TRANSCRIPT: House Committee Hearing to Assess Microsoft’s Cybersecurity Shortfalls
Gabby Miller / Jun 15, 2024

On June 13, 2024, Microsoft President Brad Smith appeared before the House Committee on Homeland Security to address a series of cybersecurity incidents that left government agencies, public officials, and American citizens vulnerable to attacks by US foreign adversaries. The hearing, titled “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security,” focused on an April 2024 report released by the Cyber Safety Review Board detailing the “Microsoft Exchange Online” intrusion.
The incident, which occurred in summer 2023, involved a state-sponsored actor from China who gained access to the email accounts of high-ranking officials at the State Department and a member of Congress, among others. The threat actor accessed these accounts in summer 2023 by using authentication tokens signed by a stolen key Microsoft created in 2016. Committee members underlined many times throughout the hearing that it remains unclear, to both the public and the government, how the stolen key was obtained or why it was still active in 2023.
Additionally, last November, Microsoft unveiled its Secure Future Initiative, which intended to learn from past security incidents to improve its practices and prepare for the increasing scale of cyberattacks. Only months after its launch, in January, the company voluntarily disclosed that a team of state-sponsored Russian hackers had gained access to highly-sensitive Microsoft employees’ email accounts, some of which corresponded with government officials, using unsophisticated tactics. Referred to as SolarWinds, it was one of the largest cyberattacks in US history and occurred just months after the Microsoft Exchange Online compromise. In the CSRB’s reading, this ‘cascade of security failures’ demonstrated that “Microsoft has not yet implemented the necessary governance or prioritization of security” to address security weaknesses and prevent future incidents.
On the day of the Homeland Security Committee hearing, ProPublica published a piece outlining the ways Microsoft dismissed years of warnings from a former employee about a critical security flaw over fears it would lose government business; this flaw was what eventually led to the SolarWinds cyberattacks. While many committee members referenced the ProPublica bombshell in their five minutes of questions to Brad Smith, the Microsoft President mostly swept it aside. “Look, this is the classic, let's have an article published the morning of a hearing so we can spend the hearing talking about it,” said Smith. He added that he hadn’t “had a chance to read the article yet” as he was at the White House that morning. (The ProPublica article was published at 5 am Eastern Time, and the hearing was held at 1:15 pm later that day.)
Below is a lightly edited transcript of the hearing. Please refer to the official video of the hearing when quoting speakers. Brad Smith’s written testimony can be found here.
Chairman Mark Green (R-TN):
The Committee on Homeland Security will come to order without objection. The chair may declare the committee in recess at any point. The purpose of this hearing is to examine the Department of Homeland Security Cyber Safety Review Board's recent report concerning the summer 2023 Microsoft Exchange Online cyber incident. Specifically, we'll examine Microsoft's view regarding the company's security practices and challenges encountered in preventing significant cyber intrusions by suspected nation state actors, and its plans to strengthen security and measures moving forward. I now recognize myself for an opening statement.
Each and every day the United States depends upon Microsoft cloud services, productivity tools, and operating systems to carry out an array of critical missions. Microsoft is deeply integrated into our nation's digital infrastructure, a presence that carries heightened respect and heightened responsibility. We're holding this hearing today because of the latest Department of Homeland Security Cyber Safety Review Board (CSRB) report. The report attributed last summer's Microsoft Exchange Online hack by Storm-0558, which is backed by the Chinese Communist Party, to, and I quote, "a cascade of security failures at Microsoft." The determinations were based on a number of findings detailed in the report, and I have the report and would like to introduce it into the record, and so ordered.
Specifically, Storm-0558 accessed Microsoft Exchange accounts using authentication tokens signed by an inactive private encryption key that Microsoft created in 2016. The Beijing-backed actor obtained tens of thousands of individual US government emails by compromising the Microsoft Exchange email accounts of US officials working on national security matters relating to China. The CSRB concluded that this intrusion would've been prevented had Microsoft cultivated a strong security culture, which the CSRB said, and I quote, "requires an overhaul particularly in light of the company's centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations." By any measure, this cyber intrusion was not sophisticated. It did not involve advanced techniques or cutting edge technologies. Instead, Storm-0558 exploited basic, well-known vulnerabilities that could have been avoided through basic cyber hygiene. In other words, this was avoidable. This is extremely concerning, and it falls to this committee to do the due diligence and determine just where Microsoft sits and how it's taken this report to heart.
Our goals today are simple. We want to give the company we put so much faith in as a government the opportunity to discuss the lessons learned, the actions taken, and of course to share where they feel the report could have been wrong. To be clear, the US government would never expect a private company to work alone in protecting itself against a nation state actor. We need to do more work to define roles and responsibilities for public and private sector actors in the event of nation state attacks. Our nation's adversaries possess advanced cyber capabilities and substantial resources, often exceeding the defensive cybersecurity measures available to even the most sophisticated companies. However, we do expect government vendors to implement basic cybersecurity practices.
Since this is not the first time Microsoft has been the victim of an avoidable cyber attack, and in light of the report, it's now Congress's responsibility to examine the response to this report. We must restore the trust of the American people who depend on Microsoft products every day. We must also address broader questions regarding the mitigation of economic and national security risks. This hearing aims to shed light on these issues and ensure Microsoft has implemented the CSRB's recommendations to safeguard us from future breaches. As we dive into these issues, we need to keep three things in mind. First, closing the cyber workforce gap, my top priority for the committee this year. The security challenges we face as a nation are compounded by the persistent shortage of cybersecurity professionals. As Microsoft continues its work to invest in our cyber workforce, we must harken back to the lessons from the report.
