Risky Business - Wide World of Cyber: Microsoft's China Entanglement

Episode Date: August 25, 2025

The Wide World of Cyber podcast is back! In this episode host Patrick Gray chats with Alex Stamos and Chris Krebs about Microsoft’s entanglement in China. Redmond has... been using Chinese engineers to do everything from remotely supporting US DoD private cloud systems to maintaining the on-premises version of the SharePoint code base. It’s all blown up in the press over the last month, but how did we get here? Did Microsoft make these decisions to save money? Or was it more about getting access to the Chinese market? And how can we all make the world’s most important software company stop doing things like this? Tune in to the Wide World of Cyber podcast to find out! This episode is also available on YouTube.

Transcript
Starting point is 00:00:00 Hey everyone, and welcome back to the Wide World of Cyber Podcast. My name is Patrick Gray. The Wide World of Cyber Podcast is the one where we chat with Chris Krebs, who is the founding director of CISA, and Alex Stamos, who has held various CISO posts over the years, including with Yahoo, with Facebook, and most recently with SentinelOne. And we chat about some big picture stuff in the cyber security discipline. Now, this podcast used to be sponsored by SentinelOne, where Chris and Alex both worked.
Starting point is 00:00:38 But some things happened. We won't go into it. But, you know, their involvement with SentinelOne didn't quite work out due to various actions in the Oval Office. So this podcast is no longer sponsored by SentinelOne. And to be quite clear, that was my choice. I wanted to keep doing this podcast with Chris and Alex, and since they don't work there anymore, the only option for me was to take this sort of outside of the SentinelOne sponsorship. To be clear, clear, clear, clear, SentinelOne have been absolutely fantastic about all of this.
Starting point is 00:01:10 And indeed, they are now sponsoring us to produce a documentary series about hacking through the 1980s, 90s, noughts, tens and 20s. And we're working on that right now. So no hate to SentinelOne, please. They've been class acts the whole way through this, and yeah, so there we go. All right, so gentlemen, welcome back to the Wide World of Cyber, for starters. It's great to have you both here. And what we're talking about today, we're really talking about Microsoft and China, and the problems that China is creating for Microsoft,
Starting point is 00:01:46 and I guess, you know, trying to divine why things might be the way they are right now. So let's just start with the digital Sherpa story. This is something that we've covered at length on the main show. The upshot of this story is that Microsoft engineers in China were being used to support, like, DOD Microsoft cloud instances in the United States. And no one seemed to really know about this until ProPublica ran a story about it. Let's start with you, Chris. Like this seems, I mean, look, everybody had the same reaction, right?
Starting point is 00:02:22 Which was this was really bad. Of course, we've got updates in this story that are very recent, so we're not just rehashing stuff that happened a month ago. But for those who aren't familiar with the story, like let's just give a quick recap of what we learned when this story first broke. Yeah, so a few weeks ago, Renee Dudley over at ProPublica, you know, dropped this bomb that Microsoft had been using, as you laid out, Chinese-based or Chinese citizens, effectively engineers, to write code, updates that would then be kind of laundered or washed through U.S. citizens with presumably security clearances, but perhaps not at the same technical competency level.
Starting point is 00:03:01 And they were then taking the updates and then pushing them into the government cloud that was deployed, not just at DOD in the Pentagon, but also, at least according again to Renee's reporting, into some of the civilian agencies, the dot-gov agencies. So a pretty shocking story all around. I mean, it fails every single common sense test, I think. It really doesn't make a whole lot of sense to me how this was even initially approved or how it even passed kind of the governance process at the beginning inside Microsoft.
Starting point is 00:03:36 And certainly, if anybody at government reviewed this and said there was a good idea, I think they need to get their head checked. So I think that's the quick and dirty on it. Well, we've got some more information recently about where this was disclosed, how it was disclosed, how it kind of wasn't disclosed. We'll get to that in a minute.
Starting point is 00:03:54 But Alex, you know, you've been a CISO for large organizations. You know, you would have come across this sort of digital escort slash digital Sherpa type of arrangement before. You know, it seems like the way that it works is that, you know, or the way that it worked in this instance is, you know, the Chinese engineers would have sort of read-only access and they would instruct the escorts to run various commands and whatnot, which is all well and good until you realize, until you see the recruitment ads for the digital escorts where it's like, we'll pay you $18 an hour. Technical skills, not necessary. And all you need is a security clearance and come on in and you can do this job, which seems not great. But that's the typical arrangement, isn't it? With the digital escort stuff, that's the way Adam Boileau described it when he'd done that sort of work previously, when he'd be the escorted engineer. It's usually like a read-only thing. You give the escort commands,
Starting point is 00:04:47 they run the commands. Yeah, copy and paste this into the high side shell. I've seen this, and I explicitly said no to it, right? So, you know, like you said, my last CISO job as of last week, I was the CISO of SentinelOne. As you said, just because it's the first time we're doing this, I just want to make it completely clear. My departure from SentinelOne was completely friendly, and a decision I made. I made that decision because as of the day that this is airing, I'm starting at Corridor, which is a startup that two of my smartest Stanford students started, and I just, I'm in the middle of a midlife crisis, and I thought, hey,
Starting point is 00:05:23 I'm going to do a startup with some young people. Well, you already own a boat, right? So this is next. Exactly. Right, right. It's like, that's the standard midlife crisis thing is the boat. I've got the boat. So let's do the startup, right?
