Charlie Bell, a former Amazon Web Services executive, is now the leader of Microsoft's newly formed, 10,000-person security engineering organization. (Microsoft Photo)
Your code will be attacked.
That warning, so obvious today, was a blunt wake-up call 20 years ago for many of the software developers reading the book Writing Secure Code, by Microsoft security engineering leaders Michael Howard and David LeBlanc.
Bill Gates was one. He absorbed the 477-page technical tome in one weekend and returned to Redmond ready to change how Microsoft made software, prioritizing security and reliability over new features.
"Eventually," Gates wrote, "our software should be so fundamentally secure that customers never even worry about it."
Two decades later, that line from the Microsoft co-founder's Trustworthy Computing memo would seem quaint if the reality weren't so terrifying: ransomware, software supply chain attacks, privacy breaches, nation-state hacks, malware, worms, and adversarial machine learning are just a few of the looming threats.
And the security of Microsoft's software is still falling well short of Gates' vision. Last month, on the anniversary of the landmark memo, Microsoft patched nearly 120 holes in Windows and other products. Nine were critical. One was wormable, letting attacks spread between computers without human involvement.
Charlie Bell is known to love big engineering challenges. He appears to have found the perfect job, because it would be hard to imagine one bigger than this.
The former Amazon Web Services executive, whose departure for Microsoft last fall was the subject of weeks of negotiations between the Seattle-area tech giants, is now almost four months into his role as a Microsoft executive vice president, leading a new Security, Compliance, Identity, and Management organization.
Bringing together existing groups from across the company, the new organization numbers 10,000 people including existing and open positions, representing more than 5% of the tech giant's nearly 200,000 employees.
Its primary focus will be developing and delivering security products and services, not the core security of the company's individual products, which is the purview of security groups inside product teams.
But people inside and outside Microsoft hope Bell can spark meaningful change for the company and cybersecurity writ large, as a respected leader coming in with fresh eyes and a mandate from Microsoft CEO Satya Nadella.
"The next big challenge for our company and our industry is securing digital technology platforms, devices, and clouds in our customers' heterogeneous environments," wrote Nadella in an internal memo announcing Bell's position. "This is a bold ambition we are going after and is what attracted Charlie to Microsoft."
In a LinkedIn post about his new job, Bell wrote that he was inspired to join Microsoft to take on "one of the greatest challenges of our time," trying to take the world from "digital medievalism" to "digital civilization."
Microsoft, he wrote, "is the only company in a position to deliver this."
One reason, others point out, is Microsoft's own role in the problem.
"Microsoft is at the root of tons and tons of the issues these days. There's a lot of customer frustration, and people saying, 'Just fix this,'" said Alex Gounares, founder and CEO at Bellevue, Wash.-based security tech company Polyverse, who worked in the role of technical advisor to Gates at Microsoft from 2003 to 2006.
Gounares said he believes Microsoft already has much of the technology it needs to address many of the core challenges in cybersecurity. Back in the day, he said, Gates was a forcing function internally to bring Microsoft's disparate efforts together in the interest of the greater whole. Bell could now play a similar role in marshaling the company's cybersecurity initiatives.
"Charlie is well-known as a get-stuff-done kind of guy," Gounares said. "I think it's a really good move on Microsoft's part to get somebody of his talent and stature to drive fundamental improvements."
But there's a big difference from the days of Bill Gates. The company isn't merely trying to write secure code anymore. The security threats are much larger, and so are Microsoft's aspirations to address them. The company wants to build a large line of business by offering security and software to protect its customers, no matter whose software or services they're using at any given moment.
In fact, this business is already booming. As part of its record-setting earnings report last week, the company said revenue from security products in the prior 12 months surpassed $15 billion, up 45% year over year.
That's more than 8% of Microsoft's total revenue for that time period, and three times the annual revenue of Palo Alto Networks, the largest publicly traded standalone IT security company by market value.
This quest to deliver security across many devices, platforms and clouds is the focus of Bell's job leading Microsoft's new security engineering organization.
But in the larger scheme of the company, the initiative raises a natural question: How can Microsoft justify making so much money on security when it's still routinely patching critical holes in its software?
Deutsche Bank analyst Brad Zelnick raised this issue on Microsoft's earnings call, asking Nadella to explain the extent to which Microsoft sees cybersecurity as its responsibility, "versus it being a commercial opportunity that you can continue to monetize."
Nadella acknowledged that one of Microsoft's fundamental responsibilities is to build security into its products. The company is "going to be very, very mindful of our responsibility," he said.
At the same time, he added, "we think we have a security opportunity in being able to secure the entire heterogeneous digital estate of our customers."
"Our monetization is about really recognizing that the real world is not some homogenous Microsoft infrastructure world. It is a multi-cloud, multi-platform world," Nadella said. "And we will definitely monetize those aspects [where] we have best-of-breed solutions and suites and offerings."
Microsoft had more than 715,000 corporate customers using its security solutions as of its most recent quarter, and Nadella said they save 60% compared to companies that implement solutions from multiple vendors.
The company declined to make Bell available for an interview. Microsoft's security team, in a detailed response to GeekWire's questions, outlined the company's wide-ranging investments in technology, tools and teams, including a pledge to boost spending to $20 billion on security protections for customers over five years.
Microsoft says it's fighting "an asymmetric battle in unprecedented times."
In addition to the SolarWinds software supply chain attacks that first emerged in late 2020, the company says it saw increases of 150% in ransomware and more than 600% in phishing last year, plus password attacks at a rate of 579 per second.