Our cyber professionals must be trained to think about security first. We must equip them with the right skills to protect our networks and to build our systems securely. Second, we need to define the role of public and private sector entities in protecting our networks against nation state actors, and I think the federal government has been silent for too long on this. These attacks have become increasingly common rather than anomalies. We need clearly defined responsibilities so that we can effectively respond to nation state attacks on our networks in a public-private partnership. Finally, we must address a fundamental issue, the economic incentives that drive cybersecurity investments. As the CSRB report recently revealed, underinvestment in essential security measures exposed critical vulnerabilities. Changing the economic incentives for cybersecurity investment is not about imposing onerous regulations or stifling innovation. It's about creating an environment where the costs of neglecting cybersecurity are outweighed by the potential benefits of comprehensive security measures.
Today we will explore the steps Microsoft is taking to strengthen its security culture through its Secure Future Initiative. While I commend Microsoft for announcing steps to reform its security practices, I want to hear today what Microsoft's follow-through has been on those commitments and on its past responses to other significant cyber incidents such as SolarWinds. One of my biggest concerns is Microsoft's presence in China, our nation's primary strategic adversary, and the regime's responsibility for the hack we're discussing today. Over the years, Microsoft has invested heavily in China, setting up research and development centers, including the Microsoft Research Asia Center in Beijing. Microsoft's presence in China creates a set of complex challenges and risks, and we have to talk about that today as a part of our discussion on the security issue. Mr. Smith is a longtime key leader within Microsoft. I anticipate that you'll help us understand the gaps that enabled these recent cyber intrusions.
The American people, as well as the numerous federal agencies that depend on Microsoft, deserve those assurances that their data and their operations will be protected. And Mr. Smith, we appreciate your presence here today and look forward to your testimony. I also would like to let the members of the committee know, and listen up team, that should your question require an answer that would necessitate movement to a secure location, Mr. Smith will be the only one who knows that answer once you ask the question. Look, China and Russia, Beijing and Moscow are watching us right now, and if you don't think that's true, you're naive. The last thing we want to do is empower our adversaries in any way, Members. If Mr. Smith says the answer would require a secure facility, please accept this and ask another question. The committee staff will determine the best way or mechanism to get you the answer in a secure and classified manner. With that, I yield now and I recognize the ranking member for his opening statement.
Ranking Member Bennie Thompson (D-MS):
Thank you very much Mr. Chairman. I'd like to thank you for holding this hearing on the Cyber Safety Review Board investigation of an intrusion into federal networks involving Microsoft. At the outset, I want to be clear this is not a gotcha hearing. It's not the committee's goal to shame, embarrass or discredit the witness, Microsoft or any other entity mentioned in the CSRB report. We have three objectives today: accountability, securing federal networks, and securing the broader internet ecosystem. Last year we were disturbed to learn that a state sponsored threat actor from China had accessed the email accounts of high ranking officials at the Department of State and Commerce and an email account of a member of Congress, among others. As the investigation unfolded, we learned that the threat actor accessed these accounts by forging tokens using a stolen key from 2016 and that the State Department, not Microsoft, had discovered the intrusion by August.
Secretary Mayorkas announced that the CSRB would review the Microsoft Exchange Online intrusion and the malicious targeting of cloud environments. The CSRB engaged in a thorough and expeditious review and its report was released earlier this year, and I might add the chair just included a copy of that report in the record. The CSRB did exactly the kind of review it was supposed to do, and it did so in a manner only the government can. The CSRB examined a serious incident and made pointed findings and recommendations that will ultimately improve how Microsoft, other cloud service providers and the government approach security. It is incumbent on this committee to hold Microsoft, one of the federal government's most prominent IT vendors and security partners, accountable for the findings and recommendations in the report. Microsoft deserves credit for cooperating with the board's investigation, but make no mistake, it's Congress's expectation that Microsoft or any similarly situated company would do just the same.
Microsoft is one of the largest technology suppliers in the world and its products are used by governments and private sector entities alike. The company provides an estimated 85% of the productivity software used by the federal government. Microsoft also sells security tools and is one of the government's top cloud service providers. Moreover, a reported 25 to 30% of its government revenue comes from non-competitive contracts, at least in part due to the terms of its licensing agreements. Any company with such a significant footprint in our federal network has an obligation to cooperate with a government review of how a Chinese threat actor accessed sensitive information by exploiting vulnerabilities in one of their products. Turning to the report's findings, the CSRB determined that last summer's intrusion was, and I quote, "preventable and never should have occurred." Additionally, it found that Microsoft's security culture was inadequate and requires an overhaul. As someone responsible for overseeing the security of federal networks that rely heavily on Microsoft, and as a user of Microsoft products myself, I find these observations deeply troubling.
The CSRB report exhaustively described how last summer's incident occurred and includes a thorough history of the threat actor's previous activities. Importantly, the report observed that the security community has been tracking the threat actor for over 20 years. Over that time, the threat actor has demonstrated tactics and objectives like those we saw in last summer's attack, dating back to Operation Aurora in 2009 and an RSA compromise in 2011. The threat actor has a well-documented interest in compromising cloud identity systems, stealing sign-in keys, and forging tokens that would enable access to targeted customer accounts. For over a decade, every technology provider in the world has been on notice and should have stepped up their approach to securing identity and authentication accordingly. But the CSRB found Microsoft did not do so, and while Microsoft did cooperate with the CSRB investigation, the board found the company was slow to be fully transparent with the public, most notably about how the threat actor obtained the sign-in key.
