Microsoft President Brad Smith testified before the House Homeland Security Committee Thursday.
Stay Connected
Forbes on Facebook: http://fb.com/forbes
Forbes Video on Twitter: http://www.twitter.com/forbes
Forbes Video on Instagram: http://instagram.com/forbes
More From Forbes: http://forbes.com
Transcript
00:00:00security will come to order. Without objection, the Chair may declare the committee in recess at
00:00:03any point. The purpose of this hearing is to examine the Department of Homeland Security's
00:00:08Cyber Safety Review Board's recent report concerning the summer 2023 Microsoft Exchange
00:00:14online cyber incident. Specifically, we'll examine Microsoft's view regarding the company's
00:00:18security practices and challenges encountered in preventing significant cyber intrusions
00:00:24by suspected nation-state actors and its plans to strengthen security and measures moving forward.
00:00:30I now recognize myself for an opening statement. Each and every day, the United States depends
00:00:37upon Microsoft, cloud services, productivity tools, operating systems, to carry out an array
00:00:43of critical missions. Microsoft is deeply integrated into our nation's digital infrastructure,
00:00:49a presence that carries heightened respect and heightened responsibility. We're holding this
00:00:55hearing today because of the latest Department of Homeland Security Cyber Safety Review Board,
00:01:02CSRB, report. The report attributed last summer's Microsoft Exchange online hack by Storm 0558,
00:01:10which is backed by the Chinese Communist Party, to, and I quote,
00:01:14a cascade of security failures at Microsoft, end quote. The determinations were based on a number
00:01:20of findings detailed in the report, and I have the report and would like to introduce it into
00:01:24the record, and so ordered. Specifically, Storm 0558 assessed Microsoft, accessed Microsoft Exchange
00:01:35accounts using authentication tokens signed by an inactive private encryption key that Microsoft
00:01:41created in 2016. The Beijing-backed actor obtained tens of thousands of individual U.S. government
00:01:47emails by compromising the Microsoft Exchange email accounts of U.S. officials working on national
00:01:52security matters relating to China. The CSRB concluded that this intrusion would have been
00:01:59prevented had Microsoft cultivated a strong security culture, which the CSRB said, and I quote,
00:02:06requires an overhaul, particularly in light of the company's centrality in the technology ecosystem
00:02:11and the level of trust customers place in the company to protect their data and operations,
00:02:16end quote. By any measure, this cyber intrusion was not sophisticated. It did not involve advanced
00:02:23techniques of cutting-edge technologies. Instead, Storm 0558 exploited basic, well-known vulnerabilities
00:02:34that could have been avoided through basic cyber hygiene. In other words, this was avoidable.
00:02:40This is extremely concerning and falls into falls to this committee to do the due diligence and
00:02:46determine just where Microsoft sits and how it's taken this report to heart. Our goals today are
00:02:52simple. We want to give the company, we put so much faith in as a government, the opportunity
00:03:00to discuss the lessons learned, the actions taken, and of course, to share where they feel the report
00:03:07could have been wrong. To be clear, the U.S. government would never expect a private company
00:03:11to work alone in protecting itself against a nation-state actor. We need to do more, more work
00:03:18to define roles and responsibilities for public and private sector actors in the event of nation-state
00:03:25attacks. Our nation's adversaries possess advanced cyber capabilities and substantial resources,
00:03:31often exceeding the defensive cybersecurity measures available to even the most sophisticated
00:03:37companies. However, we do expect government vendors to implement basic cybersecurity practices.
00:03:46Since this is not the first time Microsoft has been the victim of an avoidable cyber attack,
00:03:52and in the light of the report, it's now Congress's responsibility to examine the
00:03:57response to this report. We must restore the trust of the American people who depend on
00:04:03Microsoft products every day. We must also address broader questions regarding the mitigation of
00:04:09economic and national security risks. This hearing aims to shed light on these issues and ensure
00:04:14Microsoft has implemented the CSRB's recommendations to safeguard against future breaches.
00:04:19As we dive into these issues, we need to keep three things in mind. First, closing the cyber
00:04:24workforce gap, my top priority for the committee this year. The security challenges we face as a
00:04:29nation are compounded by the persistent shortage of cybersecurity professionals.
00:04:33As Microsoft continues its work to invest in our cyber workforce, we must hearken back to the
00:04:38lessons from the report. Our cyber professionals must be trained to think security first. We must
00:04:43equip them with the right skills to protect our networks and to build our systems' security.
00:04:48Second, we need to define the role of public and private sector entities in protecting our
00:04:54networks against nation-state actors. I think the federal government has been silent too long on
00:04:59this. These attacks have become increasingly common, rather than anomalies. We need clearly
00:05:05defined responsibilities so that we can effectively respond to nation-state attacks on our networks
00:05:11in a private-public partnership. Finally, we must address a fundamental issue, the economic
00:05:16incentives that drive cybersecurity investments. As the CSRB's report recently revealed,
00:05:22underinvestment in essential security measures exposed critical vulnerabilities.
00:05:27Changing the economic incentives for cybersecurity investment is not about imposing onerous
00:05:32regulations or stifling innovation. It's about creating an environment where the costs of
00:05:37neglecting cybersecurity are outweighed by the potential benefits of comprehensive security
00:05:44measures. Today, we will explore the steps Microsoft is taking to strengthen its security culture
00:05:50through its Secure Future initiative. While I commend Microsoft for announcing steps to
00:05:55reform its security practices, I want to hear today what Microsoft's follow-through has been
00:06:00on those commitments. On its past responses to other significant cyber incidents, such as solar
00:06:06winds, one of my biggest concerns is Microsoft's presence in China, our nation's primary strategic
00:06:15adversary, and the regime's responsibility for the hack we're discussing today. Over the years,
00:06:20Microsoft has invested heavily in China, setting up research and development centers, including
00:06:25the Microsoft Research Asia Center in Beijing. Microsoft's presence in China creates a set of
00:06:30complex challenges and risks, and we have to talk about that today as a part of our discussion on
00:06:37this security issue. Mr. Smith is a longtime key leader within Microsoft. I anticipate that
00:06:43you will help us understand the gaps that enabled these recent cyber intrusions. The American people,
00:06:49as well as the numerous federal agencies that depend on Microsoft, deserve those assurances
00:06:54that their data and their operations will be protected. Mr. Smith, we appreciate your presence
00:07:00here today and look forward to your testimony. I also would like to let the members of the
00:07:04committee know, and listen up team, that should your question require an answer that would
00:07:11necessitate movement to a secure location, Mr. Smith will be the only one who knows that answer
00:07:18once you ask the question. Look, China and Russia, Beijing and Moscow are watching us right now,
00:07:25and if you don't think that's true, you're naive. The last thing we want to do is empower
00:07:31our adversary in any way. Members, if Mr. Smith says the answer would require a secure facility,
00:07:37please accept this and ask another question. The committee staff will determine the best way
00:07:42or mechanism to get you the answer in a secure and classified manner.
00:07:48With that, I yield now and I recognize the Ranking Member for his opening statement.
00:07:55Thank you very much, Mr. Chairman. I'd like to thank you for holding this hearing on the Cyber
00:08:02Safety Review Board investigation of an intrusion into federal networks involving Microsoft.
00:08:10At the outset, I want to be clear, this is not a got you hearing. It's not the committee's goal
00:08:16to shame, embarrass, or discredit the witness, Microsoft, or any other entity mentioned in the
00:08:24CSRB report. We have three objectives today. Accountability, securing federal networks,
00:08:32and securing the broader internet ecosystem. Last year, we were disturbed to learn that a
00:08:39state-sponsored threat actor from China had accessed the email accounts of high-ranking
00:08:46officials at the Department of State and Commerce and an email account of a member of Congress,
00:08:53among others. As the investigation unfolded, we learned that the threat actor assessed these
00:08:59accounts by forging tokens using a stolen key from 2016 and that the State Department,
00:09:07not Microsoft, had discovered the intrusion. By August, Secretary Mayorkas announced that the CSRB
00:09:16would review the Microsoft Exchange online intrusion and the malicious targeting of cloud
00:09:22environments. The CSRB engaged in a thorough and expeditious review, and its report was released
00:09:30earlier this year, and I might add the chair just included a copy of that report in the record.
00:09:38The CSRB did exactly the kind of review it was supposed to do, and it did so in a manner only
00:09:46the government can. The CSRB examined a serious incident and made pointed findings and recommendations
00:09:54that will ultimately improve how Microsoft, other cloud service providers, and the government
00:10:01approach security. It is incumbent on this committee to hold Microsoft, one of the fellow
00:10:08government's most prominent IT vendors and security partners, accountable for the findings
00:10:14and recommendations in the report. Microsoft deserves credit for cooperating with the
00:10:20board's investigation, but make no mistake, it's Congress's expectation that Microsoft
00:10:27or any similarly situated company would do just the same. Microsoft is one of the largest
00:10:34technology suppliers in the world, and its products are used by governments and private sector
00:10:40entities alike. The company provides an estimated 85 percent of the productivity software used by
00:10:50the federal government. Microsoft also sells security tools and is one of the government's
00:10:56top cloud service providers. Moreover, a reported 25 to 30 percent of its government revenue comes
00:11:05from noncompetitive contracts, at least in part due to the terms of its licensing agreements.
00:11:13Any company with such a significant footprint in our federal network has an obligation to cooperate
00:11:21with a government review of how a Chinese threat actor assessed sensitive information
00:11:28by exploiting vulnerabilities in one of their products. Turning to the report's findings, the
00:11:35CSRB determined that last summer's intrusion was, and I quote, preventable and never should have
00:11:42occurred, unquote. Additionally, it found that, quote, Microsoft's security culture was inadequate
00:11:50and requires an overhaul, unquote. As someone responsible for overseeing the security of
00:11:57federal networks that rely heavily on Microsoft, and as a user of Microsoft products myself,
00:12:05I find these observations deeply troubling. The CSRB report exhaustively described how last
00:12:14summer's incident occurred and includes a thorough history of the threat actor's previous
00:12:20activities. Importantly, the report observed that the security community has been tracking the
00:12:27threat actor for over 20 years. Over that time, the threat actor has demonstrated tactics and
00:12:34objectives that those we saw in last summer's attack. Dating back to Operation Aurora in 2009,
00:12:44an RSA compromise in 2011, the threat actor has a well-documented interest compromising cloud
00:12:53identity systems, stealing signing keys and forging tokens that would enable access to
00:13:00targeted customer accounts. For over a decade, every technology provider in the world has been
00:13:07on notice and should have stepped up their approach to securing identity and authentication
00:13:15accordingly. But the CSRB found Microsoft did not do so. And while Microsoft did cooperate
00:13:23with the CSRB investigation, the board found the company was slow to be fully transparent
00:13:34with the public, most notably about how the threat actor obtained the signing key.
00:13:40To this day, we still do not know how the threat actor accessed the signing key.
00:13:48Microsoft's explanations about why the key was still active in 2023 and why it worked for both
00:13:56consumer and enterprise accounts have not been confident. As I remain troubled that Microsoft
00:14:03was reluctant to be transparent with the public, that it was not confident about the root cause of
00:14:10the incident. My concerns about whether we can rely on Microsoft to be transparent were heightened
00:14:18this morning when I read a ProPublica article about how an employee alerted Microsoft's leadership
00:14:26to a vulnerability in its Active Directory Federation services before security researchers
00:14:34publicly reported it in 2017. That vulnerability, which Microsoft chose not to fix, was ultimately
00:14:43used by Russian hackers to carry out secondary phases of the SolarWinds attack in 2020.
00:14:51Even more troubling, the article recounts Microsoft's testimony before the Senate in 2021,
00:15:00which denied that any Microsoft vulnerability was exploited in SolarWinds. Transparency is a
00:15:08foundation of trust and Microsoft needs to be more transparent. In 2002, Bill Gates said,
00:15:18when we face a choice between adding features and resolving security issues, we need to choose
00:15:24security. The CSRB found that Microsoft had drifted away from this ethos. I agree.
00:15:35Last November, Microsoft announced a secure future initiative, touting a reinvigorated approach
00:15:43to security. But in January, Microsoft itself was compromised by Russian threat actors
00:15:50who used unsophisticated tactics to assess the emails of high-level employees.
00:15:57Unfortunately, those emails included correspondence with government officials and put the security
00:16:05of federal networks at risk once again. Basic cybersecurity tools that were not enabled
00:16:12would have thwarted this intrusion. In May, following the CSRB report, Microsoft announced
00:16:20an expansion of the secure future initiative that committed to making security a top priority.
00:16:28But the same month, Microsoft announced recall, a new feature that takes and stores periodic
00:16:36snapshots of a user's computer screen, which has raised concerns among both privacy and security
00:16:45experts. I understand that last Friday, Microsoft modified the rollout of recall in order to
00:16:54incorporate significant changes. I hope it will continue to consider these concerns of security
00:17:01and privacy as it rolls out new products. On a final note, I've been warned that the
00:17:07committee's oversight of this incident will chill private sector cooperation with the Board
00:17:14in the future. That cannot and should not be the case. I want to put future subjects of CSRB
00:17:22investigations on notice. This committee will not tolerate refusals to cooperate
00:17:29with legitimate investigations undertaken by the Board, particularly when federal networks
00:17:35are involved. Any effort to obstruct CSRB investigations into cyber incident would
00:17:42invite significant scrutiny by this committee and would certainly force expedited consideration of
00:17:49proposals to grant CSRB greater investigatory powers. Microsoft is one of the federal
00:17:57government's most important technology and security partners, but we cannot afford to allow
00:18:03the importance of that relationship to enable complacency or interfere with our oversight.
00:18:11National security demands that technology providers continue the evolution toward
00:18:17transparency so we can better secure the digital ecosystem. With that, I look forward,
00:18:23Mr. Chairman, to a productive conversation today about how Microsoft will improve its security
00:18:30culture and thereby the security of its customers. I yield back.
00:18:37I thank the Ranking Member for his opening remarks. Other members of the committee are
00:18:41reminded that opening statements may be submitted to the record. I'm pleased to have a distinguished
00:18:48witness here before us today. I ask that our witness please rise and raise his right hand.
00:18:53Do you solemnly swear the testimony you will give before the Committee on Homeland Security of the
00:18:59United States House of Representatives will be the truth, the whole truth, and nothing but the truth,
00:19:03so help you God? Let the record reflect that the witness has answered in the affirmative.
00:19:10I would now like to formally introduce our witness. Mr. Brad Smith currently serves as the Vice Chair
00:19:15and President of Microsoft Corporation, where he plays a pivotal role in steering the company's
00:19:20strategic direction in legal affairs. He joined Microsoft in 1993, initially leading the legal
00:19:25and corporate affairs team in Paris, and later held various senior roles in the legal and corporate
00:19:31affairs department. Under his leadership, Microsoft has tackled significant legal challenges and been
00:19:36at the forefront of critical policy debates, including cybersecurity, privacy, and artificial
00:19:40intelligence, among other issues. He has testified numerous times before the United States Congress
00:19:45and other governments on these key policy issues. Before joining Microsoft, Mr. Smith worked as an
00:19:50associate and then partner at Covington & Burling, a prestigious law firm here in Washington. He held
00:19:56his bachelor's degree from Princeton University and a law degree from the Columbia University.
00:20:00I thank the witness for being here, and I now recognize Mr. Smith for five minutes to summarize
00:20:06his opening statement. Well, thank you, Mr. Chairman, and thank you, Ranking Minority Member
00:20:11Thompson. Thank you to all of you for the opportunity to be here today. I think you,
00:20:18between the two of you, captured so well, so much of what is so important for us to talk about this
00:20:24afternoon. A lot of times in life, the most important words to heed are words that are difficult to hear.
00:20:34So, as you can imagine, as I listened to the two of you just now, it wasn't how I hoped I might spend
00:20:41an afternoon in June when the year began. But we're here for an important reason. It starts with
00:20:47the role this committee plays, the protection of the homeland security of the United States.
00:20:52And the reality is you cannot protect the homeland security of this country without protecting the
00:20:57cybersecurity of it as well. And that is a shared responsibility between the public and private
00:21:03sectors, and hence what you do to oversee us and others in the private sector is critical.
00:21:12I think the most important thing for me to say, the most important thing for me to write in my
00:21:16written testimony, is that we accept responsibility for each and every finding in the CSRB report.