Starting point is 00:05:35 And to be clear, my departure from everybody saw mine on LinkedIn. And mine was the same way, nothing but good feelings on the way out with SentinelOne, Tomer and the team. Yes. Yeah. Except, yes. Chris had external things that pushes the session. This was just me.
Starting point is 00:05:51 A different kind of midlife crisis going on here. This is just, you know, me wanting to try to do the startup thing again with some really cool people. But anyway, but yes, so at SentinelOne, you know, we have, do a bunch of government work and we have FedRAMP, right? So, you know, to get a little more specific here, you know, there's classified work, which are called ILs, integrity levels.
Starting point is 00:06:16 There's like IL5, IL6, which includes classified work. What we're talking about here is not classified. It's FedRAMP, and FedRAMP Moderate, FedRAMP High are the ones you usually talk about. And at SentinelOne, we hit FedRAMP High, and it's a real pain. Even though it's not classified, it's a real pain in the butt, right, to do FedRAMP. And especially for a multinational company, because normally your cloud work, you're doing follow the sun, you have DevOps engineers who are awake based upon where they live, who you have PagerDuty set up that, depending on who is awake at any moment, they're catching
Starting point is 00:06:51 any alert and they're dealing with it. And yes, you might wake anybody up at 2 a.m. depending on what's going on. But hopefully, you know, you're able to do 24-hour support based upon being an international company. And, you know, generally with the FedRAMP rules, you have to support people only with American citizens and at the highest levels of people with actual security clearances.
Starting point is 00:07:13 So I understand, you know, how that can be a pain. And it's also just difficult to find people with all the experiences you need with the proper background. And you have to pay them a lot of money, right? Well, Microsoft has a solution to this, as it turns out. Right, and apparently they have a solution, which is you break the rules, right? So, like, I explicitly said no to a situation like this, and it wasn't Chinese employees. It was, like, Swedish employees, right?
Starting point is 00:07:38 Or Israeli employees. Like, for Microsoft to say yes, I mean, it's pushing the line to let even, like, people who live in NATO countries to do this for the United States. To allow Chinese employees to do this is just, I mean, mindblown.gif, right? Like, I cannot believe that anybody who knew what they're doing would say yes to this. Because as you and Adam pointed out, like the digital Sherpas here from the ads had no idea what they're doing when they're overseeing these Chinese technical employees. There's no possible way they knew what they were doing and that they would possibly be able to oversee. Well, I mean, I think Adam was overseen, I think when Adam was over there doing this sort of work, he was being overseen by some junior at IBM who had no idea what Unix sorcery he was asking him to cut and paste into a console somewhere, right? I mean, there's no amount of money you could pay me to try to oversee Adam Boileau, like to copy-paste something that Adam would give me to copy into a terminal.
Starting point is 00:08:38 There's no possible way. I would be responsible for that and certainly not like a junior person in IBM, right? So, like, this is just, it's crazy talk. And that, again, that would be true for somebody from a, from, you know, a NATO country, from Israel, from a country that, you know, the Czech Republic, a country that's like kind of in, kind of out, for the People's Republic of China, the number one adversary of the United States, it is just completely and totally unacceptable. for Max Saututonnes. I take your point. I think the only other countries where you would accept engineers from those countries would be other Five Eyes countries, because there is that sort of very special relationship when it comes to government information, signals intelligence, things like that, right?
Starting point is 00:09:28 But even Italy, Greece, you wouldn't, right? The French, no. No, Greece would be okay, my way. Of course, of course. Yes, of course. Mr. Stamos. No, no, of course. The Five Eyes would be, right, is probably the place, people of Five Eyes clearances,
Starting point is 00:09:41 would be the kind of place where you'd probably be fine with it. But, and maybe in other situations, NATO countries, right, are the kind of things, if you got approval from your government sponsor. But there's absolutely no way. There's no possible way you could go to either a civilian or military government sponsor and say, hey, I have an idea.
Starting point is 00:10:02 We're going to get people in Beijing to do this work, and then we're going to get somebody for 18 bucks an hour with no technical skills just to copy and paste it. How does that sound? There's no possible way. As a guy who had to, like, fill out paperwork to do this stuff, and, like, they give you huge crap for, like, trying to patch things. There's no possible way that anybody in the government said yes to this.