To this day, we still do not know how the threat actor accessed the sign-in key. Microsoft's explanations about why the key was still active in 2023 and why it worked for both consumer and enterprise accounts. As I remain troubled that Microsoft was reluctant to be transparent with the public, it was not confident about the root cause of the incident. My concerns about whether we can rely on Microsoft to be transparent were heightened this morning when I read a ProPublica article about how an employee alerted Microsoft's leadership to a vulnerability in its Active Directory Federation Services before security researchers publicly reported it in 2017. That vulnerability, which Microsoft chose not to fix, was ultimately used by Russian hackers to carry out secondary phases of the SolarWinds attack in 2020. Even more troubling, the article recounts Microsoft's testimony before the Senate in 2021, which denied that any Microsoft vulnerability was exploited in SolarWinds.
Transparency is a foundation of trust and Microsoft needs to be more transparent. In 2002, Bill Gates said, "When we face a choice between adding features and resolving security issues, we need to choose security." The CSRB found that Microsoft had drifted away from this ethos. I agree. Last November, Microsoft announced a Secure Future Initiative, touting a reinvigorated approach to security, but in January, Microsoft itself was compromised by Russian threat actors who used unsophisticated tactics to access the emails of high level employees. Unfortunately, those emails included correspondence with government officials and put the security of federal networks at risk. Once again, basic cybersecurity tools that were not enabled would've thwarted this intrusion. In May, following the CSRB report, Microsoft announced an expansion of the Secure Future Initiative that committed to making security a top priority. But the same month Microsoft announced Recall, a new feature that takes and stores periodic snapshots of a user's computer screen, which has raised concerns among both privacy and security experts.
I understand that last Friday Microsoft modified the rollout of Recall in order to incorporate significant changes. I hope it will continue to consider these concerns of security and privacy as it rolls out new products. On a final note, I've been warned that the committee's oversight of this incident will chill private sector cooperation with the board in the future. That cannot and should not be the case. I want to put future subjects of CSRB investigations on notice. This committee will not tolerate refusals to cooperate with legitimate investigations undertaken by the board, particularly when federal networks are involved. Any effort to obstruct CSRB investigations into a cyber incident would invite significant scrutiny by this committee and would certainly force expedited consideration of proposals to grant CSRB greater investigatory powers. Microsoft is one of the federal government's most important technology and security partners, but we cannot afford to allow the importance of that relationship to enable complacency or interfere with our oversight. National security demands that technology providers continue the evolution toward transparency so we can better secure the digital ecosystem. With that, I look forward, Mr. Chairman, to a productive conversation today about how Microsoft will improve its security culture and thereby the security of its customers. And I yield back.
Chairman Mark Green (R-TN):
I thank the ranking member for his opening remarks. Other members of the committee are reminded that opening statements may be submitted to the record. I'm pleased to have a distinguished witness here before us today and I ask that our witness please rise and raise his right hand. Do you solemnly swear the testimony you will give before the Committee on Homeland Security, the United States House of Representatives, will be the truth, the whole truth, and nothing but the truth, so help you God? I do. Let the record reflect that the witness has answered in the affirmative. I would now like to formally introduce our witness. Mr. Brad Smith currently serves as the vice chair and president of Microsoft Corporation, where he plays a pivotal role in steering the company's strategic direction in legal affairs. He joined Microsoft in 1993, initially leading the legal and corporate affairs team in Paris, and later held various senior roles in the legal and corporate affairs department.
Under his leadership, Microsoft has tackled significant legal challenges and been at the forefront of critical policy debates including cybersecurity, privacy and artificial intelligence. Among other issues, he has testified numerous times before the United States Congress and other governments on these key policy issues. Before joining Microsoft, Mr. Smith worked as an associate and then partner at Covington & Burling, a prestigious law firm here in Washington. He holds a bachelor's degree from Princeton University and a law degree from Columbia University. I thank the witness for being here and I now recognize Mr. Smith for five minutes to summarize his opening statement.
Brad Smith:
Well thank you Mr. Chairman and thank you Ranking Minority Member Thompson. Thank you to all of you for the opportunity to be here today. I think the two of you captured it so well, so much of what is so important for us to talk about this afternoon. A lot of times in life the most important words to heed are words that are difficult to hear. So as you can imagine, as I listened to the two of you just now, it wasn't how I hoped I might spend an afternoon in June when the year began, but we're here for an important reason. It starts with the role this committee plays, the protection of the homeland security of the United States, and the reality is you cannot protect the homeland security of this country without protecting the cybersecurity of it as well. And that is a shared responsibility between the public and private sectors.
And hence what you do to oversee us and others in the private sector is critical. I think the most important thing for me to say, the most important thing for me to write in my written testimony is that we accept responsibility for each and every finding in the CSRB report. As you can imagine, you get a report, you look at it, it's difficult to read. You sort of think how are you going to react? And when I sat down with Satya Nadella, Microsoft's chairman and CEO, we both resolved immediately that we would react without any defensiveness, without equivocation, without hesitation, and we would instead use this report to make Microsoft and the cybersecurity protection of this country better. That's our goal. And part of that frankly involves accepting responsibility, apologizing to those that were impacted. As I have done in person, it involves reminding our employees of something that I often say to them, no one ever died of humility.
Use the mistakes you make so you can learn from them and get better. Of course, that only works if you actually use what you learn and you do get better and I appreciate that's where both of you are pushing quite rightly. And that involves two things. It involves strategy and it involves culture. So from a strategic perspective, we did start last November to apply the lessons we were learning already from Storm-0558. That's why we launched the Secure Future Initiative. But I think here what's most important is the CSRB's recommendations. There are 25 of them, 16 are really applicable to us or only to us, 12 to all cloud services and other technology providers. So we have mapped all 16 of those recommendations onto our plan for our Secure Future Initiatives so that we will do each and every one of them and we're making progress, but we're not stopping there.