00:21:25As you can imagine, you get a report, you look at it, it's difficult to read, you sort of
00:21:30think, how are you going to react? And when I sat down with Satya Nadella, Microsoft's chairman and
00:21:36CEO, we both resolved immediately that we would react without any defensiveness, without
00:21:43equivocation, without hesitation, and we would instead use this report to make Microsoft and
00:21:49the cybersecurity protection of this country better. That's our goal. And part of that, frankly,
00:21:56involves accepting responsibility, apologizing to those that were impacted, as I have done in person.
00:22:03It involves reminding our employees of something that I often say to them. No one ever died of
00:22:09humility. Use the mistakes you make so you can learn from them and get better. Of course, that
00:22:17only works if you actually use what you learn and you do get better. And I appreciate that's
00:22:22where both of you are pushing quite rightly. And that involves two things. It involves strategy
00:22:28and it involves culture. So from a strategic perspective, we did start last November to apply
00:22:33the lessons we were learning already from Storm 0558. That's why we launched the Secure Future
00:22:38Initiative. But I think here what's most important is the CSRB's recommendations. There are 25 of
00:22:45them. 16 are really applicable to us, four only to us, 12 to all cloud services and other technology
00:22:55providers. So we have mapped all 16 of those recommendations onto our plan for our Secure
00:23:03Future Initiative so that we will do each and every one of them. And we're making progress.
00:23:08But we're not stopping there. There's 18 other concrete recommendations that we have incorporated
00:23:14as part of this plan. And we have measurable milestones. In fact, we now have the equivalent
00:23:23full time of 34,000 engineers working on this project. This is the largest engineering project
00:23:32focused on cybersecurity in the history of digital technology. But I think you ask a second question
00:23:40as well, is that enough? And I think if we did that alone, it would not be. That's what you're
00:23:45saying. And those are words I heed as well. And that is why we're focused on changing, strengthening
00:23:52and building a world class security culture. And I look forward to talking about that.
00:23:58It starts with the tone of the top. It needs to reach all of our employees. And just yesterday,
00:24:02our board of directors approved two new steps. One will change the compensation of our most senior
00:24:08people so that annual bonuses are tied in part to cybersecurity with an exclusive focus on it.
00:24:14But second, I think even more than that, that this will become part of the biannual review
00:24:20for every employee at Microsoft, what they're doing on cybersecurity. And then I would conclude
00:24:26by saying that I think the two of you captured so well everything else we need to think about here,
00:24:32because if we improve Microsoft alone, that won't be enough. We're dealing with four formidable
00:24:41foes in China, Russia, North Korea, Iran. And they're getting better. They're getting more
00:24:48aggressive. We should all expect them to work together. Their waging attacks at an extraordinary
00:24:55rate. So I welcome the opportunity to ask ourselves to learn together what can we do in that space as
00:25:03well. You frame some excellent ideas in your two openings. I look forward to talking about them.
00:25:09Thank you. Thank you, Mr. Smith. Members will be recognized in order of seniority for their
00:25:16five minutes of questioning. I want to remind everyone to please keep their questioning to
00:25:20five minutes. An additional round of questioning may be called after all members have been
00:25:24recognized. I now recognize myself for five minutes of questioning. I was intrigued by
00:25:30from your statement and your written testimony about the, you know, let me start by saying this.
00:25:37We as human beings respond to initiatives or incentives, I'm sorry, incentives. Economics is
00:25:46about the study of incentives. And you mentioned the recent payroll changes for your senior
00:25:54executives. And I wonder if you're at liberty to discuss how deep that goes, you know, what level
00:26:01of leadership. And I think that's a novel approach. And I'd love to hear more about that.
00:26:11Sure, let me say two things. First, the Board of Directors took the first step yesterday.
00:26:15And it acted a bit ahead of schedule. We ordinarily make these decisions in July, August.
00:26:22But for the 16 most senior people in the company, including our CEO, including me and others,
00:26:27with the new fiscal year, which starts July 1, one third of the individual performance element
00:26:33of our bonus will be about one thing and one thing only cybersecurity. So that's the first thing.
00:26:39Second, the board did note that when it awards bonuses for the fiscal year that ends at the end
00:26:45of this month, it will take cybersecurity performance of the individual executive into
00:26:51account. But the thing we probably spent the most time as a senior leadership team talking
00:26:56about the last month or so, is how to create incentives for everybody. And of course, it's
00:27:03based on the culture of the company and our processes. So twice a year, every employee has
00:27:09a forum and a conversation with their manager, we call it a connect form. And they first reflect
00:27:15and show what they've done. And then the manager comments and they talk about it. And so what
00:27:20we've created is a new piece of this that everyone will have to address on cybersecurity. And the
00:27:26thing I like about it most, to be honest, is it gives every employee at Microsoft the opportunity
00:27:32to think, what have I done? What could I do? How am I doing and then be rewarded at the end of the
00:27:40year based on that, that sounds that's encouraging. Having run a company myself, I think, how you tie
00:27:49the incentives drives performance, and what people make the priority. So I appreciate that. Let me
00:27:54ask a little bit about your involvement in China. I'd love to get a little bit more detail granularity
00:27:59on where you are right now. You know, what's your current posture? And you know, what are you sharing
00:28:04with the Chinese people? Or to the Chinese government? I mean, are you having to give up code?
00:28:10And what what the involvement there is, if you don't mind elaborating on that a little bit.
00:28:15Sure, it's a broad topic. We have a few different activities in China, it's not a major source of
00:28:23revenue for Microsoft. Globally, it accounts for about 1.4 1.5% of our revenue. We do have an
00:28:32engineering team that we have been reducing, and we announced most recently, that we were offering
00:28:38about 800 people, seven or 800 people the opportunity to move out of China, and they were
00:28:42going to need to move out of China in order to keep the job they have. So we've been reducing our
00:28:47engineering presence. There are two things that we do that we believe are very important. First,
00:28:55we do run some data centers, cloud services, principally, I would say for the benefit of
00:29:02multinational companies who do business in China, and we're not alone. Others in our industry do the
00:29:07same thing. But I the reason I think this is so important is if you're an American automobile
00:29:13company, an aircraft company, a pharmaceutical company, a coffee company, you need to use the
00:29:19cloud when you're in China. We want their American trade secrets to be stored in an American data
00:29:26center in China. I mean, if I could jump in, what access does the Chinese government have to that?
00:29:34None. Okay. And believe me, every time there is anything remotely close to a request,
00:29:44I always ensure we say no. Okay. Very specifically on this hack, because it did come from China,
00:29:50can you talk how you are with your presence in China, ensuring that that source isn't
00:30:00going to use your location in China as a vector? And what other if you can,
00:30:08what are you doing there to prevent that? I think it involves having very direct
00:30:15understanding yourself of what your guardrails are, what your limits are, what you can do and
00:30:22what you won't do. You have to know your own mind. We do. Second, you've got to be prepared
00:30:29to look people in the eye and say no to them. And that's something I do myself. I was in Beijing in
00:30:37December, I got pushed because there was unhappiness about reports that we've made
00:30:44publicly about attacks from China about us critical infrastructure and about
00:30:50the influence operations. And I said, there are lines that we don't believe governments should
00:30:57cross, we're going to be principled and we're going to be public. And there are many things
00:31:03we're not going to do in China. And there will be things we're not allowed to do in China. But I
00:31:07think at the end of the day, we have to know our principles. Thank you. My time has expired. And
00:31:14I now recognize the ranking member for his five minutes of questioning.
00:31:18Thank you very much. Mr. Chairman, I'd like to enter into the record. ProPublica article entitled
00:31:26Microsoft shows profit over security and left US government vulnerable to Russian hack whistleblower
00:31:34says. So ordered. And I'm sure you are somewhat familiar with that article and the fact that
00:31:45we were left vulnerable with that situation. Can you say to us or commit to us
00:31:54that you have established a process or on Budsman to ensure that employee concerns
00:32:03about security at Microsoft or their products are prioritized and addressed?
00:32:10Well, one of the changes we've just made as part of the secure future initiative
00:32:17is a new governance structure. It takes our chief information security officer or CISO as it's
00:32:23called in the industry, creates an office and then puts deputy CISOs in every part of the company.
00:32:30And the job of these individuals is to constantly monitor and assess and pick up feedback and apply
00:32:40a principled approach to address these things. So I would hope that that would address part of what
00:32:44you're referring to. I would say one other thing, though, the fundamental cultural change that we
00:32:52are seeking to make is to integrate security into every process as we've really thought a lot over
00:33:01the last couple of months. What's the key to getting better when your adversary is investing
00:33:06and constantly changing? And the thing that we have really concluded is there's a lot that we
00:33:12learn from what's called total quality management. This really came out of American business thinking
00:33:17and then Toyota really innovated in the 1980s. And the basic process was to empower
00:33:24every employee to focus on continuous employment, sorry, continuous improvement
00:33:31and speak up. And that's what we're trying to do, empower every employee to be able to speak up.
00:33:40And there's going to be debates. I mean, I don't think one can say that debates will end,
00:33:44but to ensure that those voices are heard and heeded. Well, and I trust based on what you've
00:33:52said that that will be going forward, that anybody who comes forward with something,
00:34:00they will be at least heard and responded to. With respect to that, we are here because of
00:34:10Storm-0558, as it's commonly referred to. And the real concern is Microsoft didn't find the problem.
00:34:21It was the State Department. Help us out. That's a great question. And the one thing I'd ask all
00:34:28of us to think about is that's the way it should work. No one entity in the ecosystem can see
00:34:37everything. So we all need to work together. And the way networks are constructed, people will see
00:34:44specific endpoints. In this case, as you know, it was the individuals at the State Department who
00:34:51saw the intrusion into the State Department email system. First of all, you ought to give those
00:34:56folks a medal. In all seriousness, that is fantastic. That is real innovation and great
00:35:02professionalism at work. And so they let us know. And by the way, we're the ones, interestingly
00:35:10enough, at the same time who identified the Chinese intrusions into electricity companies,
00:35:17water companies, air traffic control systems. We're all going to see different things. And so
00:35:23when somebody else sees it, we should applaud and say thank you, not say, oh, I wish I had found it
00:35:31instead. Well, I wish it was that simple. But we have a real challenge. And because you are such a
00:35:42big customer of government, we rely heavily on your product. And it's not our job to find the
00:35:53culprits. That's what we're paying you for. So I want you to don't switch the role. I'm not switching
00:36:02it at all. I appreciate what you're saying, for sure. Right. So maybe we'll have another round,
00:36:08Mr. Chair, but Chairman. Okay. Well, thank you. So the federal government is one of your largest
00:36:16customers, as I said. How can you earn back the trust that this situation has caused?
00:36:29I think it's just critical that we acknowledge shortcomings, accept responsibility, devise a
00:36:36strategy to address them, change the culture, be transparent about what we're doing, and always
00:36:45listen to feedback. Thank you. The gentleman yields. I now recognize the gentleman from
00:36:50Louisiana, Mr. Higgins, for his five minutes questioning. Thank you, Mr. Chairman. Mr.
00:36:57Smith, congratulations on your company's success. In fact, it's the very success of Microsoft that
00:37:05makes you such a big target, isn't it? That's certainly a part of it. Would you generally
00:37:12agree that Microsoft has grown so massive because of your own technological advancements that you
00:37:26have driven from within your company, and because of the trust that has been extended
00:37:33to Microsoft products through the decades? Yeah, I think that's fair. I think success comes from
00:37:39many things, but of all of the factors that we place the most importance on, I would say earning
00:37:45and retaining the trust of our customers. Okay, so we're in agreement. Microsoft's a great company.
00:37:54Everybody in here has some kind of interaction with Microsoft. We really don't have much choice.
00:38:00So it's critical that this committee gets this right, and quite frankly, the American people,
00:38:10myself included, we have some issues with what has happened, and how it happened,
00:38:17and what has transpired since, and yet there's no plan B, really. We have to address
00:38:27with you, that's what that means. Sometimes life comes down. My dad used to say, there's always one
00:38:33guy. It's always one guy, and today, congratulations. I'm the guy. You're the one guy.
00:38:41I get it. So I have a couple of difficult questions, and I apologize for any discomfort,
00:38:50because I am a gentleman, but again, you're the guy. Why did Microsoft not update its
00:39:00blog post after the hack? They call it, it's very fancy here in America, called an intrusion,
00:39:07but after the hack, the 2023 Microsoft online exchange intrusion, why did it take six months
00:39:16for Microsoft to update the means by which most Americans would sort of be made aware of such a
00:39:25hack? Well, first of all, I appreciate the question. It's one that I asked our team when I
00:39:30read the CSRB report. It's the part of the report that surprised me the most.
00:39:34We had five versions of that blog, the original, and then four updates, and we do a lot of updates
00:39:42of these reports, and when I asked the team, they said the specific thing that had changed,
00:39:49namely a theory, a hypothesis about the cause of the intrusion, changed over time,
00:39:57but it didn't change in a way that would give anyone useful or actionable information
00:40:04if they could apply. Okay, so you see, Mr. Smith, respectfully, that answer does not encourage
00:40:12trust, and regular Americans listening are going to have to move the tape back on a Microsoft
00:40:23instrument and listen to what you said again, but you didn't do it. I mean, you're Microsoft.
00:40:29You had a major thing happen, and the means by which you communicate with your customers was
00:40:35not updated for six months, so I'm just going to say I don't really accept that answer as
00:40:41thoroughly honest, but I need to move on. No, and then could I just say-
00:40:45Another question. I said the same thing, and we had the same conversation inside the company.
00:40:51Okay, I accept that that you did, so bigger question, China. I mean, you go to China,
00:41:00you meet with you, like you went to China. I guess you made many trips there. You're doing
00:41:06business there. That's fine, but you meet with Chinese Communist Party officials, and you
00:41:12reiterated Microsoft's support for helping the CCP achieve technological advancements. I believe
00:41:19this is your quote. I'm asking you to actively participate in the digital transformation of
00:41:25China's economy. I believe that was your statement, and my question is, does it strike you
00:41:33as contradictory that you'd make that statement just months after China sponsored the attack that
00:41:39we're discussing, and I yield for your answer, sir. The reality is that was not my statement. I
00:41:46chose my words more carefully. That was the statement made by an official of the Chinese
00:41:52government attributing it to- So it was not your quote?
00:41:56Let me just say, I was more careful and precise in what I said, and that was not my quote.
00:42:05So you find it as contradictory, or- Sorry?
00:42:08You say that's not your quote, but was that the position of Microsoft?
00:42:13My time has expired. I'm just trying to complete this answer.
00:42:16I'll just, yeah, thank you for giving me the opportunity. I explained in a meeting that there
00:42:23were areas where we thought it was appropriate and even important for us to be present and
00:42:27participate, but I did not choose or use the words. When I saw that quote appear, I was like,
00:42:34hmm, interesting. Thank you, sir. My time has far expired. I yield.
00:42:38Gentleman yields. I now recognize Mr. Swalwell for his five minutes of questioning.
00:42:43Thank you, Chairman, and I wanted to echo the ranking member's sentiment that I don't view
00:42:50this hearing as a shaming of any particular company, but rather an opportunity to learn
00:42:56from mistakes in the past so that we can better secure the digital ecosystem, especially with,
00:43:02you know, a company that has such a large footprint in that ecosystem. And so first,
00:43:09Mr. Smith, I was hoping we could go back to the ProPublica story where an employee alleges that
00:43:21a vulnerability was discussed and it was at the same time you were seeking government business,
00:43:27and knowing that you do have so many government clients today, as we sit here today, are there
00:43:34any vulnerabilities within your operating system that have been expressed to you,
00:43:41similar to what was alleged in the past that would affect any government system that you're aware of?
00:43:49What I would say is that everything that we're doing is focused on identifying every
00:43:55vulnerability that we can find, every vulnerability our employees can find,
00:44:01so we can go address them. And given the diversity of digital technology, given the complexity,
00:44:13I'm not sitting here today aware of anything that fits your description, but I am constantly hoping
00:44:20that every day we'll have people who find something and raise it so we can fix it. That's
00:44:28the culture we need, I think. So we can fix it, which I think is the theme here today. And in
00:44:33that spirit of what can we fix, what did you learn from the internal decision-making process
00:44:41on updating the blog post on the root cause of how the Chinese threat actor got the key? What
00:44:48would you do differently in an existing attack? You know, we get a lot of times people say,
00:44:57why do you update things so often? You know, you lose people's attention. I think the answer is
00:45:03because we need to. And we updated that particular blog four times. It was at least one time too few.