Starting point is 00:10:23 Now, now, I should point out, too, this is our second turn at recording this podcast, right? Because we recorded the original version of this podcast last week. And then a whole bunch more information came out and we're like, well, looks like we're having to do it again. Which is why you're both sitting there on your Sunday evenings recording this with me. So what we did find out was Pete Hegseth announced... Our wives love you, Patrick. Pete Hegseth announced when all of this broke, and it was the appropriate response.
Starting point is 00:10:50 He said, that's it, like, this is not acceptable. We're nuking all of this. We're ordering a review. And the part that I thought was a bit funny is we'll come back in two weeks and this will have been sorted out. I mean, you know, that's not realistic. But that said, they have managed to find out and sort of disclose certain things about the scope of all of this activity. And the one interesting thing that has come out of all of this is that it looks like Microsoft had not appropriately disclosed this to DoD. They had, you know, various documents they were supposed to lodge, which would describe things like support arrangements and stuff. And they did, I think they did describe digital escorting procedures, but they failed to mention that it was Chinese staff who would be doing that. That seems fairly ridiculous. Like, it is crazy in my mind that if you're the Department of Defense of the United States, you would have to ask them, hey, by the way, are you planning on using Chinese nationals in Beijing to do
Starting point is 00:11:47 this work? Chris, you know, you've worked in government. You've been in the inside. When you've seen this latest news come out, you've read through it. I mean, I'm guessing this is like mind-boggling round two, right? I think the best quotes in all the articles come from former DOD chief information officer John Sherman. I think he had one point, you know, he mentioned the common sense test. But he also says, this is essentially a matter of not asking the perfect question of the vendor with the very specific conditions and prohibitions. And I think to your point, like, who in their right mind would ever think, oh, no, we need to be very specific that they cannot use Chinese nationals sitting in Beijing, perhaps formerly MSS agents? I don't know if they are or what, but I can only
Starting point is 00:12:36 imagine what the recruiting process was like once this kind of thing made its circles at the MSS. But, you know, the complexity of managing cloud infrastructure and the commercial sectors, you know, just mind blowing in and of itself. And now once you start mapping it over into the private sector, or rather into the government sector, with all the various overlays and controls and processes that are in place. And then trying to mash them up together, I think that's what we're seeing here. Again, it's just a bunch of gaps, things that missed, a failure of governance, and I, you know, just trying to close the deal. Like getting that contract closed that, you know, we remember in the first Trump administration, the back and forth
Starting point is 00:13:22 on the JEDI contract was potentially a billion, no, what was it? What was it, 10 billion, 20 billion in cloud service sales into the DOD that was back and forth between Microsoft and Amazon and then Oracle and, you know, all these back and forth. So this stuff is, this is, this is, this is the new kind of commercial battleground. And, you know, it looks like some, some cheeky phrasing in the system security plan or program that made it through. Well, I mean, I love how Amazon is trying to make hay here, which is they just are sticking their hand up immediately saying, we don't use Chinese engineers. You know, they're being totally pick me. Pick me. Pick me. Well, that's the important context here, right? Is that like Microsoft's clearly doing this to save money. And the
Starting point is 00:14:07 Well, hang on, hang on, is it? And that's an interesting part of this conversation, but do go on. I don't, we don't know that that's why they're doing it. I mean, okay, so the important big picture context here is that Microsoft and Amazon, to a much lesser extent, Google are part of a huge fight for government cloud services, right? And Microsoft winning a bunch of government cloud contracts from Amazon was very controversial. There have been all of these lawsuits. Contracts are won, which is normal in the government contracting world, is whoever loses immediately goes to court and sues, saying, you know, that this was given out incorrectly, yada, yada, which is very controversial because that always drives up the cost of any government contract, is the loser never giving in? And so if I was Amazon, it is completely reasonable for them to say, you know, that Microsoft won on a lie. Chris, like how much is Google being, is playing on the high side here? Because I know Amazon, it's a huge focus on GovCloud.
Starting point is 00:15:10 I don't know how much Google is trying to get in. The classified side of the cloud, there are some existing contracts that AWS has had at CIA and elsewhere for years. Yeah. There's an emerging requirement for a broader intelligence community cloud that's at an impact level that would service, I believe, SIPRNet, which is at the secret level. And whether that then pulls in JWICS, which is the top secret and above, I don't know what the timeline is there. But those are going to be massive contracts, huge billions of compliance requirements.
Starting point is 00:15:47 And the problem is, if I'm sure a bunch of the listeners or viewers have served in the military, in the US or elsewhere, or even in the reserves. And they've seen how long some of this classified equipment sticks around. It doesn't get refreshed every two to three years. It's just not how it works. I mean, some of these systems can be much older than that.