There are 18 other concrete recommendations that we have incorporated as part of this plan, and we have measurable milestones. In fact, we now have the equivalent full-time of 34,000 engineers working on this project. This is the largest engineering project focused on cybersecurity in the history of digital technology. But I think you ask a second question as well, is that enough? And I think if we did that alone, it would not be. That's what you're saying. And those are words I heed as well. And that is why we're focused on changing, strengthening, and building a world-class security culture. And I look forward to talking about that. It starts with the tone at the top. It needs to reach all of our employees, and just yesterday, our board of directors approved two new steps. One will change the compensation of our most senior people so that annual bonuses are tied in part to cybersecurity, with an exclusive focus on it.
But second, I think even more than that, this will become part of the biannual review for every employee at Microsoft, what they're doing on cybersecurity. And then I would conclude by saying that I think the two of you captured it so well. Everything else we need to think about here, because if we improve Microsoft alone, that won't be enough. We're dealing with four formidable foes in China, Russia, North Korea, Iran, and they're getting better. They're getting more aggressive. We should all expect them to work together. They're waging attacks at an extraordinary rate. So I welcome the opportunity to ask ourselves, to learn together, what can we do in that space as well. You framed some excellent ideas in your two openings. I look forward to talking about them. Thank you.
Chairman Mark Green (R-TN):
Thank you. Mr. Smith members will be recognized in order of seniority for their five minutes of questioning. I want to remind everyone to please keep their questioning to five minutes. An additional round of questioning may be called after all members have been recognized, I now recognize myself for five minutes of questioning. I was intrigued from your statement and your written testimony about the-- lemme start by saying this. We as human beings respond to initiatives or incentives, I'm sorry, incentives. Economics is about the study of incentives and you mentioned the recent payroll changes for your senior executives and I wonder if you're at liberty to discuss how deep that goes, what level of leadership, and I think that's a novel approach and I'd love to hear more about that.
Brad Smith:
Sure. Let me say two things. First, the board of directors took the first step yesterday and it acted a bit ahead of schedule. We ordinarily make these decisions in July, August, but for the 16 most senior people in the company including our CEO, including me and others, with the new fiscal year, which starts July 1, one third of the individual performance element of our bonus will be about one thing and one thing only: cybersecurity. So that's the first thing. Second, the board did note that when it awards bonuses for the fiscal year--that ends at the end of this month--it will take the cybersecurity performance of the individual executive into account. But the thing we probably spent the most time as a senior leadership team talking about the last month or so is how to create incentives for everybody. And of course it's based on the culture of the company and our processes.
So twice a year, every employee has a form and a conversation with their manager. We call it a connect form, and they first reflect and show what they've done and then the manager comments and they talk about it. And so what we've created is a new piece of this that everyone will have to address on cybersecurity. And the thing I like about it most, to be honest, is it gives every employee at Microsoft the opportunity to think, what have I done? What could I do? How am I doing? And then be rewarded at the end of the year based on that.
Chairman Mark Green (R-TN):
That's encouraging. Having run a company myself, I think about how you tie the incentives that drives the performance and what people make the priority, so I appreciate that. Let me ask a little bit about your involvement in China. I'd love to get a little bit more detail of granularity on where you are right now. What's your current posture and what are you sharing with the Chinese people or to the Chinese government? I mean are you having to give up code and what the involvement there is, if you don't mind elaborating on that a little bit?
Brad Smith:
Sure. It's a broad topic. We have a few different activities in China. It's not a major source of revenue for Microsoft globally. It accounts for about 1.4, 1.5% of our revenue. We do have an engineering team that we have been reducing and we announced most recently that we were offering about 700 or 800 people the opportunity to move out of China, and they were going to need to move out of China in order to keep the job they have. So we've been reducing our engineering presence. There are two things that we do that we believe are very important. First, we do run some data centers, cloud services, principally I would say for the benefit of multinational companies who do business in China. And we're not alone. Others in our industry do the same thing. But the reason I think this is so important is if you're an American automobile company, an aircraft company, a pharmaceutical company, a coffee company, you need to use the cloud when you're in China, we want their American trade secrets to be stored in an American data center in China.
Chairman Mark Green (R-TN):
Let me, if I could jump in, what access does the Chinese government have to that?
Brad Smith:
None.
Chairman Mark Green (R-TN):
Okay.
Brad Smith:
And believe me, every time there is anything remotely close to a request, I always ensure we say no.
Chairman Mark Green (R-TN):
Okay. Very specifically on this hack because it did come from China. Can you talk how you are with your presence in China, ensuring that that source isn't going to use your location in China as a vector if you can? What are you doing there to prevent that?
Brad Smith:
I think it involves having a very direct understanding yourself of what your guardrails are, what your limits are, what you can do and what you won't do. You have to know your own mind. We do. Second, you've got to be prepared to look people in the eye and say no to them. And that's something I do myself. I was in Beijing in December. I got pushed because there was unhappiness about reports that we've made publicly about attacks from China, about US critical infrastructure and about influence operations. And I said there are lines that we don't believe governments should cross. We're going to be principled and we're going to be public, and there are many things we're not going to do in China and there'll be things we're not allowed to do in China. But I think at the end of the day we have to know our principles.
Chairman Mark Green (R-TN):
Thank you. My time has expired and I now recognize the ranking member for his five minutes of questioning.