00:45:12We should have updated it again. And so I just think that the lesson learned is, yeah, maybe
00:45:18it's something you see a lot in life. It's hard to over-communicate. Let's work even harder to
00:45:23over-communicate. You discuss in your written testimony the growing connection between nation-
00:45:28state activity and ransomware. A city in my congressional district, Hayward, was hit very hard
00:45:35and experienced a ransomware attack last year where the city's online operations were crippled
00:45:40and a state of emergency was declared. Where do you see these ransomware attacks happening and
00:45:45what types of targets in the United States do you see as most at risk? Well, this is a critical issue.
00:45:50I hope this committee and we all can find new ways to work on it because it was last July in
00:45:54Hayward where, as you know, systems went offline for two weeks. In Hinds County, you know, in the
00:46:00second district of Mississippi, they had a similar problem. They had to write a check for $600,000.
00:46:06I suspect it had to be converted to cryptocurrency and it was probably mailed to Moscow,
00:46:12even if it was over the internet. This is a scourge. And the number one vulnerability right
00:46:19now, and it's just, I think, so disconcerting, is that ransomware operators are focused on
00:46:26hospitals, rural hospitals. There were 389 health care institutions last year that were victimized.
00:46:35And so some of the suggestions that the chairman and ranking member Thompson alluded to at the
00:46:40beginning, I think, require that we all come together to help these institutions. We launched
00:46:46an initiative just three days ago and we weren't alone. The White House did it. Google did it.
00:46:52We all need to do this together. But I also think we need to send a message.
00:46:58I think that message has to be sent to Moscow. We need to remind them that when we fought with them
00:47:0680 years ago, it was to protect people. And it was reflected four years later in the Geneva
00:47:14Convention that said even in times of war, governments have to protect civilians.
00:47:19And this is supposed to be a time of peace, at least between our two countries. And what are
00:47:23they doing? They are enabling their employees to use the tools they get at work and go home
00:47:30and run these ransomware operations and target hospitals or cities and counties, schools,
00:47:38the Jackson School District, the Vicksburg-Warren School District. This is unconscionable. And I
00:47:44think we have to find our voice, not only for ourselves, but with our allies and not only as
00:47:48governments, but with the tech sector, with the business community. And we have to find a way as
00:47:55a country to create a deterrent reaction. Because right now, this is just open season. It's open
00:48:04season on the most vulnerable people in our country. And we have to find a way to change that.
00:48:10Thank you, Mr. Smith. The gentleman yields. I now recognize Mr. Gimenez
00:48:15for five minutes of questioning. Thank you, Mr. Chairman. And I know a lot of other committee
00:48:21members are going to home in on the security breach. I'm more interested in Microsoft's
00:48:26presence in China, which I consider to be the greatest existential threat to our security here
00:48:31in the United States. Your presence in China, is that a joint venture or is that fully owned by
00:48:37Microsoft? What's the nature of that relationship? I don't recall all of the precise
00:48:44corporate structures. We do operate as a subsidiary. We also do have a joint, we have at least one joint
00:48:50venture for certain activities. Are you aware of the 2017 National Intelligence Law in China? Yes,
00:48:57I am. Do you know what that law states? If I remember correctly, one of the things it states
00:49:04is that when an organization finds a vulnerability, it has to... No, sir, that's not the one. That's
00:49:10not where I'm going. Okay. So here, I just happen to have AI myself. Hopefully, it's ours. Oh,
00:49:17yeah. I don't know. If it is, it's pretty bad for you. Because it says this. Okay. Yep. In China,
00:49:23there is a law called the National Intelligence Law that was implemented in 2017. This law requires
00:49:30all organizations and citizens to cooperate with China's intelligence agencies, including the
00:49:35People's Liberation Army, in matters of national security. While the law does not specifically
00:49:40mention companies working in China, it does apply to all organizations operating within the country,
00:49:47including foreign companies. Do you operate in China? Yes, we do. Do you comply with this law?
00:49:53No, we do not. How is it you got away with not complying with the law? Do you have a waiver from
00:49:58the Chinese government saying you don't have to comply with this law? No, we do not. You do not?
00:50:03But there are many laws. There are two types of countries in the world. Those that apply every
00:50:09law they enact, and those that enact certain laws but don't always apply them. And in this context,
00:50:16China, for that law, is in the second category. Do you really believe that? Because I'm getting...
00:50:21Look, I sit on the Select Committee on China, and that's not the information that we get,
00:50:26is that all companies in China have to cooperate with the intelligence agencies of China and the
00:50:31People's Liberation Army. You operate in China, and you're sitting there telling me that you don't
00:50:36have to comply with the laws of China? I will tell you that there are days when questions are put
00:50:41to Microsoft, and they come across my desk, and I say no.
00:50:48We will not do certain things. But you're compelled by Chinese law to do it.
00:50:54And the people in China that work for Microsoft are violating Chinese law when they don't do it.
00:51:00And I always make sure that it's clear to the Chinese government that if the Chinese government
00:51:04wants to sue somebody, they need to sue me. It's not about suing. In China, they don't sue you, man.
00:51:09They arrest you, okay? Do you understand that? And we make clear that there's no point in
00:51:16arresting people who have no authority to do these things. They have the authority to do those things
00:51:23because it's their law. You're in China. No, I'm talking about our employees. Okay, yeah, your
00:51:28employees in China are subject to Chinese law, are they not? But they don't have the ability
00:51:35to make these decisions. We've taken that out of their hands. I'm sorry. I just, for some reason,
00:51:43I just don't trust what you're saying to me, okay? You're operating in China. You have a cozy
00:51:47relationship in China. You're there. They allow you to be there. And I can't believe that they're
00:51:53going to say, yeah, okay, no problem. You don't have to comply with our law that everybody else
00:51:57does. Every other foreign company has to, but not Microsoft. I'll take you at your word.
00:52:05But I'm just demonstrating to you the problems that we have with American companies working in
00:52:13China. And that for 1% of your resources or of your income, is it really worth it to be
00:52:24in communist China? Especially when you have such a law that says you have to comply with
00:52:28their intelligence agencies and the PLA. The thing I would ask all of us to think about, and I, look,
00:52:34I appreciate your questions and the seriousness of them. We think constantly about these things.
00:52:41I do think that there's two valuable reasons for us to be in China. And I think they both serve
00:52:47the interests of the United States. The first is to protect American information,
00:52:52American trade secrets of American companies who are doing business in China. And the second
00:52:59is to ensure that we're always learning from what's going on in the rest of the world.
00:53:05Could I, I only have 13 seconds. Could I say this? Those American companies and all these American
00:53:10secrets that are working in China, they have to comply with the same law. Do you think they all do?
00:53:16Thank you. And I yield back. Gentleman yields. I now recognize Mr. Correa for five minutes
00:53:20of questioning. Thank you, Mr. Chairman. I just welcome you, Mr. Smith. And also,
00:53:27as ranking members said, this is not a shaming situation. But yet, you know, reading on this
00:53:34issue, I've been on homeland for eight years. This is very disturbing.
00:53:41That statement is an understatement as to how I'm feeling right now.
00:53:47What do I tell my constituents back home that actually pay you for your services?
00:53:54That an unsophisticated password spray, password key, well-known vulnerabilities enable this to
00:54:02happen? I think, I would hope you would tell them. I'm asking you. Oh, what should I tell them?
00:54:10What should I tell them? I would hope that you would share with them
00:54:16that we acknowledge these issues. They're paying you for your service. It's not a freebie. They're
00:54:22paying you. I pay you. I run your service up here and at home. I also pay you for service.
00:54:28And I would, I want people to know on the one hand. Not one hand or the other. Just tell me
00:54:35straight up. Okay. What's the message? The message has two parts. First, we see our customers attacked
00:54:42more than 300 million times every day. And we have people who work 24 by 7. Are we doing our job as
00:54:49the federal government in helping you? Or is there something else we can do to help you do your job
00:54:55better? I think that there are all things that we could do more together. And I would love to see
00:55:00the federal government focus on a few key things. I think that the investment in cybersecurity
00:55:06training that the chairman mentioned at the outset is an imperative. I think we have done a lot.
00:55:12We have trained as a company, 203,000 people in this nation in the last four years on cybersecurity.
00:55:18But we need the federal government to do more. I think we need federal assistance to help our
00:55:22critical infrastructure providers upgrade their technology. I think we need the kind of. Do you as
00:55:30Microsoft need to invest more in this area? We are investing more. We've increased our investment.
00:55:38But more than that, I think it's. Do you believe that Microsoft responded on a timely basis to
00:55:46these known breaches? We both responded immediately with people who work 24 by 7,
00:55:55pretty much around the clock. As soon as you found out this stuff was happening, you responded.
00:56:00I'm sorry? As soon as you found out or you'd find out these breaches are occurring, you respond.
00:56:08Oh, absolutely. One thing I would love for you all just to know is that despite these tens of
00:56:15millions of attacks every year. Do you respond to known vulnerabilities immediately? Yes, we do.
00:56:23We respond to every intrusion. We address vulnerabilities.
00:56:32We know the challenges that our competitors around the world pose to us, friendly and unfriendly.
00:56:40And I would love to talk to you sometime in the SCIF to tell us exactly what it is that we need to do
00:56:49to make sure this doesn't happen again. As I am beyond shocked to read about this situation.
00:56:59You have our trust, our business, both at the public and the private sector. And to hear about
00:57:07what's going on here is very disturbing at best. I hear you saying, you know what,
00:57:14we're here to cooperate fully. The damage though, I've got constituents back home that have been
00:57:22lost money because of malware, so on and so forth. It's painful, the private sector.
00:57:31You're, they run on your platforms. They trust on you being on top of your game.
00:57:43Any thoughts? We are determined. We start by acknowledging where we fell short and we are
00:57:54focused. I had the last comment made with our board of directors yesterday was by the senior
00:58:00engineer leading what we call the Secure Future Initiatives and her last words to our board were,
00:58:05we want you to know our engineers are energized by this. And my last nine seconds, I would ask you,
00:58:13you know, we often say here that the chain is only as strong as its weakest link. Are you going to
00:58:21strengthen up? Are you going to do a better job over there? Absolutely. And let me just say this
00:58:26in closing. I would hope that you would share with your constituents, we never take their trust
00:58:33for granted. Chair, I'm out of time. Gentleman yields. Point of clarification for the record,
00:58:40it was 300 million attacks a day. Did I hear that correctly? Yes, that's correct. Against
00:58:46our customers that we observe, we detect more than 300 million such attacks every day.
00:58:52Okay. Just clarifying for the record, I now recognize Mr. Pfluger for five minutes of
00:58:58questioning. Thank you, Mr. Chairman. Mr. Smith, thanks for being here. I want to talk about the
00:59:04collaboration. In many committees on Capitol Hill, we're talking about this balance and tension
00:59:11between safety and security and liberty and, you know, private enterprises. And so what I really
00:59:18want to hear from you is talk to us about the relationship with CISA. I know you've mentioned
00:59:25this in testimony written and also today, but just talk to us about how that relationship is,
00:59:33what can be better from your side? What can be better, what you expect from the government?
00:59:38Is it a mandate for reporting from the government? Is it, you know, voluntary roundtables in a
00:59:45classified setting? I'd like to hear a little bit about that and I have some follow-on questions.
00:59:50Yeah, I think CISA is a critical agency. It's been moving in a positive direction overall. I think
00:59:55the CSRB plays an important part of this. I think that ultimately we would benefit from finding more
01:00:02ways to keep working together across the tech sector and then with the CISA and other agencies
01:00:09in the U.S. government and frankly with our allies because it's an entire ecosystem that
01:00:16we're seeking to defend and nobody can do it by themselves. And I think fundamentally just as,
01:00:24you know, the CSRB's words were well taken by us. We needed to focus on our culture.
01:00:30I think we have a collective culture and it's a collective culture that we need to work on by
01:00:36inspiring more collaboration not just with the government but frankly across our industry
01:00:44so that, you know, people can compete. Somebody said there's no plan B. I think about two-thirds
01:00:48of the folks who are sitting behind me in this room are trying to sell plan B to you in one way
01:00:53or another and that's okay. But there's a higher calling here as well and I like to say, you know,
01:01:02the truth is when shots are being fired, people end up being hit and they take their turn being
01:01:08the patient in the back of the ambulance. Everybody else, you're either going to be an
01:01:12ambulance driver or you're going to be an ambulance chaser. Let's be ambulance drivers together.
01:01:18Well, let's drill down to that and the relationship that you have with the U.S.
01:01:23intelligence community, with DOD. The thing that's unique about Microsoft is you pretty much
01:01:29cover every sector, every industry, every, you know, households, businesses, but when you
01:01:35look at the relationship with the national security entities, tell us what the biggest
01:01:39gaps are right now to making sure that they can stay secure in their operations.
01:01:46The thing to think about is that defenders too often work in silos. Every company thinks about
01:01:53their products. Every agency thinks about what they have. Attackers look for the seams between
01:02:00the silos. The more silos you have, the more seams you have. And just as there are seams in different
01:02:07technology products because most customers deploy them together, there are seams across the
01:02:13government. So a lot of times one of the challenges for us is that the parts of the government when
01:02:21this information is coming in about, say, an active cyber attack from a place like China,
01:02:26that information doesn't necessarily flow from one part of the federal government to another.
01:02:31And there's a lot of work being done to address this, but I think that needs to be
01:02:36advanced more quickly as a matter of priority. 300 million attacks a day. That's incredible.
01:02:43Finally, let me just talk about that. I think this is a committee on homeland security. We're
01:02:47very worried about what nation-state actors and non-nation-state actors are doing and how that
01:02:52affects our homeland. Obviously the PRC and the CCP's attempts to undermine this country,
01:02:59our government industries, intellectual property, all of it is a massive concern. And so I know
01:03:06you've mentioned this before here today, but just talk to us a little bit about the relationship
01:03:12with the PRC. How does that affect intellectual property, things that you have that could be
01:03:19either exploited for their benefit to undermine the United States of America? I would say two
01:03:26things. I mean, first, any company that has valuable intellectual property has to be very
01:03:32careful to protect it from theft, unless it's IP that they're publishing, and a lot of code is
01:03:38published in open source form. But you have to think about how to protect it so it doesn't go
01:03:43where it should not. And there are certain intrusions, especially from, say, a place like
01:03:49the PRC, that are focused on discovering trade secrets. And knowing that, is Microsoft taking
01:03:56steps to improve what you're protecting? Absolutely, absolutely. I mean, it's...
01:04:03The other thing just to know, is that the adversaries are constantly changing their tactics.
01:04:10If this were a case of just saying, gee, this is what was done in like 2022, let's all go fix what
01:04:16was done in 2022, then you'd feel good. But I guarantee that what is done in 2025 is going to
01:04:23be different from what is being done in 2024. You constantly have to learn, adapt, and change,
01:04:30which is what we're doing. Thank you. My time's expired. I have more questions. We'll submit them
01:04:35for the record. Mr. Chairman, I yield back. The gentleman yields. I now recognize Mr. Carter
01:04:39for five minutes of questioning. Mr. Chairman, thank you very much. And Mr. Smith, thank you
01:04:46for being here. Mr. Smith, it's no secret that our critical infrastructure is being targeted.
01:04:52I'm particularly worried about rural hospitals and how they continue to be targeted and attacked
01:04:58by nation state threat actors. Just this week, Microsoft announced a new rural hospital
01:05:04cybersecurity program. One of the hospitals in my district, St. James Parish Hospital,
01:05:10is a participant. Would you describe this program and how it will help the nation's
01:05:15rural hospitals defend against attacks? Yes, thank you. And we talked a little bit about
01:05:21this before, obviously, and I just think it's a critical priority for the whole country,
01:05:25because people's lives literally are at stake. What we have launched this week is first a program
01:05:32to provide technology assistance to hospitals, especially rural hospitals,
01:05:37giving them security tools at the lowest possible price. In some cases, it's a 75% discount. In some
01:05:45cases, it's free of charge for a year. The second thing we're doing is then going in and helping
01:05:51with, call it know-how, advisors, technology assessments, so we can work with people.
01:05:57The third thing we're focused on is then trying to help them use technology so that they can be
01:06:03more effective. As I'm sure you're seeing, right now there are a lot of rural hospitals in this
01:06:09country that are barely afloat. And when a rural hospital closes, not only do people lose access
01:06:16to local health care, but some of the good jobs in the community are destroyed at the same time.
01:06:22And there's a shortage of people to work in these hospitals. So one of the things we're
01:06:27trying to focus on is how can we use digital technology, especially AI, you know, to improve
01:06:33the quality of rural health care, reduce the costs, not just for the patients, but for the operators
01:06:41of these especially small hospitals with, say, 25 or fewer beds.