Starting point is 00:16:10 So it's a huge ballgame, and everybody's going to be shooting for that. And so I think this is maybe even a great leveler creating additional opportunity for GCP over the next several years. Well, look, look, I want to shift tack just for a moment because we've had all of this other stuff come out as well. Now, of course, in the last couple of months, there's been a bug in SharePoint getting exploited by Chinese threat actors. This is fairly well established, that it's Chinese threat actors behind this. There was some speculation that this was
Starting point is 00:16:46 there was a leak out of the early-access vulnerabilities program that Microsoft runs, called MAPP. As a result of that, Microsoft has just announced that it's kicking a whole bunch of Chinese organizations out of the MAPP program, which they've done before. They did it after Hafnium, when the same thing was alleged
Starting point is 00:17:04 to have happened. And, you know, when this whole thing broke, I actually went and had a look at, like, who's actually in this MAPP program. A lot of Chinese firms, right? So the idea that there could have been a leak there, not so surprising. So Microsoft actually trying to, you know, make that circle a little tighter, makes a lot of sense. But then I think it was also Renee Dudley at ProPublica, who's just got excellent sourcing on all of this, also wrote a story pointing out that it looks like Microsoft China actually maintains, at least to some level, maintains the code base for SharePoint on-prem, which is the product that has this bug in it. So I don't know that like tightening the circle on MAPP is going to quite get it done here
Starting point is 00:17:44 when you've got a Chinese engineering center actually maintaining this product. Now, when you try to figure out how many Chinese engineers actually work for Microsoft in China, it's not entirely clear. You get varying numbers. Some are like, well, there's 9,000 for their APAC engineering center, and most of them are in China. So we don't have an exact number. I don't know that those numbers would encompass, you know, subcontractors and various support firms and other arrangements.
Starting point is 00:18:09 And I'm not going to spend three days reading Microsoft earnings reports and disclosures to find that out, if I'm honest. But safe to say, there's a lot of Chinese engineers working for Microsoft, right? So the question becomes, Alex, you said they did this for cost reasons. But surely there's more to it than that, because there are plenty of places. Like, Microsoft is, sorry, China is not as cheap a country to do business in as it once was. I mean, the GDP per capita in China is roughly the same as it is in Brazil. You know, this is not a country with a tiny economy anymore. So really, like, how did we get here?
Starting point is 00:18:48 And, you know, understanding that you don't work for Microsoft, I mean, Chris used to, so we'll obviously get his thoughts here as well. But how do we get here? How do we get into this situation where there's thousands of engineers working for Microsoft in China, supporting codebases used by the U.S. government and doing support into Department of Defense clouds. Like, it seems wild, and it can't just be for cost savings. Yeah, I mean, cost has to be part of it, but you're right.
Starting point is 00:19:15 Like, China is the country that every tech company has to make incredibly challenging ethical decisions about it. Like, every company is the place that Google, that hacked Google famously with the Aurora attacks, Google had to pull out, and that has been a defining moment in Google's history, a positive one from an ethical perspective, a negative one from a financial perspective.
Starting point is 00:19:43 It is the country that Apple decided to ship their phone into and has now, you know, everything that Apple says about privacy and safety and security falls apart with China, and now they find themselves in a very difficult situation caught between China and the Trump administration from a supply chain perspective. And for the enterprise companies,
Starting point is 00:20:03 for Microsoft and Amazon and the cloud companies, China has been a very challenging place in that multinationals and Chinese companies want to be able to do business in China, but to do so, you have to make some kind of compromise with the PRC. And Microsoft and Amazon have handled that
Starting point is 00:20:25 in slightly different ways. Both of them have instances of their cloud. But Microsoft has gone full in to China, right? And they have serviced the Chinese market, just like any other market. And not only does Microsoft Azure operate there, but they are, you know, they treat Chinese companies like you did with MAP.
Starting point is 00:20:49 They treated Chinese security companies like any other security company, and they have just decided to pull back. Where Amazon, I think, was much more careful of here's Amazon Cloud, but like if you look at the Amazon Cloud instance in China, you know, there are a gazillion things, warnings of like, if you run your stuff here, this doesn't work, this doesn't work, this doesn't work, and effectively we do not give you any kind of security in these ways, right? And Amazon, like I'm pointing out, we're not doing the digital Sherpa and such. And I'm pretty sure Amazon was not doing this kind of development there. So I think Microsoft just made the decision of we're going to treat China as a market. And to do so, you have to also treat them, you have to hire people there, you have to treat the country there, you have to send Brad Smith to go shake Xi's hand and to go to conferences, and you have to have executives in the country. And part of that is you can't hold them at arm's length in the same way that other companies do. And so, like Apple, Microsoft, I think, made that decision to bring China in house and to treat them like a normal country, and they now are dealing with the after effects, where Google and Amazon and some other companies
Starting point is 00:22:06 held them at arm's length and found some way to make money there, but not all the money, and they are going to have the benefit of being like, these people, this country is not, we choose the West, right? Like, we choose, and that's not necessarily a moral decision, but they recognized you can't both choose the West and choose China at the same time. You have to pick a side. So, hang on, hang on. Your argument here is essentially that Microsoft's presence and, I guess, embrace of China is largely about market access. Yes. It's about market access, yes. And servicing companies that are multinational, right?