Ranking Member Bennie Thompson (D-MS):
Thank you very much Mr. Chairman. I'd like to enter into the record the ProPublica article entitled "Microsoft Chose Profit Over Security and left US Government Vulnerable to Russian Hack, Whistleblower Says."
Chairman Mark Green (R-TN):
So ordered.
Ranking Member Bennie Thompson (D-MS):
And I'm sure you are somewhat familiar with that article and the fact that we were left vulnerable with that situation. Can you say to us or commit to us that you have established a process or ombudsman to ensure that employee concerns about security at Microsoft or their products are prioritized and addressed?
Brad Smith:
Well, one of the changes we've just made as part of the Secure Future Initiative is a new governance structure. It takes our chief information security officer, or CISO as it's called in the industry, creates an office and then puts Deputy CISOs in every part of the company. And the job of these individuals is to constantly monitor and assess and pick up feedback and apply a principled approach to address these things. So I would hope that that would address part of what you're referring to. I would say one other thing though, the fundamental cultural change that we are seeking to make is to integrate security into every process, as we've really thought a lot over the last couple months. What's the key to getting better when your adversary is investing and constantly changing? And the thing that we have really concluded is there's a lot that we can learn from what's called total quality management. This really came out of American business thinking, and then Toyota really innovated in the 1980s, and the basic process was to empower every employee to focus on continuous employment, sorry, continuous improvement, and speak up. And that's what we're trying to do, empower every employee to be able to speak up, and there's going to be debates. I mean I don't think one can say that the debates will end, but to ensure that those voices are heard and heeded.
Ranking Member Bennie Thompson (D-MS):
Well, and I trust based on what you've said, that that will be--going forward, that anybody who comes forward with something they will be at least heard and responded to with respect to that. We are here because of Storm-0558 as it's commonly referred to. And the real concern is Microsoft didn't find the problem. It was the State Department. Help us out.
Brad Smith:
That's a great question and the one thing I'd ask all of us to think about is that's the way it should work. No one entity in the ecosystem can see everything. So we all need to work together. And the way networks are, people will see specific endpoints. In this case, as you know, it was the individuals at the State Department who saw the intrusion into the State Department email system. First of all, you ought to give those folks a medal. In all seriousness, that is fantastic. That is real innovation and great professionalism at work. And so they let us know, and by the way, we're the ones, interestingly enough, at the same time, who identified the Chinese intrusions into electricity companies, water companies, air traffic control systems. We're all going to see different things. And so when somebody else sees it, we should applaud and say thank you. Not say, oh, I wish I had found it instead.
Ranking Member Bennie Thompson (D-MS):
Well, I wish it was that simple. But we have a real challenge. And because you are such a big customer of government, we rely heavily on your product and it's not our job to find the culprits. That's what we are paying you for. So I want you to, don't switch the role.
Brad Smith:
I'm not switching it at all. I appreciate what you're saying for sure.
Ranking Member Bennie Thompson (D-MS):
Right. So maybe we'll have another round, Mr. Chair -- So the federal government is one of your largest customers. As I said, how can you earn back the trust that this situation has caused?
Brad Smith:
I think it's just critical that we acknowledge shortcomings, accept responsibility, devise a strategy to address them, change the culture, be transparent about what we're doing, and always listen to feedback.
Ranking Member Bennie Thompson (D-MS):
Thank you.
Chairman Mark Green (R-TN):
Gentleman yields. I now recognize the gentleman from Louisiana, Mr. Higgins, for his five minutes of questioning.
Rep. Clay Higgins (R-LA):
Thank you, Mr. Chairman. Mr. Smith, congratulations on your company's success. In fact, it's the success of Microsoft that makes you such a big target, isn't it?
Brad Smith:
That's certainly a part of it.
Rep. Clay Higgins (R-LA):
Would you generally agree that Microsoft has grown so massive because of your own technological advancements that you have driven from within your company and because of the trust that has been extended to Microsoft products through the decades?
Brad Smith:
Yeah, I think that's fair. I think success comes from many things, but of all of the factors that we place the most importance on, I would say earning and retaining the trust of our customers.
Rep. Clay Higgins (R-LA):
So we're in agreement and Microsoft's a great company. Everybody in here has some kind of interaction with Microsoft. We really don't have much choice. So it is critical that this committee gets this right. And quite frankly, the American people, myself included, we have some issues with what has happened and how it happened and what has transpired since. And yet there's no plan B really we have to address with you is what that means. Sometimes life comes down to, my dad used to say there's always one guy. It's always one guy. And today, congratulations. You're the one guy.
Brad Smith:
I'm the guy. I get it.
Rep. Clay Higgins (R-LA):
So I have a couple of difficult questions and I apologize for any discomfort. I am a gentleman, but again, you're the guy. Why did Microsoft not update its blog post after the hack they call, it's very fancy here, America called an intrusion? But after the hack, the 2023 Microsoft Online Exchange intrusion, why did it take six months for Microsoft to update the means by which most Americans would sort of be made aware of such a hack?
Brad Smith:
Well, first of all, I appreciate the question. It's one that I asked our team when I read the CSRB report. It's the part of the report that surprised me the most. We had five versions of that blog, the original and then four updates. And we do a lot of updates of these reports. And when I asked the team, they said the specific thing that had changed, namely a theory, a hypothesis about the cause of the intrusion changed over time, but it didn't change in a way that would give anyone useful or actionable information that they could apply.