01:06:46So we're trying to put together a holistic approach that we think could make a difference.
01:06:51What about HBCUs or other small organizations that could likewise use technical assistance
01:06:58and the help that might be in a similar situation financially as a rural hospital?
01:07:04Well, we have educational pricing in general, but I would say there's two categories in
01:07:08the educational community that deserve special priority, and we're trying to give them
01:07:13special priority. One is HBCUs, and therefore we've created a special program to invest in them,
01:07:22to provide scholarships, to work on cybersecurity training and the like.
01:07:27The second is the nation's community colleges. I feel that this is the great resource that 1,000
01:07:35plus community colleges in this country, we need to equip them and send them into this battle,
01:07:42and that requires three things. One is equipping them with the curriculum, which we can do,
01:07:46and other tech companies have done a good job as well. I want to spread credit.
01:07:50Let me do this. I don't want to interrupt you, but I've got a few more questions,
01:07:52a little bit of time. Okay, I'll let you go. I'd be happy to talk to you anytime.
01:07:57Was that a yes? Yes.
01:07:58That is a yes. You are prepared to and have programs to work with
01:08:02other disadvantaged organizations, particularly HBCUs. Okay, great. Increasing frequency and
01:08:09sophistication of nation-state cyber attacks in the United States. Do you agree that the country
01:08:16is currently lacking in having successful deterrence strategy? If so, what steps are
01:08:21needed to enhance deterrence, and what can we do in addition to partner with you to do that?
01:08:26This is a critical and hard problem we need to solve as a nation, and it requires we do three
01:08:32things. First, we've got to draw the red lines so it's clear to the world what they cannot do
01:08:39without accountability. Second, we need transparency. We need collective action with
01:08:47the private and public sector and with allied governments so that when those red lines are
01:08:51crossed, there is a public response and people know what has happened. Third, we need to start
01:08:58defining some consequences because right now these threat actors are living in a world where
01:09:04they are not facing consequences. Real quickly, I've got 30 seconds and I've got a really important
01:09:10question. I'm going to read this because I want to make sure I get it right. Earlier this year,
01:09:13I was briefed by members of the Cyber Safety Review Board about its review of last summer's
01:09:19incident, and I wanted to raise an issue we discussed there on value logging. Members of
01:09:25this committee have for years raised concerns that Microsoft was charging extra money for
01:09:30customers to gain access to basic logging data, and customers need to identify and investigate
01:09:36cyber incidents. When you or one of your representatives testified before the committee
01:06:42in the aftermath of the SolarWinds breach, they explained that everything that we do
01:09:47is designed to generate a return other than philanthropic work. The State Department paid
01:09:54for extra logging, generating a profit for Microsoft, and ultimately using those logs
01:10:00to detect this attack. But not every customer had that logging capability enabled. Last summer,
01:10:06Microsoft finally announced that it would provide free logging to customers, and in February made
01:10:11those logs available for all federal customers. Why did it take so long to make this decision,
01:10:17and what went into your changing your mind? Well, in fact, we've even gone a little bit
01:10:23farther than... But that's fine, but could you just answer the question I asked?
01:10:30I wish we had moved faster and had gone farther. I think there was a focus on the real costs
01:10:36associated with keeping and retaining logs, but we should have recognized sooner, especially as
01:10:42the threat landscape changed, that we would be best served, I think, as we are now by not just
01:10:48retaining but providing these logs for free. So what's the status on providing free logs to all
01:10:55customers and not just federal agencies? Basically, what we've decided is for all of our so-called
01:11:00enterprise offerings, there's three layers, and for all of them, we retain the logs for six months,
01:11:06which is what the CSRB recommended, and we will provide those logs. Say these are individual
01:11:12customer logs. We will provide them to those customers. They get access to them when they
01:11:17need them at no additional cost. Would you agree that it's as important for Microsoft, the company,
01:11:25to have this level of security for its customers as it is for customers to, in fact, have the
01:11:30security? Yes. Thank you. My time has expired. The gentleman's time has expired. I now recognize
01:11:38Ms. Greene for five minutes. Thank you, Mr. Chairman. Mr. Smith, this has been a very engaging,
01:11:45intriguing conversation. I'm a business owner, so I've been listening to this and, you know,
01:11:52taking it in and thinking about it through that lens. You started with something that I find
01:11:57impressive. You said you accept responsibility, and I just want to commend you for that. I
01:12:05appreciate it. We don't hear that very often here, but I think it's valuable, and I think it's
01:12:12right, so I just wanted to say thank you. I understand that Microsoft has a unique role to
01:12:16play in our cybersecurity landscape, as it's responsible for nearly 85 percent of the
01:12:22productivity software such as Word, Excel, and PowerPoint used by the U.S. government. Given the
01:12:28company's presence, Microsoft is, of course, at significant risk of cyberattacks, over 300 million
01:12:36a day. Is that true, 300 million a day? We detect 300 million a day against our customers,
01:12:43so that's what we get to see, given all of the telemetry we have. Last year, if you look at,
01:12:49you know, phishing attacks, we had 47 million against ourselves over the year.
01:12:54Wow. That's far more than I could have even comprehended. Of course, these are serious,
01:13:02and we're all, everyone here on the committee is recognizing that. As you stated in your testimony,
01:13:09cyberattacks have become more prolific, just as you stated, and as a result of the attack that
01:13:16your company went under, in May of 2021, the Biden administration released an executive order
01:13:23on improving the nation's cybersecurity, which required the establishment of the Cyber Safety
01:13:28Review Board under DHS. I want to talk to you a little bit about the board. I think, of course,
01:13:36oversight is important, but I think there should be more action taken by our government to prevent
01:13:44cyberattacks. Could we talk a little bit about the board? My understanding is the Cyber Safety
01:13:51Review Board is a mix of government and industry representatives. Is it true that Microsoft is not
01:13:59represented on the board? That's correct. Is any of your competitors on the board? Yes, they are.
01:14:08So, essentially, how did this work? When this attack happened, the board, can you talk a
01:14:16little bit about that process? Yeah, and you're getting at such a critical question, because I
01:14:20will say, first, I think we benefit from having this kind of organized effort. I think it's probably
01:14:26a mistake to put on the board people who work for competitors of, say, a company that is the subject
01:14:35of a review. The spirit of this, when it was created, was to create a community of people
01:14:41who could learn together, but I just don't, I'm less concerned about the way the process worked,
01:14:49and I just worry that where people want to take it in the future and just make hay out of others'
01:14:54mistakes, and I'm just not sure that's going to do us that much good.
01:14:59Right. So, did CSRB, did it share with Microsoft what your competitors said about their own
01:15:07security practices? I don't believe so. I don't know. I don't believe so. I could be wrong, but I
01:15:12don't believe so. Okay. And with your competitors on the board helping produce the report,
01:15:23was this used in any other way in the marketplace? Yeah, and I just, I want to say two things,
01:15:29because first, I think the most important thing for me to do and for Microsoft to do is what you
01:15:33said at the outset. I just want to be here and accept responsibility, and I don't want to deflect
01:15:38any of that responsibility, because we have the highest responsibility. But second, the words that
01:15:43I would offer, and I'll offer it to the folks in the back who work for our competitors, because
01:15:48there's a bunch of them here. It's fine. Go tell people that you have something better, but we have
01:15:56to have a higher cause here. We are not the adversaries with each other, even though we may
01:16:03compete with each other. The adversaries are our foreign foes. So let's try to exercise a little
01:16:10self-restraint about how we work in these processes, because I don't think that the next
01:16:17company that gets an invitation from the CSRB is likely to be necessarily as willing as we were to
01:16:24share everything, which we did. Well, I agree. I think competition is healthy in the business
01:16:32world. I think it's great, actually. I enjoyed it for years and years. But I think oversight is also
01:16:38extremely important, and of course, I think everyone in this room agrees that we do not want any
01:16:45foreign country gathering any of our information, whether it's from an American citizen to our
01:16:52government, of course. CISA also has a bad reputation, especially among Republicans.
01:17:00They colluded with big tech and social media companies, stripped many Americans of their First
01:17:05Amendment rights. So that was another reason why I wanted to ask you a little bit about the board
01:17:10and how that worked. But furthermore, I have more questions, but I'm out of time. I think
01:17:18it would be extremely important for there to be assistance from the federal government in protecting
01:17:25not only companies like yours, but mom-and-pop companies. I mean, across the board to regular
01:17:31citizens from cyber attacks. It's a serious problem, and it will continue. I'm out of time.
01:17:37The gentlelady yields. I now recognize Dr. Thanedar for his five minutes questioning.
01:17:44Thank you, Chairman. And thank you, Mr. Smith, for being here. I owned a small technology company
01:17:53before I came into public service, a much smaller technology company. And I was involved with some
01:18:01eight different acquisitions. Now, the CSRB raised questions about Microsoft's mergers and
01:18:11acquisitions compromise assessment program after it failed to detect that a laptop belonging to
01:18:19an employee of an acquired company had been compromised. The board went on to recommend that
01:18:26large enterprises develop robust M&A compromise assessment programs, recognizing adversaries
01:18:34might view the acquiring as an entry point to the parent company. How is Microsoft
01:18:44improving its M&A compromise assessment programs? Is there additional support or guidance the
01:18:53federal government should be providing the private sector regarding M&A compromise assessments?
01:19:00I'm not sure of the answer to your last part, but I do know that it's critical that we do more.
01:19:07We've been focused on this for a long time. It's sort of a, I'll even say, obvious thing that when
01:19:12you acquire a company, you have to take a close look at its cybersecurity controls, which we long
01:19:18have and do. And yet, as the CSRB report found, we had an inadequacy. So in part to address this,
01:19:29part of the governance change we're implementing is to have a new deputy chief information security
01:19:34officer focus solely on the integration of companies that are acquired. We clearly need
01:19:41to step it up and well. Thank you. Mr. Smith, as you state in your testimony, nation-state
01:19:48adversaries are becoming more aggressive. Countries like China, Russia, Iran, and North Korea present
01:19:56grave threats to our national security. And defending against them will require public-private
01:20:03cooperation that prioritizes strengthening cybersecurity across government networks and
01:20:09critical infrastructure. Considering our reliance on large IT vendors like Microsoft,
01:20:17our defenses will only be as strong as our technology providers are. That is why it was
01:20:23so disappointing to see the CSRB report that Microsoft had failed to properly secure its
01:20:31products. Microsoft must do better. And I expect that Microsoft will continue to update the committee
01:20:38on its progress. Congress must also do more to ensure the federal government has the resources
01:20:45to meet the goals of President Biden's ambitious national cybersecurity strategy. Mr. Smith,
01:20:53how is Microsoft improving its security to protect itself and its customers to address
01:21:00these increased foreign threats? Well, it's a multifaceted effort. And as I said in my written
01:21:09testimony, it really starts with what is today the largest engineering project focused on
01:21:14cybersecurity in the history of digital technology, with detailed milestones, 34 different
01:21:20categories. And I think that's critical. But it really is, I think, a new approach to cybersecurity
01:21:29culture. It's a new approach for Microsoft. And the more time I spend with it, with my colleagues,
01:21:36the more encouraged I am, because fundamentally, it's about taking security and making it part
01:21:41of the engineering process and every process, treat it like quality. And the cultural change,
01:21:49and several of you have commented about this, I just think it's so important. We want a culture
01:21:54that encourages every employee to look for problems, find problems, report problems,
01:22:00help fix problems, and then learn from the problems. That's what we need to do. And we
01:22:06need to do this in a way that doesn't put security in its own silo, although there are special
01:22:11security teams, but makes security part of everyone's job. I think that is one of the
01:22:17indispensable steps we are taking and really need to take. Thank you. And with my last 30 seconds,
01:22:24what investment should Congress prioritize to improve our national defenses against nation-state
01:22:31cyber threats? Invest in the American people. Invest in the training of the American people.
01:22:38Provide more scholarship assistance so that Americans can go to a community college,
01:22:45go to an historically black college or university, get a course, get a certificate,
01:22:56get a degree in cybersecurity. There are 400,000 open jobs in the United States today
01:23:04in cybersecurity. Help us fill those jobs. Thank you.
01:23:10The gentleman yields. I now recognize Mr. Gonzalez for five minutes of questioning.
01:23:15Thank you, Mr. Chairman. Mr. Smith, is Microsoft Teams a secure platform?
01:23:20I believe it is. I use it every day for lots of sensitive conversations.
01:23:25I would say I'm concerned. I'm concerned with the trust level that Americans have with Microsoft
01:23:31for a variety of different reasons. I believe Microsoft has been a trusted agent for a long
01:23:35time. And let me give an example. If you work for the Department of Defense, and let's say you want
01:23:42to communicate with others in an unclassified environment, but let's say it's in an official
01:23:49capacity, right, oftentimes the conversation is don't use Zoom or others like that because that's
01:23:56an unsecure platform. Let's use Microsoft Teams. And what I'm seeing, what I'm starting to hear
01:24:02is more and more government officials, government agencies, DOD-affiliated folks
01:24:09not trust that. So if Microsoft, if they don't trust that, what options do you have? Once again,
01:24:14I understand if it's a classified setting, but I'm talking about how do you reach people without a
01:24:19CAC card, without having to go down the CAC card route. Is there anything that is in the works in
01:24:26order to regain some of that, whether it's warranted or not, there is an eroding amount of
01:24:31trust within Microsoft? Is there anything in the pipeline that will regain that trust among DOD-
01:24:37affiliated organizations? Well, first of all, I appreciate the fundamental gravity of the
01:24:45question. I would say that we are continually and constantly focused as part of this work that
01:24:52we're doing in increasing the security for every aspect of what we do, including Teams and every
01:24:58aspect of it. And I feel comfortable talking with the DOD or others on Teams. I want them to feel
01:25:08comfortable and I want them to know that we are not stopping where we are because our adversaries
01:25:14are not stopping where they are. We are going to continue and are continuing to invest in hardening
01:25:19the security of Teams even more than it has today. Thank you for that. A large part of what
01:25:26we do on this committee is try to get everyone out of silos. All these agencies are in silos.
01:25:31Every time there's a national security threat, you look back at these reports and it's always
01:25:36somebody knew something, but when did they know it? And part of that is the ability to communicate
01:25:41in a FOUO setting where you feel as if maybe it's not quite the classified level, but you feel
01:25:49not everyone's listening on it. I just would reiterate how important that is from a national
01:25:54security standpoint to ensure that the government has at least some platforms like Microsoft Teams.
01:26:00My final question is this, how is Microsoft planning to combine your SFI while ensuring tools
01:26:07and software remain user-friendly and accessible? Great. First of all, I want to just thank you for
01:26:13your first set of questions and I will quote you back in the company's headquarters. Second, the
01:26:20point that you make is also so critical because we have to make security first, the top priority,
01:26:27but we have to make it easy for people to use. And so we do need to synthesize these things.
01:26:35And I think one of the virtues of what we're doing is not just calling on deeply technical
01:26:42engineers, but also people say in the field of software design and elsewhere. And I think part
01:26:49of our quest, I think it's a great quest for all of us, not just at Microsoft, but across the industry
01:26:55is to continue to have what we call security by default so that when people get a new computer,
01:27:02a new software program, all of the security settings are on by default. They have what we
01:27:08call security by design so that it is designed so that it's not only effective, but easy for people
01:27:14to use and easy for people to know what is happening. So we're focused on all of those
01:27:20things and I'll just say there's, I think, a lot more coming. Thank you for that response. Trust
01:27:26is the name of the game and we have to make sure that Americans continue to trust these different
01:27:31platforms that are out there. So thank you once again for testifying before the committee and
01:27:36Chairman, I yield back. The gentleman yields. I now recognize Mr. Magaziner for five minutes of
01:27:41questioning. Thank you, Chairman. One of the joys of speaking in the order after our colleague
01:27:47from Georgia is that I'm often handed notes to correct incorrect statements that she made. So
01:27:53I just want to enter into the record that Microsoft's competitors were recused from
01:27:59the findings, the final report and the recommendations of the CSRB Microsoft
01:28:03investigation, just so that's in the record. Now, Mr. Smith, the article that Mr. Thompson,
01:28:09Ranking Member Thompson, referenced earlier had to do with the so-called SolarWinds breach
01:28:15in which Russian hackers infiltrated Microsoft's cloud service and was able to gain access to some
01:28:22of our country's most sensitive secrets, including information from the National Nuclear Security
01:28:29Administration, which oversees our nuclear stockpiles and the National Institute of Health.
