 23 years.
I got the job. First job actually was running a customer service applications. That was actually
really interesting. But I was only doing that for a few months when the CIO there said, hey,
I need you to run infrastructure. And I thought, wow, that's the worst job in any company.
But okay, it's got to be fun. It's Amazon. I'll do it. And boy, was it a ride. I had so much fun
doing it. I learned all kinds of things. I learned all about networks and data centers and operating
systems, all kinds of stuff we provided. It was crazy. But what would happen, we understood that
there was this interesting problem that developers had to muck with infrastructure.
And they were all mucking in the same way.
So we built AWS.
And that was initially just pretty raw compute service, EC2.
And S3 was simple storage.
Actually, the very first one was the simple messaging service.
But that was so small and really didn't count.
The first two were those compute and storage.
Anyway, we did that. That was crazy. I got to see the whole cloud thing happen.
And I feel kind of lucky. I went through this, I saw the internet happen with e-commerce,
and I see the cloud thing happen. And what happened was it got to be a big deal. And
Jeff said he was going to retire. And it caused me to think a little bit about, well, at my age, I could probably do one more
thing that is important.
I could try something or I could stay and do this.
And both of them were kind of interesting.
And the more I thought about it, though, the more I thought that security was a huge problem
in the world that was just going to get bigger.
It's a very interesting problem.
And as you know, you're in this business.
bigger. It's a very interesting problem. And as you know, you're in this business. And I just see the future of this. I needed help and whatever I could add would help. And so I thought, so I was
talking to my wife and I said, well, I wonder where I would do this. She said, oh, you ought
to talk to Satya. She knew Satya. And so anyway, I ended up in building 34 over there talking to
Satya. And the more I talked to him, the more I realized, oh my gosh, Microsoft's really committed
to this problem. And there was already a lot of good work that had been done. And so,
this was in August of 21, I came over to work on the security problem. And it's been a hell of a
lot of fun ever since. Whenever I hear you tell your story, Charlie, I am reminded of Apollo 13, right? And some of the parallels to security because creativity, ingenuity, teamwork, never give up.
All of those things are things we think about in the industry.
So your experience in the space program is really relevant, as well as obviously married with your experience at AWS.
But it's relevant to problem solving and security and how we think about problems.
Absolutely. It's so true.
I mean, you tackle a very large problem.
I think it's easy to be daunted
by those very large complex problems
and think, oh my gosh, how's this ever going to work?
I have developed some confidence
that we are going to solve this.
You know, you won't ever eliminate the bad actors,
I don't think.
Maybe human nature will change over a years, I don't know.
But it's certainly not in our lifetimes.
But I think we can do some great things here to make it not the dominant thing in our lives.
Yeah, no doubt.
And you're coming up, as you mentioned, on two years.
And obviously, you had this really impactful and meaningful career before Microsoft.
So tell me, why Microsoft and why the
pivot to security? Well, like I said, I was looking at when I started thinking about, well, what is
the big problem in the world that I want to work on? And the more I thought about it, it's security
is the, I call it the mother of all problems, because almost everything we do in technology
can become a weapon in the hands of
someone. And so you think about all the advances that humanity has had, you know, since fire,
and everything that we create in the computer world and the technology world can be turned
around and used as a weapon. And so you can't really make the kind of progress we all want to
make unless we first solve this problem. So it's kind of the mother of all problems.
Unless you feel secure, imagine all the work that we're going to do to change the world of transportation.
We're going to have a lot of autonomous cars, and we're going to have all the rail that's driven by software.
And just all the transportation world is incredibly digital now.
Well, it's a surface area that makes you very nervous about what attackers might do to work power infrastructure.
You know, we've seen attacks on gas pipelines.
You know, one of the things we hate about ransomware is they go after hospitals.
And so when you think about this problem, until you solve this problem, we have to walk afraid in everything we want to advance because everything we add could end up being a new
source of problems. So for me, this was like the biggest problem of all. And the other thing that
makes it very interesting is you have a bunch of bad actors out there who are innovating to try to
create new problems. And getting ahead of that innovation, it's not like most problems you solve,
you solve the problem, you move to the next one, you know, you get this solution, you know, you
build a better car, and now you figure out how to digitize it and turn it autonomous and on and on.
But in security, everything you build ends up being twisted and turned by somebody else who's
trying to innovate. And so I think that makes the problem, makes it very difficult, but also challenging and therefore very interesting to tackle.
And so that was what's going through my head.
The other thing that I also thought about is, gosh, I know a lot about the world.
I thought about what is my experience going to be useful for?
Like, how can I be useful?
What is my background going to help?
And I thought, well, I know a bit about infrastructure and cloud.