Rep. Clay Higgins (R-LA):
Okay. So you see, Mr. Smith, respectfully, that answer does not encourage trust and regular Americans listening are going to have to move the tape back on the Microsoft instrument and listen to what you said again, but you didn't do it. I mean, you're Microsoft, you had a major thing happen and the means by which you communicate with your customers was not updated for six months. So I'm just going to say I don't really accept that answer as thoroughly honest, but I need to move on to another question.
Brad Smith:
Could I just add -- then could I just say to -- I said the same thing and we had the same conversation inside the company.
Rep. Clay Higgins (R-LA):
Okay. I accept that, that you did. So bigger question: China. I mean you go to China, you meet with, you like went to China, I guess you made many trips there. You're doing business there, that's fun. But you meet with Chinese Communist Party officials and you reiterated Microsoft's support for helping the CCP achieve technological advancements. I believe this is your quote: "I'm asking you to actively participate in the digital transformation of China's economy." I believe that was your statement. And my question is, does it strike you as contradictory that you'd make that statement just months after China sponsored the attack that we're discussing? And I yield for your answer, sir.
Brad Smith:
The reality is that was not my statement. I chose my words more carefully. That was the statement made by an official of the Chinese government attributing it to me.
Rep. Clay Higgins (R-LA):
So that was not your quote?
Brad Smith:
Let me just say I was more careful and precise in what I said and that was not my quote.
Rep. Clay Higgins (R-LA):
So you find it contradictory, or?
Brad Smith:
Sorry?
Rep. Clay Higgins (R-LA):
You say that's not your quote, but was that the position of Microsoft?
Brad Smith:
What I said --
Rep. Clay Higgins (R-LA):
My time has expired. I'm just trying to complete this answer.
Brad Smith:
I'll just thank you for giving me the opportunity. I explained in a meeting that there were areas where we thought it was appropriate and even important for us to be present and participate, but I did not choose or use the words. When I saw that quote appear, I was like, interesting.
Rep. Clay Higgins (R-LA):
Thank you, sir. My time has far expired. I yield.
Chairman Mark Green (R-TN):
Gentleman yields. I now recognize Mr. Swalwell for his five minutes of questioning.
Rep. Eric Swalwell (D-CA):
Thank you, Chairman. And I wanted to echo the ranking member's sentiment that I don't view this hearing as a shaming of any particular company, but rather an opportunity to learn from mistakes in the past so that we can better secure the digital ecosystem, especially with a company that has such a large footprint in that ecosystem. And so first, Mr. Smith, I was hoping we could go back to the ProPublica story where an employee alleges that a vulnerability was discussed and it was at the same time you were seeking government business and knowing that you do have so many government clients today, as we sit here today, are there any vulnerabilities within your operating system that have been expressed to you similar to what was alleged in the past that would affect any government system that you're aware of?
Brad Smith:
What I would say is that everything that we're doing is focused on identifying every vulnerability that we can find, every vulnerability our employees can find, so we can go address them. And given the diversity of digital technology, given the complexity, I'm not sitting here today aware of anything that fits your description, but I am constantly hoping that every day we'll have people who find something and raise it so we can fix it. That's the culture we need, I think.
Rep. Eric Swalwell (D-CA):
So we can fix it, which I think is the theme here today in that spirit of what can we fix? What did you learn from the internal decision making process on updating the blog post on the root cause of how the Chinese threat actor got the key? What would you do differently in an existing attack?
Brad Smith:
A lot of times people say, why do you update things so often? You lose people's attention. I think the answer is because we need to, and we updated that particular blog four times, it was at least one time too few. We should have updated it again. And so I just think that the lesson learned is maybe it's something you see a lot in life. It's hard to over communicate, let's work even harder to over communicate.
Rep. Eric Swalwell (D-CA):
You discussed in your written testimony the growing connection between nation state activity and ransomware. A city in my congressional district, Hayward, was hit very hard and experienced a ransomware attack last year where the city's online operations were crippled and a state of emergency was declared. Where do you see these ransomware attacks happening and what types of targets in the United States do you see as most at risk?
Brad Smith:
Well, this is a critical issue. I hope this committee and we all can find new ways to work on it, because it was last July in Hayward where, as you know, systems went offline for two weeks. In Hinds County, in the second district of Mississippi, they had a similar problem. They had to write a check for $600,000. I suspect it had to be converted to cryptocurrency and it was probably mailed to Moscow even if it was over the internet. This is a scourge and the number one vulnerability right now, and it's just I think so disconcerting, is that ransomware operators are focused on hospitals, rural hospitals. There were 389 healthcare institutions last year that were victimized. And so some of the suggestions that the chairman and Ranking Member Thompson alluded to at the beginning, I think require that we all come together to help these institutions.
We launched an initiative just three days ago and we weren't alone. The White House did it, Google did it. We all need to do this together, but I also think we need to send a message. I think that message has to be sent to Moscow. We need to remind them that when we fought with them 80 years ago, it was to protect people. And it was reflected four years later in the Geneva Convention that said, even in times of war, governments have to protect civilians. And this is supposed to be a time of peace, at least between our two countries. And what are they doing? They are enabling their employees to use the tools they get at work and go home and run these ransomware operations and target hospitals or cities and counties, schools, the Jackson School District, the Vicksburg Warren School District. This is unconscionable. And I think we have to find our voice not only for ourselves, but with our allies, and not only as governments, but with the tech sector, with the business community. And we have to find a way as a country to create a deterrent reaction because right now this is just open season. It's open season on the most vulnerable people in our country, and we have to find a way to change that.
Rep. Eric Swalwell (D-CA):
Thank you, Mr. Smith. I yield.
Chairman Mark Green (R-TN):
Gentleman yields. I now recognize Mr. Gimenez for five minutes of questioning.