Starting point is 00:22:47 And I think that's also a difference between Microsoft and Amazon, is Amazon, you know, obviously they have consumer businesses in China. Amazon's service of corporations is mostly cloud services, whereas Microsoft sells all kinds of software and services to business, businesses that also have Chinese positions, right? So if you're PricewaterhouseCoopers and you have a humongous China office, you want those employees to have 100% of the same experience as your European employees and your Australian employees and your Indian employees. And so I think part of it too is if you're Microsoft and it's the 90s and China has entered the WTO and you're making the decision of you're looking at the big global aspect. And you're like, China is now a
Starting point is 00:23:33 full member of the international community. And you're going to, you make a full, throated embrace of China. It is because you have decided that you are going to support the entry of China into the global world because you're supporting the multinational companies that are going to operate there. And that is part of probably their success. And Microsoft effectively has a monopoly in a certain types of corporate enterprise services, right? Like, as I love that I get to use G Suite every day, I'm in my past company, in my future company, we use G Suite, we do not use Microsoft 365,
Starting point is 00:24:11 but that is not true for any insurance company in the world, right? That is not true for any large auto company. That is not true for almost any large multinational. They're all Microsoft customers. Microsoft hasn't been up. Yeah. And so, and that's just the, that's just the reality. So Chris, I want to bring you into this. You know, you worked at Microsoft
Starting point is 00:24:31 before you stepped into the role spinning up CISA. You know, is what Alex has just said there. I mean, does that vibe with your understanding as someone who actually worked there? Well, so I was actually a part of the Trustworthy Computing team that was up under Brad Smith that Alex had mentioned earlier that was run by Scott Charney. It was effectively responsible for going out. I wasn't on that team, but there was a whole host of lawyers that would go out globally and negotiate various deals on the policy side in national capitals all around the world. There's one program, in addition to MAPP, that they would run as the transparency centers,
Starting point is 00:25:11 which are dedicated, basically clean rooms that would host certain codebases across various Microsoft offerings that would allow access by government employees to come in and run certain tools that were approved by Microsoft against the code to see if there were any backdoors built in by the NSA or CIA or whomever. It was a really interesting program. There were a lot of hard negotiations, but there were countries that would just by the pure fact of Microsoft saying, yeah, we'll set this up for you and you can, we'll build it and you can come in.
Starting point is 00:25:47 That was enough. Like they never would look at the code. They would just say, okay, if you're willing to go this far, we're going to take your word for it. Or at least you've called their bluff. That's good enough. Well, it's funny that Microsoft has done this because, you know, back in the day, this was, I mean, back in the day, what, eight years ago or whatever, you know, Kaspersky tried something
Starting point is 00:26:04 similar with its transparency center in Switzerland and whatnot. And it's, I don't think it really worked in that instance, but it seems like it does work for Microsoft here because it's a U.S. headquartered company. So it's interesting in that Microsoft is probably one of the only companies in the world, frankly, that could pull it off. that could actually build it, not have any real impact to the stack or the code, and then at the same time build trust with customers, government or commercial, in part just because the complexity of the code alone.
Starting point is 00:26:41 I mean, Microsoft has a hard enough time as we see compiling Windows. So it would be really challenging for a government engineer to come in, And do what? Like, you can't memorize all of it. You can't take anything out. Yeah. Yeah, here's a few terabytes of code that, like, some of it was written in the 80s by people who are now deceased,
Starting point is 00:27:05 have had it. They're not deceased. They're just, like, SVPs. Damn. But hang on, hang on, Chris, Chris, Chris. I want to ask you, though, like, just pulling it back to that analysis of whether or not you believe that Microsoft was treating China like any other market, as Alex argued. I mean, did you get that sense when you were there?