And I know a bit about a lot of things. I know a lot about data and how it works. And I thought, well,
I also know a lot about services and operations and things like that. A lot of that all comes
together in security. So I felt, yeah, I would be able to help in this area.
There's no doubt, right? There's no doubt you have helped in this area. And I know
in listening to you and speaking with you, you consider it a great honor, a great responsibility to build technology in service for our customers.
And you speak with senior leaders at every company and every sector and every part of the world. So
can you tell the audience a little bit about some of the top security-related opportunities
and challenges you hear consistently from customers? How does that frame your strategy
and your thinking about what we need to do at Microsoft and also in this ecosystem that we think about when we think about collective defense and
security problems really being an ecosystem solved for the industry?
Well, by the way, it's one of the reasons I did, I thought, again, thinking about the problem
and how customers, I was talking to a lot of customers about this. The first thing is they,
it's too hard. I mean, when you think about the complexity
of the modern technology world, it's too hard to get it right. And so I think one of the big
problems they have is getting set up correctly. The analogy I've used is, you know, imagine
a football field. And by the way, I'll use the European and rest of the world definition of
football, not the American version where you touch the ball with your hands.
Odd to call it football.
But imagine you have this pitch and you can make it 20 miles long and you make the goal
two feet wide.
It gets a lot harder to be a very low scoring game.
And so that's what customers want.
They want to have everything set up correctly and not have to worry about the problem because
they know that they're set from the start.
And being a provider, you get to understand the latest.
You get to understand, for example, what is happening in containers or what's happening
in AI right now.
And you understand how it's evolving and how people are using it.
And that helps you protect it better.
And so that was one reason I came to Microsoft.
And also, by the way, the whole end user world, I mean, attackers go after people
because, sadly, we're the weak link in the chain.
And so having being a provider of productivity technology, of email and documents
and analytics and things like that, I think helps understand the problem better.
But that's what I hear from customers is just being better protected. And then the other problem they
have is as they try to build the way that they protect themselves, and of course they have to be,
the problem is attackers are moving ever faster. They're automating, they're moving with the speed
of machines now. I think the average, I think we said an hour and 17 minutes, I think was the
average time to goal for an attacker getting in now.
That's the average.
And so they're moving incredibly fast.
And so defending requires a very unified look at everything going on and the ability to move with machine speed.
And the problem that customers have today is most of the tools they can put on the problem, they're very fragmented.
Many of the customers I've talked to, they might have 100 security tools that they're applying to the problem. And so,
you know, we talk a lot about end-to-end, but it's basically getting one way of looking at,
you know, you take away some of the advantage the attacker has. The attacker comes from any point,
but if you can see the entire field, if you can see everything, then you get to employ everything
in the defense. And so I think that's the other
thing I hear from customers is getting rid of the seams in their defense and in their posture and
the way they're set up and really getting to one view of it. Yeah, look, I think that makes sense.
And to the point, we talk a lot about end-to-end and we talk a lot about having a cohesive
platform and visibility and the big problems we're trying to solve because with too many disparate tools,
you have seams, right?
And you have surface area you can't see
that's open for the bad actors.
And I know you know this.
And as you look to solve that,
I listened in on and participate
in a lot of the calls you have
with your leadership team.
And one of the things that always struck me
and I think is really poignant to security
is this leadership philosophy
you have around rapid problem solving. Can you tell us a little bit more about that and explain why
you think speed and acceleration of problem solving is so relevant, particularly in the
security space? Yeah, well, a couple of things. One is, as I said, it's the mother of all problems.
And so if you want to think of it is you got to be faster than the fastest innovation. So take the absolute tip of the spear in what's happening, and you've got to move that fast if
you want to protect. And so that's one driver of speed. We're seeing it play out in generative AI
right now. Microsoft's the first mover in this space, but we've got to move really, really fast
in the security world just to make sure that customers can confidently move forward with it.
But also, you've got to remember what I said before.
The attackers are constantly innovating.
Again, you have humans out there actively innovating all the time.
And so the speed that you move, you've just got to move faster than they do.
And so speed is everything.
The other thing I'll say is the nice thing about speed is you accumulate it.
And so the faster you innovate, the more quickly you get to the next thing and the more you can
build upon what you already did. And it's the way to think of it, it's like the first derivative of
the rate that you're traveling. So the speed of innovation is incredibly important.
And recognize that it's a community thing. There's no genius that's going
to figure everything out here. It's going to be a crowdsourced kind of view of all the ideas that
come in, and then make sure that you can quickly harness those ideas and get them in the hands of
the people who need them. Yeah, there's no doubt. And doing that rapidly, staying one step ahead of
the bad actors who are innovating and innovating with investment, right?