Rep. Carlos Gimenez (R-FL):
Thank you, Mr. Chairman. And I know a lot of other committee members are going to hone in on the security breach. I'm more interested in Microsoft's presence in China, which I consider to be the greatest existential threat to our security here in the United States. Your presence in China, is that a joint venture or is that fully owned by Microsoft? What's the nature of that relationship?
Brad Smith:
I don't recall all of the precise corporate structures. We do operate as a subsidiary. We also do have a joint, we have at least one joint venture for certain activities.
Rep. Carlos Gimenez (R-FL):
Are you aware of the 2017 National Intelligence Law in China?
Brad Smith:
Yes, I am.
Rep. Carlos Gimenez (R-FL):
Do you know what that law states?
Brad Smith:
If I remember correctly, one of the things it states is that when an organization finds a vulnerability, it has to report it.
Rep. Carlos Gimenez (R-FL):
No, sir. That's not the one, that's not where I'm going. Okay, so here I just happen to have AI myself.
Brad Smith:
Hopefully it's ours.
Rep. Carlos Gimenez (R-FL):
Oh yeah. I don't know, if it is, it's pretty bad for you. It says this, okay. Okay. Yep. In China, there is a law called the National Intelligence Law that was implemented in 2017. This law requires all organizations and citizens to cooperate with China's intelligence agencies, including the People's Liberation Army in matters of national security. While the law does not specifically mention companies working in China, it does apply to all organizations operating within the country, including foreign companies. Do you operate in China?
Brad Smith:
Yes, we do.
Rep. Carlos Gimenez (R-FL):
Do you comply with this law?
Brad Smith:
No, we do not.
Rep. Carlos Gimenez (R-FL):
How is it you got away with not complying with the law? Do you have a waiver from the Chinese government saying that you don't have to comply with this law?
Brad Smith:
No, we do not. But there are many laws--
Rep. Carlos Gimenez (R-FL):
You do not.
Brad Smith:
But there are many laws -- there are two types of countries in the world, those that apply every law they enact and those that enact certain laws, but don't always apply them. And in this context, China, for that law is in the second category.
Rep. Carlos Gimenez (R-FL):
Do you really believe that? Because look, I sit on the Select Committee on China, and that's not the information that we get, is that all companies in China have to cooperate with the intelligence agencies of China and the People's Liberation Army. You operate in China and you're sitting there telling me that you don't have to comply with the laws of China.
Brad Smith:
I will tell you that there are days when questions are put to Microsoft and they come across my desk and I say, no, we will not do certain things.
Rep. Carlos Gimenez (R-FL):
But you're compelled by Chinese law to do it. And the people in China that work for Microsoft are violating Chinese law when they don't do it.
Brad Smith:
And I always make sure that it's clear to the Chinese government that if the Chinese government wants to sue somebody, they need to sue me.
Rep. Carlos Gimenez (R-FL):
It's not about suing you. In China, they don't sue you, man, they arrest you. Okay? Do you understand that?
Brad Smith:
Clear. And we make clear that there's no point in arresting people who have no authority to do these things.
Rep. Carlos Gimenez (R-FL):
They have the authority to do those things because it's their law. You're in China.
Brad Smith:
I'm talking about our employees.
Rep. Carlos Gimenez (R-FL):
Okay. Yeah. Your employees in China are subject to Chinese law, are they not?
Brad Smith:
But they don't have the ability to make these decisions. We've taken that out of their hands.
Rep. Carlos Gimenez (R-FL):
I'm sorry. I just, for some reason, I just don't trust what you're saying to me. Okay, you're operating in China. You have a cozy relationship in China. You're there. They allow you to be there, and I can't believe that they're going to say, yeah, okay. No problem. You don't have to comply with our law that everybody else does. Every other foreign company has to, but not Microsoft. I'll take you at your word. I'm just demonstrating to you the problems that we have with American companies working in China and that for 1% of your resources or of your income, is it really worth it to be in communist China, especially when you have such a law that says you have to comply with their intelligence agencies and the PLA?
Brad Smith:
The thing I would ask all of us to think about, and look, I appreciate your questions and the seriousness of them. We think constantly about these things. I do think that there's two valuable reasons for us to be in China, and I think they both serve the interests of the United States. The first is to protect American information, American trade secrets of American companies who are doing business in China. And the second is to ensure that we're always learning from what's going on in the rest of the world.
Rep. Carlos Gimenez (R-FL):
I only have 13 seconds. Could I say this? Those American companies and all these American secrets that are working in China, they have to comply with the same law. Do you think they all do? Thank you. And I yield back.
Chairman Mark Green (R-TN):
Gentleman yields. I now recognize Mr. Correa for five minutes of questioning.
Rep. Lou Correa (D-CA):
Thank you, Mr. Chairman. I just welcome you, Mr. Smith. And also, as the ranking member said, this is not a shaming situation, but yet reading on this issue, I've been on Homeland for eight years. This is very disturbing. That statement is an understatement as to how I'm feeling right now. What do I tell my constituents back home that actually pay you for your services? That an unsophisticated password spray, password key, well-known vulnerabilities enabled this to happen?
Brad Smith:
I think, I would hope you would tell them --
Rep. Lou Correa (D-CA):
I'm asking you.
Brad Smith:
Oh, what should I tell them?
Rep. Lou Correa (D-CA):
What should I tell them?
Brad Smith:
I would hope that you would share with them that we acknowledge these issues.
Rep. Lou Correa (D-CA):
They're paying you for your service. It's not a freebie. They're paying you. I pay you. I run your service up here and at home. I also pay you for service.