Starting point is 00:27:26 So first off, again, going back to the Transparency Center, a lot of that was in the wake of Snowden, where there was this overriding concern that the NSA was using all U.S. companies that operated globally as a proxy, or at least as a front for operations. Now, do I think that there's a bigger concern here just from the multinational aspect, I think apps, you know, we see this all the time talking to European customers, right? European customers don't have the same trepidation of going and operating in China or working with Chinese companies that American companies have. Do I think it's catching up a little bit? Yeah, I think certainly with the current Trump administration
Starting point is 00:28:11 that is going to put a lot of friction points in between anybody doing business with China. That's all going to come back around. So maybe this moment of Microsoft working closely with China, having the 21Vianet, Gallicake, whatever fork of Azure operating in China, maybe that kind of opportunity space, that window is closing pretty rapidly. But at the same time, you know, what looks like a window or a door slamming shut, all of a sudden turns into an opportunity somewhere else down the road. I mean, just look what happened here with Intel and the 10% stake that the U.S. government now has in Intel when just two or three weeks ago,
Starting point is 00:28:55 there was a call for Lip-Bu Tan, who is the CEO of Intel, to step down, to resign because he was conflicted because of his Chinese wings. Now the government, so I, look, government affairs right now, particularly being in-house government affairs, is a very, very difficult job. You really don't know what's going to happen one week to the next. There's just a lot of twisting in the wind out there. And it's creating all sorts of havoc in boardrooms and in C-suites. Well, I mean, I got to do a meme on the Intel thing, which I was quite proud of, which was the Drake meme, which is MAGA be like, you know, socialized medicine, no thanks,
Starting point is 00:29:34 you know, socialized Intel processors. Now we're talking. So look, the- I'm thinking back to my history class. What is it called when a government owns the means of production? In the 20th century, we had a term for that. Well, my joke was we must seize the means of computation. But anyway, let's...
Starting point is 00:29:52 So just running this back, though. Like, GlobalFoundries was a failed experiment, right? The dedicated fabs in the US providing specialized chips to the IC, to national defense utilizations. I just, I wonder if there's a market enough to really support this. And we've played this game before. We'll see what happens with that. Yeah. Yeah. So look, I mean, then the question becomes where to from here. Now, I remember
Starting point is 00:30:21 when was it, like late 2023. I was in Washington, D.C., and I wound up doing sort of like a guest lecture or Q&A in Jason Kickeda's class at Johns Hopkins University. And, you know, we're just sitting there sort of noodling on some of the big topics in cybersecurity. And when it got to Microsoft, you know, one thing I came up with kind of there is like, you know, we got Microsoft problems, like whether it's this China stuff or whether it's them not appropriately maintaining some sort of products, right? The point is just Microsoft does whatever the hell it wants. And the US government doesn't really have that much leverage on them. You guys are like, oh, well, maybe they can withdraw some contracts from certain areas. That's very difficult.
Starting point is 00:31:02 It's extremely difficult when Excel is a Microsoft product and it kind of runs the world, right? Like this is the fundamental building block of all commerce and government is, sadly, Excel spreadsheets. So really the question becomes, you know, what do you do about it? And there's two things to my mind that can be done here. One is that you need to lobby Microsoft. You need to treat it sort of like it's a state. You don't have, you know, a huge amount of leverage. Same as you don't have a huge amount of leverage over a lot of countries.
Starting point is 00:31:34 But you can sort of lobby them. You can kind of carrot and stick them, try to guide them into doing the right thing. I don't know that that's been terribly successful because it has, it seems like it has been tried. Then the other issue is, again, going back to the Excel thing. You know, what would the world look like? What would Microsoft look like if all of a sudden, you know, M365 had to be available through some sort of Google app portal so you could have your GCP with Office? What would the world look like then? You know, would it, I'm guessing there would be some fairly disastrous security consequences on one hand in that those integrations are never going to be as good
Starting point is 00:32:09 as a top-to-bottom stack provided by one provider, like in the case of Microsoft. But I'm guessing in other instances, it's going to make Microsoft compete. It's going to make Microsoft do things better. So the question is, where to from here and how much of this issue do you think, you know, these negative things, how much of it do you think stems from the fact that Microsoft doesn't really have to operate in as competitive an environment as is appropriate? Let's start with you again on this, Chris. And then I'll get your thoughts, Alex.
Starting point is 00:32:39 I think to the point of kind of the sparing the rod in the past with Microsoft has not been terribly successful. The Cyber Safety Review Board report from a couple years ago was, I think, one of the first really impactful ways to get, since at least the turn of the millennium, frankly, with the actual launch of trustworthy computing in 2003 era. But the Cyber Safety Review Board really called out a number of glaring failures, not just in security processes, but in kind of a, from a leadership perspective, in the tradeoffs they were making between sales and security engineering. And so then you get the launch of the Secure Future Initiative, SFI, right? And the 20 or however many deputy CISOs they've got. And, you know, a lot of them are friends. A lot of them are really great people. And, you know, from what I've heard, there's been progress there.