It's incredibly important.
Let's switch a little and talk innovation, right?
Microsoft has been in the news and internally hyper-focused on AI, which I've long believed is going to be a step change for the cybersecurity industry.
So, what do you think about the overall promise of AI?
And what global issues, even outside of security, do you think are going
to be addressed with AI? Well, the first thing I'll say is, we talk about the asymmetry of the
attacker, the fact that they come at us from any point. It's like first move in a chess game,
they get to move first. But we actually have an asymmetry too. The asymmetry on our side is data.
We get to see everything. Microsoft, we talk about the 65
trillion signals a day, but we have a tremendous amount of data. And as you see what's going on,
you can take what you see in one spot and you can defend everything with it.
So the data asymmetry, think of it as a big half of the solution to tilting things in our favor.
But the other half of it is to harness everything that you have.
And, you know, one of the challenges in security, it's been a very bespoke kind of industry.
You know, you have your experts in the network and experts in endpoint and experts in email
and each of the areas you operate in identity and access and privilege and everything else.
And so you get experts.
And the problem is to be great at security you've got to be over the whole thing.
Again, it goes back to what we said.
It's end to end.
And so it's very hard for us to get humans that can think, that system thinkers that
can get across all that and think about the whole thing.
And so we end up siloing and passing things, and it slows everything down for us.
The nice thing about AI is it's all discipline it doesn't care about a particular discipline it thinks about across all of it
and it thinks about it with lightning speed it it knows it can say oh i need to go look at the
access logs for x and pull a query and grab it and use that information to provide context for the next
action that it's going to take. And it does all that at machine speed. And so if there ever is
going to be anything that totally changes that asymmetry, it is AI. Because the fact that you
can harness everything you have and do it with machine speed now, that makes it very difficult
for attackers. Because remember, they do have a data disadvantage. They only get to see the surface
and they only get to see what the area that they've been able to get to. Because remember, they do have a data disadvantage. They only get to see the surface and they only get to see the area that they've been able to get to.
But remember, we see the whole thing. We just haven't been able to harness it all. And that's what AI
is going to let us do. I think that's a great way of looking at it.
And look, I think the possibilities are endless. And I've
said this so often, but there's also, you know, we want to cut
through hype. We want to cut through
noise. So to bring it down to today, you know, what security use cases are short-term? What's
real? And then maybe what's your future thinking? Well, oh, and you asked me before about other
things that we might apply that AI to. And that would take a long, long day, I think, to go
through. This is what's happening in Gen A.
You've seen it from Microsoft, all the things that we're doing.
But in security, I'd say we can use it for so many things, and it's advancing very quickly.
I think that one of the initial problems that we have to go to work on right away is what
I said, that you don't have the experts.
I think the number is three and a half million jobs go wanting in security just because we don't have the people to do them. And so I think the very first thing we go after
is the defenders, the people who protect and make them incredibly productive so that we have only a
few thousand jobs that go wanting. We'll feel much safer and much better. And so just making
defenders much more productive, being able to handle an incident and
be able to move across everything with machine speed, be able to go to the next step, go to the
next step, look at the next thing and do it faster than the attackers could ever do it. I think,
you know, those would be some of the first early use cases. I think posture is another one. I think
looking at the way things are set and configuration and just processing where, and by the way, the
priorities, because one of the things I love about the AI
is you can ask it,
which things should I work on first?
But just getting that side of it.
I think another place we're going to see right away,
these are all right away things that we can go after.
I think we're going to see it in how we build code.
If you go look at GitHub Copilot,
I'd like to say it's a security tool.
It's a developer tool,
but it's a great security tool
because it can write vulnerability-free
code and it can look at existing code and tell you.
Those are some of the early use cases.
It's going to get broader.
I think we'll get deeper into helping the business understand how to solve problems
in brand new ways.
Protecting AI is going to be a big, important part of it.
I think for those that
haven't followed what happens with Gen AI, you basically converse with the AI in natural
language. It's not an API. You don't say, get me this, put me this. You give a natural language
question and it processes it. And of course, that means that if somebody were able to get
into that stream, they can manipulate the AI. You can imagine if you have AI agents out there and bad actors are able to manipulate
those agents, that's a whole new world.
I think we'll use AI to defend AI.
One of the cleverest things I've seen is some of the applications of AI to basically spot
when somebody's trying to manipulate and protect them.
when somebody's trying to manipulate and protect their... And using AI in other ways to understand maybe where bad actors are attempting to use technology in a new way and pervert it to do
something wrong. And certainly, it's going to permeate everything we do to get set up correctly.