"The attack landscape is very sophisticated. It's very frequent. And we have our jobs cut out for us," said Vasu Jakkal, Microsoft corporate vice president for security, compliance, identity and privacy.
The company listed these key priorities for its security initiatives:
Microsoft also has a Digital Crimes Unit with an extensive track record of identifying, pursuing and taking down botnets, ransomware rings and other criminal networks online. The company also works on election integrity.
While Microsoft is far from alone in dealing with vulnerabilities in its software, its technology has long been foundational for many businesses. The company has extended that role into a new era by making the transition to the cloud. The resurgence of the PC market has made the company all the more relevant.
Microsoft acknowledges that it's unique in delivering both software and security products. Some competitors believe that dual role amounts to playing both sides of the fence.
"[W]ith one hand, the company ships vulnerabilities and hosts malware, and with the other, it charges to protect users from those same vulnerabilities and threats," wrote Ryan Kalember, a National Cyber Security Alliance board member and executive vice president with Proofpoint, which competes with Microsoft in enterprise security. "Add in the world's most extensive incident response practice, and Microsoft is the arsonist, the fire department, and the building inspector all rolled into one."
Another issue is Microsoft's practice of putting advanced security solutions into its costliest enterprise licensing tiers.
"We've gotten to this point now where you have to pay a premium to get security features, which is honestly very unfortunate," said Wes Miller, research analyst at the independent Directions on Microsoft research firm. "So customers who either are unwilling or unable to pay that premium for the security features get left out in the cold."
Miller, who was working at Microsoft as a Windows program manager when Gates issued his memo, said he sees a disconnect in the company's recent announcements touting its security revenue growth.
"The reality is, you shouldn't be gloating about the money you're making, considering the larger security issues," he said. "Regardless of what's in Windows 11, the company is not doing enough to fight ransomware. They are not."
The company's role in the ransomware problem was documented in a detailed post last year by Kevin Beaumont, a former Microsoft senior threat intelligence analyst. For one, Beaumont wrote, many people underestimate the burden that patching software vulnerabilities puts on IT departments.
Beaumont also cited the enterprise licensing issue.
"Basic secure usage of Microsoft's products, which currently helps fuel a worldwide criminal network in ransomware gangs, shouldn't have a security poverty line. That is a key element these groups are exploiting," he wrote.
He added, "Microsoft can lead the security market and still make money by driving product change in its own offerings, and genuinely changing both the security industry and technology risk landscape of the world."
In an interview with GeekWire last fall, Microsoft President Brad Smith said the company's licensing approach is driven by a desire to give enterprise customers the choice to use Microsoft's security solutions or others. That's especially important in enterprise security, he said, given the extreme diversity of legacy IT infrastructure.
"There's a level of complexity that we need to think through," Smith said. "The lines will probably shift over time. I think Charlie Bell can help us figure that out. And that will be good not just for Microsoft and our customers; it will be good for the country and the world."
Bell, 64, is a native of Irvine, Calif., who graduated from California State University, Fullerton. Early in his career, he worked at Boeing as a Space Shuttle flight interface engineer. He joined Amazon in 1998 when it acquired Server Technologies Group, an e-commerce software company that he founded in 1996 after leaving Oracle.
He talked about his history and focus at Amazon in this 2020 conversation at the IEEE conference on Computer Vision and Pattern Recognition.
Bell worked at Amazon for more than 23 years, including 15 as a top AWS executive. He reported to Andy Jassy, the longtime AWS CEO, before Jassy became Amazon CEO. Once considered a potential successor to Jassy at AWS, Bell took the Microsoft job after Amazon brought Adam Selipsky back from Tableau to AWS as CEO.
Longtime colleagues describe Bell as a down-to-Earth leader with a pragmatic streak. During his Amazon tenure, he could often be spotted walking from his home through the city to Amazon's campus, wearing a bright yellow safety jacket.
Bell is the husband of Nadia Shouraboura, an entrepreneur who was previously an Amazon vice president and founder and CEO of Seattle-based robot-powered apparel startup Hointer.
A consummate engineer, Bell is also a quintessential Seattleite, the kind of person who would be as comfortable leading a multinational corporation as he might be chatting about Puget Sound's J Pod endangered southern resident orcas, said a former AWS colleague, Brian Hall.
"He's fascinated with problems and opportunities, and how to engineer solutions," Hall said.
Jakkal said she and Bell bonded over a shared interest in science fiction and quantum physics, and a Star Trek analogy that explains the security engineering group's vision: giving Microsoft customers the same level of visibility into the security landscape as a captain of the Enterprise would have into deep space from the bridge.
"I'm confident he's going to help us build that," Jakkal said.
Microsoft executives and teams now reporting to Bell are:
The language in Bell's LinkedIn post was, in some ways, reminiscent of Gates' memo.
"As digital services have become an integral part of our lives, we're outstripping our ability to provide security and safety," he wrote. "It's constantly highlighted in the headlines we see every day: fraud, theft, ransomware attacks, public exposure of private data, and even attacks against physical infrastructure."
He added, "This has been weighing on my mind and the best way I can think to describe it is digital medievalism, where organizations and individuals each depend on the walls of their castles and the strength of their citizens against bad actors who can simply retreat to their own castle with the spoils of an attack."
"We all want a world where safety is an invariant, something that is always true, and we can constantly prove we have," he wrote. "We all want digital civilization."
Updates: Added information on Microsoft's Digital Crimes Unit and related activities. Corrected to remove reference to Harv Bhela, who had been one of Bell's direct reports but recently left to become NetApp's chief product officer.