01:28:33You provided testimony to the Senate Intelligence Committee in which you stated that the flaw that
01:28:40allowed that breach to occur only became known to cybersecurity professionals at Microsoft
01:28:46when it was published in a public paper in 2017. It has now been widely reported that
01:28:51former employee Andrew Harris discovered the flaw a year earlier, alerted his superiors and
01:28:57other company executives, proposed a series of solutions that were rejected. So can you now
01:29:03agree that the testimony that you offer to the Senate Intelligence Committee about what Microsoft
01:29:08knew about that flaw and when Microsoft knew it was incorrect? Well, look, the first thing I would
01:29:14say is I know that came out in an article this morning. I haven't had a chance to read the
01:29:17article yet. I was at the White House this morning. OK, so so if you can say I'll just
01:29:23note that the article cited numerous sources inside the company, not just that one individual.
01:29:28But if you're not prepared to say that, then we can move on. OK. I agree with what Chairman
01:29:35Green said earlier about the importance of incentives. And so I welcome the news that
01:29:39came out, I believe yesterday, that one third of the individual performance element of bonuses for
01:29:46senior executives will be tied to cybersecurity performance. How much of the total compensation
01:29:53package for senior executives is the individual performance element? It depends on the
01:29:59individual. It depends on the year, I'll say. Roughly? More than enough to get people's attention for sure.
01:30:05But roughly like ballpark? Of the cash portion, it's probably, I don't know, I will say about
01:30:1320%. If you add stock, it's much lower. All right. Well, if you could follow up on that,
01:30:19that'd be helpful, because just to be clear, you know, a third of the individual performance element
01:30:24sounds good, but it depends on how big the individual performance is as a part of the whole.
01:30:28If it's 10% of the total compensation package, then the cybersecurity incentive would only be
01:30:333% of the total package and would potentially count less toward the total than revenue targets
01:30:41or profitability targets or other things. On the other hand, if it was 60% of the whole, then that
01:30:47would be a much more meaningful incentive. So having some understanding of how large a percentage
01:30:52of the whole that individual performance element is would be instructive. Yeah, you're making a
01:30:59good point. The one thing I would just add is if there's one thing that's true at Microsoft and
01:31:03across the tech sector, people like to get good grades. Yeah. This is, this is one, let me just say,
01:31:09this is one, one third of their total. If you don't have the information now, that's fine. I
01:31:13have a few more questions. On that individual performance incentive, that portion of the
01:31:20compensation, is it restricted stock? Is it something that can be clawed back? And if so,
01:31:25do you know how far back the clawback can be exercised? Some of these details are still to
01:31:30be refined, but the, this is the bonus, the cash bonus that people get each year. I would just
01:31:36suggest, you know, since it's still being refined, if it's a cash bonus, then that suggests it would
01:31:42be difficult to claw back. And a cybersecurity lapse may not become known until years after the
01:31:49fact. And so I would suggest that perhaps some sort of a clawback mechanism could make the
01:31:54incentive more powerful. Finally, piggybacking on the, on the chairman's question, the article that
01:32:00was published today stated, quote, product managers at Microsoft, product managers, not
01:32:05senior executives, had little motivation to act fast, if at all, to address these security flaws,
01:32:12since compensation was tied to the release of a new revenue generating product and features.
01:32:17With one former employee stating, you will get a promotion because you released the new shiny
01:32:22thing. You are not going to get a promotion because you fixed a bunch of security bugs.
01:32:27So given the importance of people at the product manager level, is there any plan for their
01:32:33compensation to be tied, at least in part, to meeting cybersecurity goals? One of the things,
01:32:40the answer is yes. One of the decisions that was announced yesterday that I provided in my addendum
01:32:45is every single Microsoft employee, as we get to the new fiscal year, will have as part of their
01:32:51biannual review, a mandatory part to talk about cybersecurity to do precisely what you just
01:32:57described. If you indulge me for a second. So part of their review, but is there sort of a portion of
01:33:03their compensation that's directly tied to the cyber portion, to the cyber factor, as will be
01:33:09the case with senior executives to some extent? It won't be as formulaic, but everybody knows
01:33:16that the bonuses, the compensation, we call them rewards that you get at the end of the year,
01:33:22are based on those reviews and how people do over the year. I know I'm over, but I'll just say I
01:33:29want to state I do believe it is a positive and I think a good example that we are integrating
01:33:34cyber into compensation packages. I just want to make sure that we're doing it in a way that
01:33:38that is really going to be impactful. So I'll yield back. The gentleman yields. I now recognize
01:33:44Mr. Garbarino for his five minutes of questioning. Thank you, Mr. Chairman. Good to see Mr. Smith.
01:33:53In its report, CSRB's overarching conclusion is that Microsoft's security culture requires an
01:33:58overhaul given its centrality in the technology ecosystem, and I believe a lot of the recommendations
01:34:04that they've, they recommended, you're already, you're already putting into place.
01:34:10With the series of the findings of the CSRB report and the recommendations provided,
01:34:16and now, and how the report was written, and now that we're all here having a hearing on it,
01:34:23how do you anticipate future voluntary cooperation with the board's request for information? Because
01:34:28the CSRB is not created, it's not in statute. They really have, they have, they have to go,
01:34:35they can only get the information that is provided to them by people who come, who comply like your,
01:34:39like your company. What do you anticipate happening now in the future with other requests?
01:34:46Well, I guess the short answer is I don't know, but I hope three things will ensue.
01:34:53One is that people will remember that we collaborated and provided everything that
01:35:01the CSRB asked for. Two, that I came here today and we acted as a company
01:35:10with a real spirit, I hope you'll see, of humility, of accepting responsibility,
01:35:18of avoiding being defensive or defiant. And three, then I hope that people will look back
01:35:25six and 12 months from now and say, and that you all hope others will do the same. Because I think
01:35:32if you all can help us encourage that kind of spirit of responsibility, that's how we'll get
01:35:39better. Because our, we know our adversaries are going to get better, so we have to find ways to
01:35:44get better too. I appreciate that and I do appreciate you being here and all the meetings
01:35:51that we've had and discussions and I know you've been working with CISA as well and the CSRB board.
01:35:58You brought up Secure by Design in one of your last questions and I've had a lot of conversations
01:36:03about that. I think we're actually, my committee's actually going to have a hearing on Secure by
01:36:07Design. Can you talk about what Microsoft's doing? Can you go into a little further about with the
01:36:13Secure by Design? Yeah, there's, Secure by Design actually connects with, you know, I would say
01:36:19several of the pillars of what we call our Secure Future Initiative. You know, we're focused on our
01:36:25engineering systems and our production systems and then those really come together, in my view,
01:36:31to encourage our software developers to integrate security into the design of new products.
01:36:39So that, as we say, it's baked in and I think one of the key things that we've really sought to
01:36:46internalize is, as I've said here, to make security part of everybody's job and not just part of the
01:36:54work of the security team. In hindsight, I think that's one of the mistakes that we, I think,
01:36:59rely almost too much on the security experts and didn't do enough to ask everybody to make
01:37:06security part of their job. So, you know, some of you have asked about this recall feature. I think
01:37:12it's a great lesson. I mean, we're trying to apply it as a lesson learned. So if somebody's creating
01:37:17the recall feature, they need to think about the security aspects of the recall feature. It hasn't
01:37:22even been launched yet. So we've had the time to do this right. But it's a, we're trying to,
01:37:29you know, focus on culture change. Culture change requires constant role modeling and practice.
01:37:35And so each time we go through this, we're talking very publicly so that everybody can
01:37:41see inside and outside Microsoft quite tangibly how people can weave this into the design decisions
01:37:49they're making. Well, I think secure by design is very important. You know, as we all know with
01:37:54cybersecurity, a lot of the intrusions come from end user error and you're only as strong as your
01:38:00weakest link. So I think having more secure by design in these products is, having secure
01:38:06by design implemented would be great for everybody, every user of the Microsoft product or any product.
01:38:12And you just, finally, you mentioned to, you know, you had the question what we should,
01:38:18what should we invest in? And you said America, the people, you know, scholarships. You know,
01:38:22I think that's true. And I know the chairman is working on a piece of legislation that would
01:38:26do just that. What is Microsoft doing on that end? I know we can, we can do stuff. What is
01:38:31Microsoft doing to help with workforce? Well, we've, we provided free curriculum,
01:38:36but more than that, we provided free training to 203,000 Americans on cybersecurity. Over the last
01:38:42four years, we've provided 21,000 scholarships. And the thing I would leave with you all is,
01:38:47as you all may know, if you work with community colleges, the students in these colleges are not
01:38:53well-to-do. They're usually, you know, trying to earn a living and go to college at the same time.
01:38:58And, you know, if something goes wrong in their life, it can just throw them out of the ability
01:39:03to go to community college. These don't have to be hugely expensive scholarships,
01:39:09but they are so impactful. And I would really hope and ask and encourage you all, I know Mr.
01:39:16Magaziner is a sponsor on one of these bills, the chairman, you're crafting these things.
01:39:22If you can make it a priority, it will help everybody. Thank you very much. I know I'm a
01:39:27little over. I yield back. The gentleman yields. I now recognize Mr. Ivey for five minutes of
01:39:33questioning. Thank you, Mr. Chairman. I appreciate that. Mr. Smith, thank you for being here today.
01:39:38We appreciate your presence. I wanted to ask, this might be a little off the beaten path here,
01:39:44but about AI. The representative from New York, Ms. Clark, allowed me to join onto a bill of hers
01:39:51that goes to AI deep fakes and the like. And we're, you know, we've got legislative efforts
01:39:57to fix these issues. Part of it might entail litigation and the like, but my sense of this
01:40:02is that as a remedy, it just takes too long to implement it in a way to address one of these
01:40:10things. On the radio the other day, they were talking about middle school bullying is now using
01:40:18sexual deep fakes. Guys are putting up pictures of preteen girls in some instances with, you know,
01:40:26that are deeply psychologically damaging to them. So since litigation and legislation, we have to
01:40:31make those adjustments to address the problem. But I mean, I think a bigger part of it's going
01:40:38to have to be technological. And to address the AI aspect of it, it seems to me that we need an AI
01:40:46counter to that. I don't know what's coming along those lines, but I'd like to know if Microsoft
01:40:53or any, if you're aware of anything that's being developed that could help with that
01:40:58to address that issue in the very near future. Yes. And I mean, first of all, I appreciate your
01:41:04focus on this. I was watching the hearing you all had a couple weeks ago on AI and you were raising
01:41:09it there. And I think that's a good thing. First, I think we need to understand the problem. I think
01:41:15you captured it well. We are seeing the creation of AI based deep fakes, you know, in a way that
01:41:21can threaten candidates, all of you, to be honest, this year. Well, I'll come to elections in a
01:41:26minute. Okay. Yeah. But as well as teenage girls, women, many others. So the solution is
01:41:32threefold. One, put in place more guardrails around our legitimate products. So it's harder
01:41:37for people to use it for abusive purposes. The second is use AI. Give me an example of the
01:41:43guardrails. Basically, when we have products, we have some ourselves, Microsoft designer,
01:41:50you build in an architecture, it has classifiers, so that if someone is going to do something,
01:41:55you detect what they're doing. And in certain cases, you stop them from doing it. So if they
01:42:01you know, feed up, they try to take a photo of someone and remove their clothes, you say no,
01:42:08that's not allowed. I mean, things as about as straightforward as that. But you know,
01:42:13there's a complex and I think very sophisticated architecture involved. Second, AI is very good
01:42:20at detecting the use of AI to create images. And it's always going to be a cat and mouse game. And
01:42:26you get debates among the technology experts. But I have a level of optimism myself about what I
01:42:34see our people in our AI for good lab doing to detect these problems. Third, you got to be able
01:42:39to respond, you've got to be able to use AI then to stop it or to take it off a platform. And we do
01:42:47need good old fashioned education so that people are aware so that parents are aware of what their
01:42:52kids might be doing or the problems the abuses their kids may be facing those. It's really
01:42:58multifaceted. Well, let's back up to number two. And that's detection, which I take it would be
01:43:02not so much you have to rely on the parents or even the individual who's the target, because it
01:43:07might be a while before they even become aware of the issue. What sorts of detection mechanisms
01:43:12are on the near horizon that could be implemented? Well, we have detection mechanisms that we have
01:43:18in place today. And we're focused on specific problems in particular, if I could, one of them
01:43:25is elections. How widely available are they? Well, we are offering free training for every candidate
01:43:33for office in the United States. We've done this in 20 other countries, we have a website, let me
01:43:38back up, I want to go back to because the Okay, we're going to look out for ourselves at some
01:43:43point. So I because we have the ability to do that. I'm more worried about the deep fakes,
01:43:47or especially, you know, teenage girls and the like, what's available for them?
01:43:53Probably not as much as we need, is what I would say. Okay, what steps can we take? How can we move?
01:44:00I think we put in place guardrails, you're asking a good question. Let me take it back. And
01:44:08let me ask our folks, what could we create for more people that would empower them to do what
01:44:16every candidate can now do namely report a deep fake about themselves? Okay, I appreciate that
01:44:22very, very much. Last question with respect to elections and misinformation, disinformation,
01:44:27especially the stuff that's coming out, maybe even on election day or during that time period
01:44:32when elections are have begun. Is there a sufficient process in place that coordinates
01:44:39private sector, the public sector, and potentially voters to address this concern? I apologize to
01:44:45the chair for running over. I'll just say I think a lot of progress has been made. And as we get
01:44:51into the summer months in the two conventions, it's a really important question for all of us
01:44:56to have together in a way that is genuinely bipartisan. You know, we're working with there's a
01:45:02National Association of State Election Directors. You know, we're working with them. We're working
01:45:08with them so that they can protect their infrastructure, that there are means to
01:45:13educate people about deep fakes and the like. Frankly, what we're hoping can happen at both
01:45:19of the political conventions is some conversations about how we can enter the election season, say
01:45:26that starts on Labor Day, you know, with all the protections that we're going to need. And we're
01:45:30basing that on a lot of work. We were in Taiwan for that election. We've been in Europe for this
01:45:35spring. We'll be in the UK and France. And we're trying to take everything we learn each step of
01:45:41the way and apply it. I thank you for your answer. I look forward to hearing back from you. And Mr.
01:45:46Chairman, I appreciate your indulgence. Absolutely. The gentleman yields and I now recognize the
01:45:51gentleman from Mississippi, Mr. Ezell. Thank you, Mr. Chairman. And thank you, Mr. Smith,
01:45:56for being here. And thank you for holding this hearing today. The federal government and many
01:46:00Americans trust Microsoft to protect our critical cybersecurity infrastructure. Unfortunately,
01:46:06we're here today because Microsoft has fallen short in some of these areas, especially worried
01:46:14about our national security. A recent report to Congress from the U.S.-China Economic and Security
01:46:20Review Commission linked multiple cyber attacks to the CCP. The report directly calls out breaches
01:46:27of Microsoft's email servers at the U.S. Department of State and the Department of Commerce. Of course,
01:46:34the CSRB report in greater detail describes Microsoft's cultural issues related to security,
01:46:42which we have highlighted. Mr. Smith, with the CCP and the Russian Federation backing state-sponsored
01:46:51cyber attackers, all organizations face this threat, regardless of their resources or reputation.
01:46:59Breaches are inevitable, and I acknowledge the federal government has a role that we've got to
01:47:04play here. However, despite being known as a leader in defending against attacks, it appears
01:47:10that Microsoft has had some failures, which could have been avoidable. And I know you've addressed
01:47:18this, but I want to discuss the company's other investments, specifically its AI offerings,
01:47:24and how it could relate to your plan to improve its cyber capabilities. I'll start by asking you,
01:47:32do you believe that as AI becomes integrated into more products and services, the potential for
01:47:40attacks increases? I think we'll see two things almost inevitably, and perhaps we sooner already
01:47:48are. One is our adversaries will use AI to try to pursue more sophisticated attacks. But second,
01:47:55we are already using AI to strengthen security defenses. And I have to say, I'm very optimistic
01:48:03about what AI can and already is being used to do to strengthen cybersecurity protection in two
01:48:10ways. One, AI is especially good at detecting anomalies in data, looking for patterns. And we
01:48:20have threat hunting teams at Microsoft, we probably have more threat hunting teams than anybody else.