And one thing I've said often is that security and management are really two sides of the same
coin, security and availability.
A lot of the things you do to make sure that bad actors can't deliberately do something,
you also do to make sure that your people can't accidentally do. And so there's an awful lot of
things that we're going to be able to do in that space as well. That's fantastic. And you know,
I spent a lot of time thinking about the ecosystem. And you and I have talked about security,
management, identity as all things
that are important to us, but also a belief that it's a team sport, right? And that public-private
partnership is important. And us developing an ecosystem with startups, the enterprise security
community is also important. How do you think about that? How do you think of all of us coming
together for CollectDefense? Well, you nailed it, Anne. Again, it was what made me excited to come
to Microsoft. And I go back when I did my startup back in the mid-90s, I knew that I would need to
work. We're a startup. We're going to work on some technology platform. We're going to try to rewrite
operating systems and all that. And I thought about a few companies. And then I started talking
to Microsoft, but we were a Microsoft partner. Everything we built, we went from Oracle. We were all Oracle experts.
We built everything on Microsoft technology.
Why?
Because Microsoft, by its nature, was open to working closely with startups and other
companies, and it's been that way ever.
And so in security, it's so important because the space is so vast.
As I said, it's the biggest problem.
Security is so important because the space is so vast.
As I said, it's the biggest problem.
And in fact, I think we talk sometimes about the economic loss that happens in the security space.
It's like $6 trillion a year, which if it were a GDP, it would be like the third largest
GDP, be actually bigger than Japan and growing faster than India, which is the fastest growing
GDP in the top 20.
And so when you think about the landscape, how big this is, and how much help needs to
be brought to the problem, it's not going to happen from one company.
You know, Microsoft isn't going to be the answer.
It needs leaders, and it needs some ability to bring people together because of the fragmentation
problem we were talking about.
It doesn't mean that you need one provider. And it is going to
take a team. And by the way, partnership with government, incredibly important. I think the
work we do worldwide with different government entities and also the laws and how we make sure
that bad actors don't persist out there, I think are really important. But it's a partnership of
government, of organizations, large companies. You know, we work closely with the financial services because they're a really important part of the infrastructure, power infrastructure, and all of the ecosystem of ISVs and systems integrators and service providers.
It takes the community to really, and it is our advantage, by the way.
There's more of us than there are of the bad actors if we actually work together and we don't let them pick us off one by one.
Yeah, I think that's right.
And I think only together, right,
are we going to solve this problem.
As you said, it's a huge landscape
and no one can do it alone.
Well, Charlie, I want to thank you for chatting with me.
I know how busy you are.
And despite the rise in cybercrime,
I'm always an optimistic, right?
I believe cyber defenders are more often than not
multiple steps ahead of the bad guys.
I try to be incredibly optimistic and that's why I get out of bed every day and do what I do. And I know you are too. So as we wrap, I would love to hear why you're a security
optimist. What is your perspective on how we continue to come together and defend our digital
world? Well, I am. And that's why I got into it. If I thought it was a lost cause, I'd probably spend my time on something else.
But I think partly because of this change, we're seeing a lot of capability from cloud
and huge changes in what we can do with AI.
And that's been apparent for a while.
And so I think that, like I said, I think the asymmetry is changing.
I think that we do have the data advantage and we certainly have the AI advantage
because of that. And so I think inevitably we'll get ahead of it. The question is how fast can we
get to this better world? I mean, you think about it. I saw some estimates that said by 2030,
if we don't turn the tide on this, you'll see the take being bigger than the US economy.
And the world just has too many problems,
you know, to go solve, to be wasting our resource this way. I mean, imagine what,
imagine what $6 trillion a year would do for climate change, for sequestering carbon or
something like that. So we've just got a lot better things to spend our time and effort on.
And I feel good. The defenders as a community, as an ecosystem, that we're going to turn this
around. And it's,. And eventually, it's
going to be something most people, most of the
bad actors just don't want to waste their time doing.
They'll do something a little more useful.
Completely and totally agree. And it's one of the
reasons AI is so important because
we do need to close that
staffing gap. And one of the ways we can close
it is by automating everything
so that by 2030, we're not in that position.
Charlie, thank you so much
again for taking the time to join me today. Oh, thanks for having me. Really appreciate it.
And many thanks to our audience for listening. Join us next time on Afternoon Cyber Tea.
It was an easy decision to invite Charlie Bell to be on Afternoon Cyber Tea. Charlie is leading
the entirety of the Microsoft Security Division. He's responsible for everything and his vision and the way he works and his optimism and his
philosophy. He's just this incredibly talented executive who always brings the right attitude
and perspective to the work. And it was an engaging conversation and I know the audience will love it.