Starting point is 00:33:37 So maybe it takes that calling to the carpet. And, you know, lobbying, one way to lobby is to call people out. I mean, that happens all the time. That's more on the oppo research, kind of got the wet work of lobbying, at least in D.C. But this is the stuff that I've, you know, that I contend has not worked. I think it's certainly made, Microsoft has changed behaviors and practices. They've spent, I think, a good chunk of money. Now, whether if you just want to say that's a wrapper and,
Starting point is 00:34:07 in security theater, okay, we'll see what happens. But when you just look at the sheer size, scale breadth of Microsoft, the things that they do, the places they sell, the things they sell, it's really hard to turn that, I think, entire operation around very quickly and effectively the aircraft carrier. But do you think, do you think, you know, some fine-tuning of the competitive environment here would make a difference? Could. I don't think it's going to happen. I mean, that's the other thing, right? It's the political
Starting point is 00:34:40 environment within which we're operating right now that is very, very pro-business, which is, you know, typical of Republican administrations, at least in the U.S. I don't really see a lot of regulation coming down the pike. I mean, you have that same approach from the first Trump administration where, you know, for every new regulation, you have to get rid of two. And I certainly don't see them wasting cycles on, you know, a cybersecurity or any sort of self-reliability regimes. Well, hang on, hang on. They're bringing back plastic straws. Maybe we can have better cloud computing in exchange.
Starting point is 00:35:18 I mean, how does that, you know, what do we think? But that's, yeah, look, this is not, this isn't breaking the top 100 priorities in this White House. And look, they've got their priorities. Cloud ain't one of them. I think personnel also is policy. And so it's going to be some time to get these confirmed members of the president's tech team in place. You've got Mike Kratsios, who's the OSTP head.
Starting point is 00:35:48 You've got Sean Cairncross now, who's the National Cyber Director. Waiting on Sean Plankey, of course, is the assistant director. We now have a new deputy national security agency director, and it's not clear who's going to lead that, Cybercom and the NSA. So still lots of personnel question marks. And in the meantime, I suspect the careers that are sitting in place there are just kind of in a holding pattern. Yeah. What are your thoughts here, Alex? Where to from here, I guess, is the question. I mean, I think we need more competition, right? And so, I mean, the nice thing here is for this specific screw up, is it an area in which there's a lot, there's actually are competitors, right?
Starting point is 00:36:31 You know, Amazon is a direct competitor with Microsoft in the services that we're talking about here. So if the government wants to not purchase cloud services from Microsoft, at least in the places with such direct competitors, that's great. I would love to see, it is shocking to me that you have not seen Google continue to invest in some of the areas in which they should be competing with Microsoft, that you have not seen Amazon invest in direct competitors of Microsoft, such as in collaboration suites, in why Amazon never bought Zoom, for example, once their price dropped through the floor. I have no idea. And, you know, so I would like to see somebody decide to go up against Microsoft for like a full featured suite. Like, G Suite's 70% of the way there. Why won't Google go the last 30%? It just drives me freaking insane. But, you know, that would be nice
Starting point is 00:37:31 because then we could, it would be nice if there really was a competitor there. Do you think there's a role, do you think there's a role for regulators to sort of make that happen, right? Because, I mean, we've seen similar action about, like, against Internet Explorer a million years ago, right?
Starting point is 00:37:45 We've seen action like that in the past. Yeah, so, okay, so for, I think where regulatory, where regulators should get involved is actually on the security front. because the other thing, one, I think there should be work to make sure Microsoft is not both the arsonist and the firefighters, right? Like, you know, now that I'm out of Sentinel One, I can say this.
Starting point is 00:38:12 Like Microsoft is trying to completely dominate. They're trying to get rid of any independent security company, right? They're trying to take all of the revenue for all of the different. They want to get rid of Proofpoint. They want to get rid of CrowdStrike. They want to get rid of Sentinel One. And they're just taking all of the revenue.
Starting point is 00:38:29 And it's funny because you end up with like CrowdStrike and Sentinel One and all those companies hating each other. And while those companies are like fighting, Microsoft just like gives away an inferior product for free with an email subscription. This is the end of Gangs of New York all over again. Yeah, right, right. Yeah, exactly. And so, right, right, you got the gangs down here and the WASPs taking over or whatever.
Starting point is 00:38:53 Yeah, exactly. So like, it's, it's, um, the, inferior product is winning because they give it away for free. And so I think that is something that is bad. And what's the other thing that is happening right now is making technical decisions to do things like kick other security products out of the Windows kernel, using the CrowdStrike screw-up from last year as an excuse to do so. Well, they haven't done that yet. I mean, they haven't done it yet, but they're moving to do it. Now, I don't think it's actually going to happen because I don't think they're actually going to
Starting point is 00:39:26 be able to implement all the things at a performance level necessary. But, like, they're talking about it, right? But, like, that's the kind of thing that I think regulators can step in and be like, no, we're just not going to let you get rid of the entire independent security industry. And we're not, and right now what they can do is they can step in on the competitive, on the giving away security products for free, right? Like, oh, you buy email and you give away everything, you get rid of all email security products and get rid of all cloud security products,
Starting point is 00:39:54 and you get rid of, you know, all EDR products. because you guys give away for free, and it's just impossible to compete with free. It is. And so as a result, like, you end up, the problem is Defender has the same security blind spots as the Windows kernel, right? Their email products have the same security blind spots. And, like, getting rid of all independent views and all independent voices in the security world is bad.