01:48:27But seeing what people can do when they have AI to help them detect these patterns, that is key,
01:48:32and that's gonna be important across the industry. The second is to help the chief information
01:48:37security officers, the CISOs, the cybersecurity professionals across the country. So you know,
01:48:43we've got a product, a cybersecurity copilot, others will have similar things. It basically
01:48:49takes a lot of work that these folks have to do. And it helps them do it faster, it helps them do
01:48:55it better. And I think that that's going to be a good step as well. Go back to this, this gap,
01:49:03the 400,000 open jobs, hopefully what AI will do is in effect, lower the barrier to entry,
01:49:11because an individual who wants to join this profession, and I hope more people will,
01:49:16they'll say, hey, I don't have to learn everything I might have had to learn five years ago, because
01:49:21now I have an AI tool that will help me as well. And I think we're gonna see we're seeing that now
01:49:26we're going to see it accelerate in the next couple of years. Thank you. What specific cybersecurity
01:49:32measures is Microsoft implementing to protect the additional surface for attacks? What are you
01:49:39doing additionally to protect? Your question goes to detection. Yeah. And that's a critical piece.
01:49:48And it's one of the six pillars that we have in the Secure Future Initiative that I mentioned.
01:49:54And I will tell you, we have I'm very proud of the teams we have, you know, great people who
01:50:02are just so committed to the mission. But it sort of goes back to then using more technology
01:50:10and more AI. So we can make them more effective. We get so much data that we've got to be basically
01:50:18integrate all of the data that we have. So it's more usable by our threat hunters. And then we
01:50:25need to use AI to make it easier for our threat hunters to find things faster. So I think this,
01:50:33this cutting of silos, you know, connecting what we call data graphs, using AI, I think it's going
01:50:40to make our people I think every company that does this, you know, we'll find that it can get
01:50:45it can get better with these approaches. Quickly, one of the things I'd like to follow up with
01:50:51what Mr. Ivey was saying was talking about some of these generated photographs. And as a local
01:50:58county sheriff, many times, we had parents that would come in and their teenage daughter had been
01:51:07victimized. And we basically had nowhere to go to investigate, to follow up, to catch some of
01:51:16these bad actors that are doing this thing. I would ask you as part of your training,
01:51:21to infiltrate these local sheriffs and police officers, especially in the rural areas,
01:51:26that have limited opportunities to have the use of some of the things that we've described,
01:51:33talked about today, because it breaks my heart to see a child go through that, when it's been
01:51:42a totally false accusation, and then for them to go back to school. So I would really encourage you
01:51:48to put that on the front burner, so that we can help our local law enforcement to try to
01:51:53stop some of this. I would just say, and I know our time is out, but yes, we will. And you're
01:51:59right in two fundamental ways. First, I appreciate it. I mean, some of the most
01:52:04moving things that I've seen over the years have been information from police officers,
01:52:10local law enforcement, who are working to protect kids who are being victimized,
01:52:14in the way you just described. And second, the other group I should have mentioned when Mr. Ivey
01:52:19asked, is the National Center for Missing and Exploited Children, NCMEC. These are, in my view,
01:52:24real heroes for all of us. We all work together and support them and rely on them. And I think
01:52:30this is this great alliance we have in this country between law enforcement, NCMEC, and then
01:52:36tech companies. And our competitors are part of this. This is one area where I think the industry
01:52:41is pretty united, and the world's better for it. The gentleman yields. I now recognize Ms. Ramirez
01:52:47for five minutes of questioning. Thank you, Chairman. Good afternoon, Mr. Smith. I'm freezing
01:52:53here, but I think you might be a little warmer. You've been a little more active. So, you know,
01:52:59I've been hearing our conversation today in the hearing. And for us, it's pretty clear we have
01:53:04two homeland security threats that this hearing is really trying to take up. One of those is
01:53:10cybersecurity attacks, and the other is concerning tech monopolies and monocultures driven by profit,
01:53:17sometimes supremacy and secrecy. And I feel like both are existential threats to the health and
01:53:24well-being of our democracy. When incidents like the 2023 Microsoft exchange breach happened,
01:53:32and the bombshell damning reports like what was published by ProPublica today,
01:53:37they bring us to this reckoning moment. And it's not just for Microsoft, but that we've been
01:53:42entrusting with our nation's most sensitive information, and also for this committee,
01:53:48this desperate need for the pursuit of accountability when our nation's homeland
01:53:52security has been compromised. The ranking member mentioned that the ProPublica article published
01:53:59earlier today described how Microsoft had dismissed an employee's concerns about a vulnerability
01:54:05in Active Directory that was eventually leveraged by the Russians during SolarWinds.
01:54:10Then Microsoft denied that any vulnerabilities in its systems had contributed to the attack.
01:54:16So when my colleague, Congressman Correa, asked you earlier how quickly you address vulnerabilities,
01:54:23you said immediately. But ProPublica reported today that an employee alerted Microsoft to the
01:54:31Golden SAML, the SAML vulnerability years before SolarWinds. So I guess my question to you,
01:54:39Mr. Smith, is what is your definition of immediately? It's right away. And let me just
01:54:45say, and look, look, this is the classic, let's have an article published the morning of a hearing
01:54:52so we can spend the hearing talking about it. And then by a week from now, I'll actually have a
01:54:55chance to go back and learn about everything in it. I am, I am generally familiar with that
01:55:03situation. Let's remember a couple of things. One, that SolarWinds intrusion was by the Russian
01:55:10government into a SolarWinds Orion product, not a Microsoft product. And that Orion product was
01:55:18distributed to more than 30,000 customers. Microsoft was one. And because of what the Russians
01:55:23had done to change the software code of the Orion product, the Russians immediately had an entry
01:55:29point into all of these networks. Let's also remember that when FireEye brought us in, that
01:55:35was the beginning. This was I think in November of 2020. We worked with FireEye. And we came up
01:55:42with a technology tool that in effect blasted that entry point. So Mr. Smith, but I have short time.
01:55:50So I actually, you might have a little opportunity to talk more about that here. Because yes,
01:55:55Microsoft expanded the Secure Future Initiative, and has said that security teams will have an
01:56:00elevated role in the product development. Maybe tell me how the employees concerns that were
01:56:07expressed about a vulnerability in Active Directory would have been handled differently today.
01:56:14Well, I would say two things. First, I would hope that if there is an issue that needs to be
01:56:19addressed, it will be woven into our engineering processes, it will be escalated, it will be
01:56:24decided, and people will be evaluated based on how they did. Second, though, I would like to go
01:56:30back for one second. On this so called Active Directory, what we're really talking about here,
01:56:36it is what was called SAML, it was an industry standard. And it was a security vulnerability in
01:56:45the entire industry standard. And what ensued was a conversation across the industry about the best
01:56:53way to address it. And I think this is where, like I said, a week from now, I'll bet we can pull
01:57:00together information and have a much more informed conversation about this. And I would welcome that
01:57:04opportunity. But I think what's most important for today is simply to note how we are changing
01:57:11our engineering processes, how we are integrating security by design, how we are changing the way
01:57:18employees review themselves, how we elevate these issues, and reward people for finding reporting
01:57:27and helping to fix problems. Good, good. So I have a few seconds and so a few sentences. I'm going to
01:57:33shift gears for a second. How do you ensure that your bundling practices do not limit the ability
01:57:39of customers to prioritize security in their purchasing decisions? I'm sorry, I couldn't hear
01:57:45the, go ahead. Yeah, let me do that again if I can get a few seconds more. Chairman, how do you ensure that
01:57:50your bundling practices, when you're bundling practices, that you don't limit the ability
01:57:56of your customers to be able to prioritize security in their purchasing decisions? So when they're
01:58:01purchasing, that they're able to prioritize their security when you're providing
01:58:06these bundling practices? Let me just say, I don't, I'm not aware of any so-called bundling practices that
01:58:14limit what our customers can do in terms of cybersecurity protection. And if you look at
01:58:22the market for cybersecurity protection, frankly, a very robust part of it is about providing
01:58:28tools and services to enable customers to manage the security of their networks when they have
01:58:34solutions that come from so many different vendors. Microsoft accounts for about three percent of the
01:58:41federal IT budget. What that tells you is that there's 97 percent that's being spent elsewhere,
01:58:46and that's pretty typical when you look at it. And so a lot of what we're doing across the industry,
01:58:53I think, especially with industry standards and the like, is to enable, I think, the kinds
01:58:59of customer choices that I think you read quite rightly are encouraging. Well, thank you, Mr. Smith.
01:59:04I ran out of time. If we get another round, I'll ask you to follow up. Thank you. That'd be best.
01:59:09One quick note. If you're like two seconds from your time limit, guys, that's not the time to
01:59:14start a new question, right? So, you know, I give a lot of grace. I give a lot of grace.
01:59:19But if you're, you know, in a process and all that, we're going to let that
01:59:26question continue on, and we'll give you a little extra time for that. So, and you aren't, Ms.
01:59:32Ramirez, Mr. Ezell was just as bad, and he literally had two seconds left when he started that new.
01:59:37So, I now recognize Mr. D'Esposito for five minutes of questioning. Well, thank you, Mr.
01:59:43Chairman. Mr. Smith, the CSRB report stated that Storm-0558 had access to some of these
01:59:51cloud-based mailboxes for at least six weeks. Can you tell us who discovered that the system
01:59:56had been compromised and how they did so? Well, I think Ranking Member Thompson identified this
02:00:03early on in the hearing that, in fact, I think we got notification from the State Department that
02:00:10they had seen an anomaly in their email system. So, they informed us of this last June. Our initial
02:00:18reaction was that this was, you know, something that was, you know, a token that was being
02:00:25generated through a stolen key at the State Department or in the government. I remember
02:00:317.30 in the morning, I was notified about this on a Saturday morning,
02:00:36and I was on the phone with Satya Nadella, our CEO, probably within 30 to 60 minutes,
02:00:41but we thought it was confined to that. It took somewhere between a few days to
02:00:47a week or more for us to come to the conclusion that it was broader than that.
02:00:51Okay, and obviously, do you believe that Microsoft should have been able to
02:01:00realize that you were compromised before the State Department?
02:01:05You always want to be the first in life in everything.
02:01:10Well, that depends. So, I would, well, yes, that's true. That's a very good qualification.
02:01:13You always want to be the first in everything good in life. And so, I have to, on the one hand,
02:01:20say yes, but on the other hand, I have to say, especially given the nature of networks and how
02:01:25they're distributed and different people see different things, mostly I just want to celebrate
02:01:31the fact that people are finding different things and we're sharing them with each other.
02:01:35So, putting the celebration aside, are you confident that moving forward,
02:01:41Microsoft has the ability to quickly detect and react to an intrusion like this?
02:01:45Well, I will tell you, I feel very confident that we have the strongest
02:01:52threat detection system that you're going to find in quite possibly any organization,
02:01:58private or public, on the planet. Well, does that always mean that we will be the first to find
02:02:03everything? Well, no, that doesn't work that way, but I feel very good about what we have
02:02:08and I feel very confident about what we're building. And now, obviously, Microsoft is
02:02:12seeing a lot of what these cyber criminals and nation-state actors are doing in the ecosphere.
02:02:18How do you go about sharing information that you collect or identify with law enforcement?
02:02:26We have a variety of different steps we take, some of which are probably not best talked about
02:02:32in a public hearing that, as the chairman said, is probably being watched in Beijing and Moscow.
02:02:38But we collaborate with the FBI. We collaborate with local law enforcement all the time. We
02:02:43collaborate both with the different agencies of the U.S. government and
02:02:47other governments that are allies of the United States.
02:02:50Okay. Now, I know that many of our staffs use Microsoft for their email, amongst
02:02:54many other applications. Can you give us an idea as to the size of the share of government
02:03:00contracts for networking, cybersecurity, and other matters in this space that Microsoft has?
02:03:08I don't know the precise number for that precise definition. I know, as I was mentioning,
02:03:14that we account for about 3 percent of the federal IT budget. I know that the U.S. government has
02:03:21many choices when it comes to cybersecurity services, and I think it takes advantage of
02:03:25them. And we're one of them. I don't, frankly, know how we compare to some of the others.
02:03:30Okay. And, obviously, like you said, the government has many choices. So,
02:03:33with that said, why should they continue to use Microsoft?
02:03:37Because we are going to work harder than anybody else to earn the trust of our government
02:03:44and other allied governments every day. And we are making the changes that we need to make. We
02:03:50are learning the lessons that need to be learned. We're holding ourselves accountable. We will be
02:03:54transparent. And I hope that people will then look at what we've done and say this is something
02:04:03that they want to do with us. But I know we have to earn their trust every day.
02:04:07Okay. Mr. Chairman, I'm following the rules with that. I yield back.
02:04:10The gentleman yields. I now recognize Mr. Menendez for five minutes of questioning.
02:04:14Thank you, Mr. Chair, and thank you, Mr. Smith, for appearing here today. In 2002,
02:04:21Bill Gates issued a memo to Microsoft employees which stated in part, quote,
02:04:25flaws in a single Microsoft product, service, or policy not only affect the quality of our
02:04:30platform and services overall, but also our customers' view of us as a company. So now,
02:04:36when we face a choice between adding features and resolving security issues, we need to choose
02:04:41security. 2002. Last month, Microsoft's chairman and CEO in a blog post to Microsoft employees
02:04:49stated if you're faced with a tradeoff between security and another priority, your answer is
02:04:54clear. Do security. 2024. Does last month's directive indicate that Microsoft had drifted
02:05:02from the security-first culture set forth in Mr. Gates' 2002 memo?
02:05:08You know, I was there in 2002 when Bill Gates was the CEO of the company and have been there
02:05:13every year since. And, you know, this is, you know, something I think one just has to be
02:05:19introspective about, because I've been in so many meetings every year where we've done
02:05:25so much to talk about where we are when it comes to security.
02:05:30I think that the biggest mistake we made was not the one that is being described that way. I think
02:05:37the biggest mistake we made. What do you mean described that way?
02:05:41That of drifting away from a security-first culture. I think the biggest mistake.
02:05:46I'm not asking if there's a biggest mistake. I'm just asking if you do believe
02:05:50that there was a style drift at Microsoft between 2002 and 2024.
02:05:54No, but let me say what I think perhaps happened. As we hired so many cybersecurity experts,
02:06:05it became possible for people who were not in the cybersecurity teams to think that they could rely
02:06:12on those people alone to do a job that we all needed to do together. See, in 2002, we didn't
02:06:20have all these large security teams. Cybersecurity didn't exist at that time the way it does today.
02:06:26So I think there's a profound lesson. I understand the makeup of Microsoft and
02:06:33the different departments may have changed, but this was a statement in 2002 about choosing
02:06:38security first, and then more or less the same statement made in 2024. That would to me at least
02:06:43indicate that perhaps there was a style that security first and maybe taking a backseat
02:06:49potentially. It'd be helpful if you could just describe to me and to the committee
02:06:53the Microsoft Security Response Center and how it sits within Microsoft's corporate structure.
02:07:00The Microsoft Security Response Center, or MSRC as we call it, reports up to, as I recall,
02:07:07our executive vice president for security, a fellow named Charlie Bell, who's on our senior
02:07:12leadership team, and it is part of a very large and, I think, robust security organization.
02:07:18And who makes determinations when something's raised to the
02:07:22Security Response Center as to whether they elevate it up to folks?
02:07:27I would have to go get the precise answer to that precise question. I will say this.
02:07:33We do try to and, frankly, we need to create an environment where bad news travels fast.
02:07:41That's what we aspire to do. And I can definitely tell you, look, I can tell you in the case of
02:07:47Storm-0558 or this Midnight Blizzard, we're talking minutes to hours gets to me. I usually,
02:07:54I'm the last stop before it gets to our CEO, Satya Nadella, and the time from me to him is
02:08:01in minutes, and it's not a large number of minutes.
02:08:04Great. I appreciate that. The CSRB described various approaches cloud service providers
02:08:09use to manage and secure identity and authentication systems. I note in particular
02:08:14changes they made following Operation Aurora in 2010. I'm glad that Microsoft agreed to
02:08:18transform how it manages and secures its identity systems. I'd like to unpack that a little.
02:08:23Does Microsoft plan to make significant changes to the architecture of its core digital identity
02:08:27systems? I think the answer is yes.
02:08:33And be quick with this, Chairman. As part of its review, the CSRB issued numerous recommendations
02:08:39for cloud service providers generally in certain federal agencies. The CSRB also issued four
02:08:44recommendations specific to Microsoft. Microsoft updated its Secure Future Initiative subsequent to
02:08:50the CSRB's report, and I'd like to discuss how Microsoft plans to implement a couple of those
02:08:54Microsoft-specific recommendations. The CSRB recommended that Microsoft share publicly a plan
02:09:00with specific deadlines for security-based reforms. Does Microsoft plan to implement
02:09:04the CSRB's recommendation and publicly release deadlines for implementation?
02:09:08The answer is yes, and in fact, one of the things that I mentioned in my written testimony is we've
02:09:13invited CISA to send a team out to our headquarters outside of Seattle in Redmond, go through all the
02:09:19details of everything that we're doing. We want to show them all of the details, and then I think
02:09:25one of the things we'll need to, you know, frankly assess together with CISA is how much or at what
02:09:31altitude we should be publishing things, because if we publish them, good news is every American
02:09:37can read them. The bad news is everyone in Moscow can as well, and then I'll just say we recognize
02:09:43the oversight role that you and this committee play, so, you know, we're interested and happy to
02:09:50share more with you than of course we would share with the general public. We just need to do it in
02:09:54a secure way. I appreciate it. Thank you so much for appearing here today, and look forward to
02:09:57working with you. And we'll have some staff look at your microphone. We don't want that to happen
02:10:03to you yet. You get another five minutes. Good try. The chair now recognizes the gentlelady from
02:10:11Florida, Ms. Lee, for five minutes of questions.
02:10:15Good afternoon, Mr. Smith. Good afternoon. I'd like to follow up on one of the lines of
02:10:20questions from Mr. Menendez. You've testified today that in the wake of the CSRB report that
02:10:26Microsoft is committed to prioritizing security first over product and feature development,
02:10:32but that is something that is easy to say and no doubt very difficult to do with far-reaching
02:10:37implications for your company. So, I'd like to hear a little bit more about the specifics,
02:10:42whether you are standing down on product development while you refactor codebase,
02:10:46or what other specific ways in which you're throttling or pausing feature release or
02:10:52product release to ensure a focus on the security first as you describe.
02:10:57It's a really good question, and I would answer it in two parts. First, in the short term, yes,
02:11:02we have reallocated resources. We've moved people. We've told them to reprioritize,
02:11:10and by definition, that means that other things may have slowed down or stopped, so this can
02:11:15speed up, and that's the right thing to do. I think the real challenge is how you achieve
02:11:23effective, lasting culture change. This is true in any organization, and especially when you
02:11:30have a company like ours. We have 225,924 employees. This has to be real and reach every
02:11:40one of them, and we're calling on a lot of what we've learned as a company in the last decade.
02:11:45We've gone through a lot of culture change, and I think people feel it's benefited us well.
02:11:50I think you define a North Star, which is this notion of do security first.
02:11:56You then have to change your accountability mechanisms, and that's why compensation is
02:12:01so important, but fundamentally what we're really gravitating towards is to treat security as the
02:12:08highest priority in quality. So would it be correct to say then that you've reallocated people
02:12:14and resources in furtherance of that objective? Yes. And has it also affected your revenue
02:12:21projections, I would think? I would say so far I'm not aware of it changing any of our revenue
02:12:28projections. Let me just put it this way. I was in Stockholm last Monday. This is a country that,
02:12:35as you know, has just joined NATO, and I met with about 25 customers, government customers,
02:12:42corporate customers, and what I found was really interesting. They asked a lot of tough questions,
02:12:47as you all are. Bad news for the folks who want to sell Plan B. They don't want to switch.
02:12:54They want us to get it right, and we have to get it right to deserve their business,
02:13:00but I think they see that we really are committed to doing that. I know it's come up a couple of
02:13:06times today, but I'd like to return to a discussion of the recently released Recall feature. You
02:13:12mentioned security by default, but that endeavor is something that, if I understand correctly,
02:13:17presented a security exposure for users who might not have understood the nature of how it operated,
02:13:24so I'd like to hear more about the status of that product rollout and how it is consistent with the
02:13:30security-first approach and what's being done to make sure users are aware of the potential
02:13:34exposures or risks from using it. Yeah, I think I would start with this product hasn't yet been
02:13:40launched. The feature hasn't yet been finished, and we've had a process to share information and
02:13:45take lots of feedback. We've designed it so it's off by default, so that people have to
02:13:53choose to turn it on, and we can share information with them before they make that decision.
02:13:58We've designed the feature so that the information always stays on one's own PC. It doesn't go to
02:14:05Microsoft. It doesn't go anywhere else. We've combined it with a hardening of the security in
02:14:10Windows for every part of the computer and not just this feature alone, and then we've added
02:14:18additional features that encrypt data, that decrypt it just in time, so we're trying to take a very
02:14:25comprehensive approach to addressing all of the security and privacy issues as well, and we're
02:14:32trying to do it in a dialogue, because when you do create technology, I think one of the mistakes you
02:14:38can make is to think that you have all the answers. You only get to the best answers when you have
02:14:42these kinds of collective and public conversations. So in an attempt to comply with the Chairman's
02:14:48guidance, I'll touch on my last question, which is a bit of a shift in gears, and that is I'd like to
02:14:55hear more about one of the things that was identified in the report as an area in need of
02:14:58improvement was victim notification. So I'd like for you to elaborate a little bit more on your
02:15:03thoughts and going forward plan on how to improve victim notification. Let me try briefly to address
02:15:09this, because this is a really important topic, and it's a hard one for us and everybody. When we find
02:15:15that someone has been a victim of an attack, it doesn't mean that the fault was ours. It's just
02:15:20that our threat detection system may have found it. We need to let them know. Well, how do you let
02:15:26somebody know? If it's an enterprise, we probably have a connection. There's probably somebody there
02:15:31we can call. But if it's a consumer, like a consumer-based email system, we don't necessarily
02:15:37know who the human is. We just have an email address. So we send an email. There was a member
02:15:43of Congress we sent an email to last year. That member of Congress did what you sort of expect.
02:15:49They said, well, that's not really Microsoft, is it? It's spam. And then we call somebody. Believe
02:15:55me, we've called people, and they say, oh, give me a break. You're not Microsoft. You're just one more,
02:16:00you know, fraud enterprise. That's the world in which we live. And so the CSRB report has a great
02:16:08recommendation on this. It's to create the equivalent of the Amber Alert. But it will
02:16:14require support from Congress that CISA lead this, that the tech sector and probably the
02:16:22telecommunications companies and the phone makers and the phone operating system makers all come
02:16:28together. This would be a huge step forward. The gentlelady yields. I now recognize Mr. Suozzi for
02:16:35his five minutes of testimony. Thank you, Mr. Chairman. I want to thank you and the ranking
02:16:40member for holding this hearing. Holding Microsoft accountable is a good idea, and I think that Mr.
02:16:45Smith has demonstrated he's taken his father's advice. I think he said it was your father that
02:16:49said nobody ever died by using humility. I don't know if he said it, but he definitely, he's still
02:16:55alive today. He's probably watching this, for gosh sakes. Well, it is definitely something he taught
02:17:00me. You've definitely taken accountability here today, and we appreciate that. And let me just
02:17:05ask, what percentage of Microsoft's business comes from governments? If I had to guess, it's less than
02:17:14 10% globally. And so what percentage of it is from just the federal government itself?
02:17:20Not that much. We love the federal government. It is a big customer. It's one of our biggest,
02:17:25and it's the one that we're most devoted to, but it's not the big source of our revenue.
02:17:32So you mentioned earlier that there are 300 million cyber attacks a day.
02:17:38Are the sources from state-sponsored adversaries of ours, like China, Russia, Iran, and Korea?
02:17:45Is it from organized crime, or is it from individuals who are doing this? I would say
02:17:51most of it comes either from those four nation-states or ransomware operators. We track
02:17:58over 300 organizations, and those 300 account for by far the highest percentage.
02:18:08Can you give a percentage for how much is from the state actors versus the ransomware
02:18:12people? Or the state actors, sometimes ransomware activists also? I can. I'm forgetting off the top
02:18:20of my head, but we can easily get that to you. I will say, in addition to being a substantial
02:18:25percentage, they're by far the most sophisticated and serious.
02:18:28So my big concern for our country is how divided we are. And our country is divided because
02:18:34of our members of Congress. There's 435 of us. 380 of them are in safe seats, so they don't have
02:18:40to worry about the people, per se. They only have to worry about the people in primaries. So they
02:18:44pander to their base. That divides us. And then social media, the people who get the most attention
02:18:49on social media, people say the most extreme things. And then cable news, you know,
02:18:55Tucker Carlson was the most followed person on Fox before he left. Rachel Maddow, they've got
02:19:00 4 million viewers, 3 million viewers. They're kind of playing to the extremes. But our foreign
02:19:05adversaries, Chinese Communist Party, Russia, Iran, and North Korea, are taking disinformation
02:19:12and trying to divide us every day by taking messages that we're fighting about already
02:19:17and blowing them up bigger than ever. We need the great corporate citizen, Microsoft,
02:19:24and other great corporate citizens to team up with the people of the United States of America
02:19:29and their governments to figure out how we're going to stop this attack. Because
02:19:33they're trying to destroy us from within by dividing us using technology and disinformation
02:19:40and cybersecurity attacks on a regular basis to destroy us. So what can we do to team up
02:19:45more effectively? And what are the partners other than the United States government
02:19:50and Microsoft should we try and bring into this partnership to try and save our country
02:19:54from this division that is being exacerbated by our foreign adversaries? Well, there's lots of
02:19:59great companies in our industry that are doing great things in all areas of the industry. And
02:20:05the good news is, especially there's this extraordinary CISO, Chief Information Security
02:20:11community where people work together across industry boundaries. We need to advise the
02:20:16public about what's happening. Exactly. And I think we need processes to do that. And I would
02:20:22say at the end of the day, look, I think the point you just made is maybe the most important point
02:20:28that could be made at this hearing. Because the greatest threat to this country in this space
02:20:33comes if our adversaries coordinate and unite. And we should assume that they not only can,
02:20:38but they will. They are. And the greatest weakness of this country is that we're divided,
02:20:46not just politically, but in the industry as well. And we just always have to remember
02:20:54that if we can find a way to summon the ability to work together, you all, if you can work together
02:20:59across the aisle, and we in our industry can work across the industry, and then we unite together
02:21:06with new processes that are probably government-sponsored, and some of them exist,
02:21:10including through CISA, so we can do what you just described and, among other things, help people
02:21:16learn and also take the steps to hold these adversaries accountable so we can start to
02:21:23change what they are doing. Thank you, Mr. Smith. Mr. Chairman, I would, oh, Ms. Chairman,
02:21:29I'd like to participate in an effort by this committee, bipartisan in some way, working with
02:21:34industry to come together as a team to figure out what we can do as a country to identify these
02:21:41threats, notify the public as to what's happening to them on a regular basis, and how we as a
02:21:46country, corporate-public-private partnership, can unite to fight against our foreign adversaries
02:21:53that are trying to destroy our country. Thank you, Mr. Smith. The gentleman yields back. Thank you,
02:21:58Mr. Suozzi. The gentleman from Texas is recognized for five minutes. Thank you, Madam Chairman.
02:22:05Good afternoon, Mr. Smith. Let's just chat a bit, five, ten years downstream. Tell me how Microsoft
02:22:11secures the network from nefarious or bad actors globally. What is the, and I won't say end game,
02:22:17because I don't ever think there's going to be a finish line when it comes to just the artificial
02:22:21intelligent machine learning or the cyber space. What is Microsoft doing in, you know, the kill
02:22:28chain results from this little guy right here, but maybe there's nothing we can do to stop
02:22:36the amount of actors that attack this every single day, but we may not be able to talk
02:22:42about an open setting, but is there an end game? Is there a way to secure the network where bad
02:22:47actors cannot have these breaches? I would say two things. First, you know, if you look at the
02:22:55current course and speed, this is probably for the time being and until the geopolitical
02:23:00environment in the world changes, a bit of a forever war in cyberspace with constant combat.
02:23:07And I would hope that that would change, but we can't assume that it will. So what can we
02:23:13collectively change? Well, first at Microsoft, I would not just hope, but fundamentally believe
02:23:19that say five years from now, we're going to have production systems, engineering systems,
02:23:25networking identity systems that make it extraordinarily difficult and just beyond
02:23:33the economic reach of our most sophisticated and well-resourced adversaries to attack and breach.
02:23:40Is that moving the infrastructure completely to a cloud-based system?
02:23:45I do believe it is. I do think that the cloud is part of the answer, just not only for us,
02:23:50but for the other companies who are in the cloud services business.
02:23:54And I think that, you know, in addition to what we do as a company, I would hope,
02:23:59look, just as we learn from our competitors, and that's a good thing that we'll share what
02:24:03we're learning and our competitors will adapt as well. I think the thing we're going to have
02:24:09to do the most to internalize is just recognize that we'll do a lot of good things. Let's say
02:24:15we do every single thing that the CSRB has recommended, because that's what we are going
02:24:19to do. It won't be enough, because two years from now, our adversaries will have done more.
02:24:26So what we need to create is a process where we collectively always learn from what is happening.
02:24:32We do a better job of anticipating and predicting. And I do think that AI will be one of the great
02:24:39game changers, and we need to ensure that AI benefits the United States and our allies
02:24:45and the defense of people at a faster rate than it can be used by our foes to attack them.
02:24:52Inevitably, it's going to be the human variable that's removed from the cybersecurity space,
02:24:56and it's inevitably going to be completely AI-based. Is that a fair statement?
02:25:02I am very sure.
02:25:08There's a word out there I'm looking for, but I don't have it. Computation-based. I'm sorry.
02:25:12The computer systems are the ones going to be running forward with this, which they already do.
02:25:16Let me just say, I am optimistic about what AI can do to strengthen cybersecurity defenses, but
02:25:23I think sometimes people in the world of technology actually
02:25:27run the risk of underestimating the power of people. What we should really bet on—
02:25:33Let me say this. As a congressional member, I would never do that. I don't want everybody to
02:25:38know that. What we should bet on and what we should pursue as a country and as an industry
02:25:44is the opportunity to enable people to stand on the shoulders of better technology.
02:25:52If we can do that with AI, if that's the stronger foundation, we will enable our people,
02:25:58especially in this profession, to achieve so much more. We know that in Moscow and other places,
02:26:07they'll be trying to do the same thing. We've just got to do it better, and we've got to do
02:26:10it faster, and we can never take a day off. That's the reality.
02:26:16Thank you. Mr. Chairman, I yield back.
02:26:19The gentleman yields. I now recognize Mr. Garcia for five minutes of questioning.
02:26:25Thank you, Mr. Chairman. I want to thank everybody. Sir, I had a chance to be here
02:26:29for the first half of this hearing, and I rushed to the floor and rushed back, so thank you for
02:26:34answering all of our questions. I want to just take one step back and
02:26:38kind of absorb some of what I heard in the first half as well. I mean, clearly, I think you
02:26:43understand I appreciate you taking responsibility for the security failures and concerns that I
02:26:48think all of us have. I think that's important. I also want to just broadly thank you. I mean,
02:26:53Microsoft and so many other companies have done incredible work to change the lives of Americans.
02:27:00Obviously, as someone that really believes in the power of technology and the incredible
02:27:05economic driver that you are to my state in California and other places, I don't want to
02:27:12sweep that part under the rug as well, so I thank you for your continued work,
02:27:15and this is an important, serious topic that we're discussing today.
02:27:18Every company, every government faces serious threats from hackers, from foreign intelligence
02:27:24services. I think we all know that that's been established. Russia and China and other
02:27:28countries are trying to steal secrets, steal technology, steal patents, and it's not just
02:27:33within your company, but it's in companies, of course, all across our nation. It's important
02:27:39that we're here on a bipartisan basis. I also want to note, you know, the report that we're
02:27:44reviewing today is a report from CISA, and I want to encourage us to support CISA as an
02:27:49organization. There have been some of my colleagues that want to abolish CISA. They've wanted to
02:27:55reduce support for strengthening cybersecurity in our country, and I think that would be a huge
02:28:00mistake, and so I would encourage us to continue to work with CISA and other agencies to make our
02:28:06systems more secure. I also want to just note that what I believe is that we need more federal
02:28:12intervention and partnerships, not less, with Microsoft and other technology companies.
02:28:17It's important that we continue to work. Before I got here, I was the mayor of Long Beach,
02:28:22California for eight years, and I consistently remember the numerous attacks that we got,
02:28:29the cyber attacks we would receive from a city perspective, and the challenges for municipalities
02:28:34and governments and smaller governments that are not the federal government to deal with those
02:28:38effectively, and so I encourage you to continue to work not just at the federal level, but there's so
02:28:43many small cities and towns that don't have the capacity to actually deal with some of these cyber
02:28:50threats that we have. I also just want to have an initial question. You answered it partly earlier.