Starting point is 00:40:23 That's just a bad thing. And nobody talks about it. So I think that is the place where they are trying to build a monopoly and they just don't want anybody criticizing them, which is fine. I mean, I understand why they want that, but that is bad for the world. All right. So final word from Mr. Krebs, who's been bobbing up and down in his seat while you've been talking, Alex, and then we're going to wrap it up. Chris. So I agree that that's a big opportunity, particularly in the security space.
Starting point is 00:40:47 It's just not a kind of a core area of emphasis. They've got great people in security research, security engineering, MSTIC, all that. But it just does feel it's something that they figured out that they could throw in the bag and maybe pick up a little revenue with it. But to your point, it's not as good as stuff that's on the market. I really think, though, what's going to happen, or at least has the highest likelihood of happening, is not anything out of Congress, probably not anything near term out of the Federal Trade Commission unless somebody at Microsoft pisses off the administration. I think what's more likely to happen is some element of government contracting and spending, tightening up in the vein of DOGE, of taking a hard look at government contracting and identifying opportunities to reduce redundancy. And I think the greatest example, I've talked about it, Pat, on the show before, is looking at, for instance, the M365 contracts. And when I say contracts plural, there are a bunch of them.
Starting point is 00:41:53 And the way the incentive structure's set up right now is it's really not Microsoft that's going to start winnowing down or necking down and getting people on a smaller set of contracts. And it's certainly not in the government side either because of the budget process. Now that could change as CIOs and CISOs are getting their contracts or rather their budgets reduced. And so they're going to have to start turning to someone that has a shared service model. Whether that's CISA for security services, could be the Department of Justice that offers some IT shared services, managed services out of the Department of Justice. I mean, I will say, Chris, though, that that sounds like a fairly large bureaucratic effort, and I can't see this current administration hiring a bunch of, like, you know, hiring a bunch
Starting point is 00:42:40 of new bureaucrats to kind of do this work, even if it makes sense and will save a bunch of money. I don't know. I can't save it. They've spent money to cut money. I guess already in the first several months of the administration. And I do think that if you look at the out years over a 10-year period, it's going to be just a significant windfall of savings. And look, just look to the north. Canada has done this. Now, Shared Services Canada, when it launched about a decade ago, was not a screaming success.
Starting point is 00:43:08 But they have learned a bunch of things. They've got it. It's run by Scott Jones, who used to be my cyber counterpart. And it's actually a pretty successful program right now. And I think that we could at least bring it down as a pilot and get some of the micro and mini agencies on the civilian side, uh, off running their own metal. Yeah. I mean, the amount of like IronPorts still out there is like wild, right? Like it's just mind blowing and most of it's in government. You know, I do wonder, too, once you start
Starting point is 00:43:38 centralizing procurement in the way that you're describing. I mean, we've had various things like state governments and stuff in Australia do it. I'm sure it's the same in the United States. There's a lot of graft opportunities there. There's like it's a recipe for corruption once you've got centralized procurement. I guess it's a, you know, at least you're centralizing the corruption as well because there's already procurement corruption everywhere. But I also wonder too that once you've centralized your procurement that way, there's other opportunities to do things like percentage caps on how much cloud spend can go to each provider, right? So you're like, well, we don't like what you're doing. We're going to cut your share
Starting point is 00:44:12 of total government cloud spending by 2%. And then you let the various agencies find it out. If I'm Google, I'm all over this. Yeah. Because the 101, 100 and however many federal agencies, I think there's only one that really runs kind of the full stack GCP, and that's the, that's GSA, General Services Administration. So I think that the opportunity is right there. It's a, I almost said quick, easy win. It's probably neither quick nor easy, but it's got to be done. It just, the status quo of government contracting, particularly for cloud services, just basic productivity services and contracts cannot continue.
Starting point is 00:44:48 Yeah, and then that's a bigger stick, right? And then maybe it means that you won't have Chinese engineers popping up in your Gov clouds. And mind you, the announcement from Microsoft is that they're no longer doing this for DOD, but they did not say that they're no longer doing it for the rest of the United States government. Make of that what you will.
Starting point is 00:45:05 Or Australia. You were talking before, Chris, about having to ask the perfect question. I think there's a few more questions that could be asked of Microsoft. All right, we're going to wrap it up there. Alex Stamos, Chris Krebs. Thank you so much for joining me. This is the triumphant return of the wide world of cyber podcast. It's been great chatting to both of you. Thank you. Great to see you guys.
Starting point is 00:45:23 Great beard, great beard. Happy end of winter to you, Pat. Continue out.