02:28:57We know that there are an extraordinary number of cyber attacks from nation-state actors. We talked
02:29:00about those today. If you want to boil that down, what do you attribute these direct attacks?
02:29:05Why are they attacking Microsoft systems? Let me just first thank you for your comments,
02:29:11and I do want to underscore, so it's clear if there's any doubt, we support CISA as well. I
02:29:16support CISA, and there's always debates about exactly one piece or another, but it's really
02:29:21doing important and good work for the country. I think it's really important to look at the
02:29:28motivations of nation-state actors as well as criminal enterprises and just understand what
02:29:33they're doing, and I would say over the last year, we've seen on the nation-state side, broadly
02:29:40speaking, three kinds of motivations. One is access to information surveillance, including of
02:29:48other governments, but not governments alone, and so of course they go to where the information is
02:29:53located, which does include our cloud services. The second, and I think this is extraordinarily
02:30:00disconcerting, is we've seen from China in particular this pre-positioning of so-called
02:30:09web shells, think of it as tunnels, into our water system, our electrical grid, into the air traffic
02:30:16control system, the kind of thing that you look at and you say this is only useful for one thing,
02:30:20and that's they have it in place in the event of a war or hostilities. The third thing that you see
02:30:25from nation-states is something that is very unique to North Korea. They have a very different
02:30:30approach to budgeting. They let ministries employ hackers, and then the ministries work to steal
02:30:36money, and then the ministries get to keep the money that they get, so it's an oddity. That's the
02:30:42nation-state side, and think about those. And briefly, sir, because I want to ask one more
02:30:47question. We're running out of time, but continue. Okay, on ransomware, it's all about making money,
02:30:52unfortunately. No, I appreciate that, and I just want to take a moment to also commend the State
02:30:56Department security operations. They've been involved with you and a lot of other organizations.
02:31:01Their infrastructure, which needs to be strengthened, does a lot of this work,
02:31:06and so I want to uplift them as well. You know, lastly, I wanted to mention in the CSRB report,
02:31:11there was a recommendation to create some type of Amber Alert system, some kind of notification
02:31:16system. We're all concerned about these cybersecurity threats. Does Microsoft support
02:31:21this recommendation, and can you expand a little bit on that? Yes, and I was talking about this a
02:31:26little bit when you had to leave. I think it could be extraordinarily helpful for our entire
02:31:32industry, for everybody who uses technology, for consumers in particular. I hope that we will find
02:31:38a way to work together to make it a reality. Well, thank you. I yield back. Gentleman
02:31:43yields. I now recognize Mr. Strong for five minutes of questioning. Mr. Smith, I appreciate
02:31:49you being here today, and most of all, I appreciate your humbleness. We've had people sit right before
02:31:54this committee, cabinet members tell us that the southern border, that they've got it under
02:32:02control, and three years later, three and a half years later, they sit right there and tell us
02:32:06more than 10 million people have illegally crossed that southern border, so you've served
02:32:12Microsoft well today, and I appreciate how you presented yourself. As you may know, I also serve
02:32:17on the House Armed Services Committee, and specifically the Cyber Information Technologies
02:32:22and Innovation Subcommittee. I'm aware of the DOD's cyber challenges and needs. The recent
02:32:29cyber attacks impacting Microsoft demonstrate how vulnerabilities within a single vendor can be
02:32:36exploited to gain access to sensitive information and systems, potentially compromising national
02:32:42security. Can you please explain from your perspective the risk posed by the DOD's reliance
02:32:49on a single source vendor? Well, I guess the first thing I would say is,
02:32:57I don't see the DOD moving to rely on anybody as a single source in the technology space. There's a
02:33:05lot of competition that's alive and well at the DOD, and I think that's a good thing, and then
02:33:12the other thing I would say is, just as there is risk in relying on one vendor,
02:33:19there's risks in relying on multiple vendors. I would still rely on multiple, so I don't want
02:33:25anybody to be thinking I'm saying something I'm not, but when you have what we call a heterogeneous
02:33:33environment, meaning technology from lots of different suppliers, you create a lot of different
02:33:38seams, so then you need to have technology and people who can knit it all together, and then the
02:33:43thing we should remember is that a lot of what, say, the SVR, the Russian Foreign Intelligence
02:33:50Agency does, or the GRU, their military, they look for the seams, because those are the places that
02:33:56are easiest for them to get in. So fundamentally, whether you have one vendor or several,
02:34:02the challenge is similar. We all need to work together and just keep making progress.
02:34:08Thank you. Would you agree that the vendor responsible for developing and running hardware
02:34:14and software programs for the DOD should not be the same vendor responsible for testing,
02:34:20security, conducting security audits, or reporting on security?
02:34:26I'd want to think a little bit about the precise formulation of your question. It's a very good one.
02:34:31Mostly what I would say is I think it's well thought out to focus on testing of solutions
02:34:39and how you have, it's almost a first principle in governance, I would say, as somebody who's
02:34:44responsible for a lot of the governance at Microsoft. You want checks and balances. If
02:34:50one group is performing, you want a separate group to be auditing and assessing,
02:34:56and I think that's true in a company. It's maybe even more necessary in a government.
02:35:00I agree. My friend from New York briefly touched on this. Specifically,
02:35:04what are the security implications of China and other potential threat actors
02:35:10having access into your network for so long? What is the threat of that? Thank goodness it was
02:35:17discovered, but what is the threat do you see for them being in your system for so long without
02:35:23being noticed? I would just like to qualify a little bit of the premise, because I noticed
02:35:30in some of the questions that were floating around this week that people suggested that
02:35:35because the Chinese had acquired this key in 2021, and we didn't find it until 2023,
02:35:44that they must have had access for two years. I think that, in fact, they kept it in storage
02:35:52until they were ready to use it, knowing that once they did, it would likely be discovered quickly.
02:36:00Thank you, and that leads to my next question. Are the Chinese still able to access Microsoft's
02:36:05corporate network today? No, not with anything we did before, and we'll do everything we can
02:36:11to ensure that they don't get in any other way. Thank you, and again, I thank you for the way
02:36:16that you've represented yourself and your company today. Mr. Chairman, I yield back.
02:36:21Gentlemen, I now recognize Mr. Crane for five minutes of questioning.
02:36:26Thank you, Mr. Chairman. Mr. Smith, thank you for preparing and coming before the Homeland
02:36:31Security Committee today. Mr. Smith, you're the president of Microsoft, is that correct?
02:36:36That's correct. You're here today to discuss some leaks and vulnerabilities that Microsoft
02:36:42has had in the past and what you guys are going to do to fix them in the future, is that correct?
02:36:46Yes, that's right. Mr. Smith, you said earlier in the hearing that some of your competitors
02:36:51are in this very hearing room, is that correct? So I've been told. They could raise their hands
02:36:57if you ask them, but it's probably not the best use of time. Okay, so would it be fair to say,
02:37:02Mr. Smith, that you understand the importance of being strong and formidable today with some of
02:37:06your opponents or competitors in the room? I'm sorry, I didn't hear. Do you understand the
02:37:14importance of appearing strong and formidable today because some of your opponents and
02:37:18competitors are in the room? I think the reason that, I don't know if I would use the word strong
02:37:24or formidable, I think the reason we need to be responsible and resolute is because of our
02:37:30adversaries abroad, not so much the competition. Okay, about this, Mr. Smith, have you ever heard
02:37:36the saying that weakness is provocative? I've heard similar things. I don't know if I've heard
02:37:41that one in particular, but I understand it. Well, you're running one of the most powerful
02:37:45corporations in the world, so I'm sure that that's something that's not completely alien to you, right?
02:37:53Yeah, it's those, you know, let me put it this way. Size brings power, but mostly what it brings is
02:38:01responsibility. I would much rather focus on the need to be responsible than anything else. Okay,
02:38:05fair enough. Mr. Smith, would you say that attacks against the United States in the cyber field have
02:38:13increased in the last couple years? Absolutely. Didn't you say in your testimony earlier, sir,
02:38:17that it felt like it was open season? Yeah, or yes, I did say that, and I think that's right,
02:38:23and it is an open season on U.S. targets by certain foreign adversaries. How many attacks
02:38:29are you guys seeing a day, Mr. Smith? I had the precise number in my written testimony, what I've
02:38:34been saying here, which is reflected there is more than 300 million per day. 300 million per day? Yes.
02:38:40Wow. Mr. Smith, you're aware you're in the Homeland Security Committee, is that correct?
02:38:44Yes, absolutely. So, you understand that the scope of the Homeland Security Committee is
02:38:48much larger than just cyber attacks, is that correct? Absolutely. Good. Are you aware, Mr.
02:38:55Smith, that there was a reporting just this last week that eight individuals with ties to ISIS were
02:39:01arrested this week in multiple U.S. cities? Did you hear that story? Actually, I was not until you
02:39:06just told me. Okay, well, that happened this week. How about this one, Mr. Smith? Are you aware that
02:39:11of the reporting that Russian ships were 30 miles off the coast of Florida just this week as well?
02:39:16I did hear that or read about it. Yeah. One of my colleagues asked you, sir, he said,
02:39:22what can we do to help you? And nobody really wants to say it in this room, but I'm just going
02:39:26to say it. One of the things that we can do to help you is actually get stronger leadership that's
02:39:31respected around the world. That's actually one of the big problems here, and I think everybody in
02:39:35this room actually knows that. And so that is one of the things that I think that we're going to be
02:39:40doing. But the other thing I wanted to point out, Mr. Smith, is this isn't an isolated incident,
02:39:44right? All these increased cyber attacks that we're seeing, right? We're seeing attacks across
02:39:49the board, and everybody in this room knows it. We're seeing it at the border. We're seeing Russian
02:39:54ships off the coast of Florida. Just this week, eight individuals with affiliation to ISIS were
02:40:00captured in multiple U.S. cities, and that's why I started my questioning, sir, with weakness is
02:40:06provocative, and if you knew what that meant and what it meant to you. Yeah, I understand. Let me
02:40:13just be clear. I have expertise in one field, not in every field, but I understand what it means in
02:40:19my field. I know. I know you do, sir. And we've said this for a long time in this country,
02:40:25peace through strength. There is something to that. And when the United States senses that we're
02:40:30weak, we're feckless, and we have weak and feckless leadership, these are the types of things that we
02:40:36see. And so I'm hoping that not only this body, but the American people can work together to get
02:40:42better leadership for this country, because I know it's going to impact your business.
02:40:46And I want to say one more time, I appreciate you actually coming here today,
02:40:49taking ownership and responsibility, because as some of my colleagues have said, it's not
02:40:53something that we see every day. So thank you, sir. Appreciate it. Well, thank you. And then let
02:40:57me just conclude, because I think this gets us through the entire committee. I would just underscore
02:41:04what I've tried to say throughout. We do understand the importance of what you all do on this
02:41:10committee, what the CSRB and what CISA do, the importance of this report, and we are committed
02:41:17to addressing every part of it.
02:41:21I now recognize the ranking member for his five-minute closing statement.
02:41:25Thank you very much, Mr. Chairman.
02:41:31Mr. Smith, you've done a creditable job in representing your company. You do understand
02:41:37that there are some challenges with running a company like that, and it's only one thing
02:41:48can create a real problem, and I think you've addressed it thus far. So let me thank you for
02:41:56that testimony and committing to participating in the committee's ongoing oversight. Microsoft has
02:42:04an enormous footprint in both government and critical infrastructure networks. It is our
02:42:11shared interest that the security issues raised by the CSRB are addressed quickly, and you've said
02:42:19that the main things you've already done, we appreciate it. This hearing was important
02:42:26to understand last summer's cyber incident and Microsoft's approach to security.
02:42:33In my view, it's just the beginning of an ongoing oversight to ensure that the technology products
02:42:40used by the federal government are secure and that federal vendors take the security obligation
02:42:47seriously. We've had that discussion in my office, and I'm sure you've talked with other members
02:42:54about that. So in that spirit, I got a couple final questions. I told you there's no
02:43:01gotcha kind of thing. If you can say yes or no, that's good, but if you need a little time,
02:43:06I understand that too. Will Microsoft commit to being transparent with its customers,
02:43:13particularly the government, about vulnerabilities in its products, including cloud products?
02:43:21The answer is yes, and the only qualification I would offer is we need to do it in a way where
02:43:26we share information with the right people in the right governments and do it in a way that
02:43:31it doesn't make that same sensitive information available to our adversaries. I'm sure we can do
02:43:38that. If it's a classified setting, as the chairman said, we're fine with it. Yeah. Okay,
02:43:44thank you. Will Microsoft commit to being transparent with its customers about its
02:43:50investigation into cyber incidents, including related to root cause, the scope of impact,
02:43:59and any political ongoing associated threat? Yes, and obviously the same qualification as before,
02:44:06and then I would just add, and we are working to do that, a lot of what we're doing by adding to
02:44:11our chief information security officer infrastructure, governance structure, is an
02:44:16ability and really a desire to get out and share more information with customers the way you describe.
02:44:22Thank you. So will Microsoft commit to establishing benchmarks and time frames for implementation
02:44:29of the CSRB recommendations and the Secure Future Initiative and commit to proactively
02:44:36keeping this committee informed of its progress? Yes. Will Microsoft commit to performing an ongoing
02:44:45and transparent evaluation of risk associated with business ventures in adversarial nations?
02:44:53Yes, I think we need to. Well, I look forward to the committee's ongoing oversight
02:44:59and continued engagement with Microsoft, and one of the things that we're tasked with is
02:45:09looking at keeping America safe, both from foreign and domestic adversaries,
02:45:16and obviously cyber is, in everybody's opinion, a major threat, and so,
02:45:27but you have to talk to us. Believe me, I will. You have just defined not just the mission,
02:45:34but the cause. Thank you. That I think unites all of us. Thank you. I yield back.
02:45:39Gentleman yields. Thank you, Mr. Smith, for coming today, and I'll talk a little bit more
02:45:44about that. I also want to thank our members for what I think was a very collaborative and
02:45:49cooperative, good-tone set of questions. We had, you know, some important things to do here,
02:45:57ask questions of accountability and to determine the responsiveness of the company to the report,
02:46:05but we also had to protect because the bad guys were watching, and so we had to be careful. I want
02:46:12to thank you, too, for the time you've spent in our office just going over some of this stuff as
02:46:16well. I know you made yourself available, both to the Ranking Member and myself, and
02:46:20really appreciate that. He asked, actually asked most of my questions about transparency and things
02:46:27like that, so I just will say this, and I, you know, sometimes government in this public
02:46:35private partnership that we talked about a couple of times, several members brought it up,
02:46:39sometimes government can kind of get in the way, too, and I want to ask that you,
02:46:45you know, educate us as much as possible. I'll give you an example, you know, the SEC ruling
02:46:49on a four-day report for a breach and those kinds of things. I'm under, you know, some of the big
02:46:54cybersecurity companies, I mean, the biggest in the nation, have told me it's a seven or eight
02:46:58day to fix a breach. If we're announcing to the world that at four days we got a hole in the wall
02:47:04and it takes seven days to close the hole, we're inviting, this is government
02:47:08forcing companies across the country to invite the enemy to come in, right? So that's a stupid
02:47:14regulation, and so we need help on understanding where the government also creates problems.
02:47:21So I'd appreciate any, anything comes to mind over, you pick up the phone and call us, okay?
02:47:26And one of the initiatives here, we talked about cyber workforce, one of the other initiatives is
02:47:31the synchronization of the regulations that are out there and to make sure that we're not
02:47:35duplicitous and that we're not contradictory, and as I understand it, there are some regulations
02:47:40that are, so again, we'd ask your company to help us and the competitors who are in the room
02:47:46to understand where government kind of gets in the way of actual cybersecurity, because if we're
02:47:53causing you to have duplicitous effort, that's money that could be spent on real cybersecurity.
02:48:01So in this partnership, we need communication, not just on the issues that are brought up here
02:48:07with this breach that was identified, but, you know, how we can make things better and work
02:48:14better on how we regulate and create compliance requirements, things like that. Thank you again
02:48:21for your time. I thank the witness for his valuable testimony and the members for the
02:48:24questions. The members of the committee may have some additional questions, and by the way, I did
02:48:28already get one that will probably require a classified mechanism, and we can discuss with you
02:48:33and the staff on how we best do that, and we would ask that the witness
02:48:37respond to these questions in writing.