Brad Smith:
I want people to know on the one hand--
Rep. Lou Correa (D-CA):
Not one hand or the other, just tell me straight up, what's the message?
Brad Smith:
The message has two parts. First, we see our customers attacked more than 300 million times every day, and we have people who work 24/7 –
Rep. Lou Correa (D-CA):
Are we doing our job as the federal government in helping you? Or is there something else we can do to help you do your job better?
Brad Smith:
I think that there are all things that we could do more together, and I would love to see the federal government focus on a few key things. I think that the investment in cybersecurity training that the chairman mentioned at the outset is an imperative. I think we have done a lot. We have trained as a company, 203,000 people in this nation in the last four years on cybersecurity, but we need the federal government to do more. I think we need federal assistance to help our critical infrastructure providers upgrade their technology. I think we need a kind of collective response--
Rep. Lou Correa (D-CA):
Do you and Microsoft need to invest more in this area?
Brad Smith:
We are investing more. We've increased our investment, but more than that, I think it's--
Rep. Lou Correa (D-CA):
Do you believe that Microsoft responded on a timely basis to these known breaches?
Brad Smith:
We both responded immediately with people who worked 24/7 pretty much around the clock.
Rep. Lou Correa (D-CA):
As soon as you found out this stuff was happening, you responded?
Brad Smith:
I'm sorry?
Rep. Lou Correa (D-CA):
As soon as you found out or you find out these breaches are occurring, you respond?
Brad Smith:
Oh, absolutely. One thing I would love for you all just to know is that despite these tens of millions of attacks every year--
Rep. Lou Correa (D-CA):
Do you respond to known vulnerabilities immediately?
Brad Smith:
Yes. We respond to every intrusion. We address vulnerabilities.
Rep. Lou Correa (D-CA):
We know the challenges that our competitors around the world pose to us, friendly and unfriendly, and I would love to talk to you sometime in the SCIF to tell us exactly what it is that we need to do to make sure this doesn't happen again. As I am beyond shocked to read about this situation, you have our trust, our business, both at the public and the private sector, and to hear about what's going on here is very disturbing at best. I hear you saying, you know what, we are here to cooperate fully. The damage, though, I've got constituents back home that have lost money because of malware, so on and so forth. It's painful. The private sector, they run on your platforms. They trust you being on top of your game. Any thoughts?
Brad Smith:
We are determined. We start by acknowledging where we fell short and we are focused. I had the last comment made with our board of directors yesterday was by the senior engineer leading what we call the Secure Future Initiative, and her last words to our board were, we want you to know our engineers are energized by this.
Rep. Lou Correa (D-CA):
My last nine seconds, I would ask you, we often say here that the chain is only as strong as its weakest link. Are you going to strengthen up? Are you going to do a better job over there?
Brad Smith:
Absolutely. And let me just say this in closing, I would hope that you would share with your constituents, we never take their trust for granted.
Rep. Lou Correa (D-CA):
Chair, I'm out of time.
Chairman Mark Green (R-TN):
Gentleman yields. A point of clarification, for the record, it was 300 million attacks a day. Did I hear that correctly?
Brad Smith:
Yes, that's correct. Against our customers that we observe, we detect more than 300 million such attacks every day.
Chairman Mark Green (R-TN):
Okay. Just clarifying for the record, I now recognize Mr. Pfluger for five minutes of questioning.
Rep. August Pfluger (R-TX):
Thank you, Mr. Chairman. Mr. Smith, thanks for being here. I want to talk about the collaboration in many committees on Capitol Hill. We're talking about this balance in tension between safety and security and liberty and private enterprises. And so what I really want to hear from you is talk to us about the relationship with CISA. I know you've mentioned this in testimony written and also today, but just talk to us about how that relationship is, what can be better from your side? What can be better? What you expect from the government? Is it a mandate for reporting from the government? Is it voluntary round tables in a classified setting? I'd like to hear a little bit about that and I have some follow on questions.
Brad Smith:
Yeah, I think CISA is a critical agency. It's been moving in a positive direction overall. I think the CSRB plays an important part of this. I think that ultimately we would benefit from finding more ways to keep working together across the tech sector and then with the, and other agencies in the US government, and frankly with our allies, because it's an entire ecosystem that we're seeking to defend and nobody can do it by themselves. And I think fundamentally, just as the CSRB's words were well taken by us, we needed to focus on our culture. I think we have a collective culture, and it's a collective culture that we need to work on by inspiring more collaboration, not just with the government, but frankly across our industry so that people can compete. Somebody said there's no plan B, I think about two thirds of the folks who are sitting behind me in this room are trying to sell plan B to you in one way or another, and that's okay, but there's a higher calling here as well. And I like to say the truth is when shots are being fired, people end up being hit and they take their turn being the patient in the back of the ambulance, everybody else, you're either going to be an ambulance driver or you're going to be an ambulance chaser. Let's be ambulance drivers together.
Rep. August Pfluger (R-TX):
Well, let's drill down to that and the relationship that you have with the US intelligence community with DoD. The thing that's unique about Microsoft is you pretty much cover every sector, every industry, every household, businesses, but when you look at the relationship with the national security entities, tell us what the biggest gaps are right now to making sure that they can stay secure in their operations.
Brad Smith:
The thing to think about is that defenders too often work in silos. Every company thinks about their products. Every agency thinks about what they have. Attackers look for the seams between the silos. The more silos you have, the more seams you have, and just as there are seams in different technology products, because most customers deploy them together, there are seams across the government. So a lot of times, one of the challenges for us is that the parts of the government, when this information is coming in about, say, an active cyber attack from a place like China, that information doesn't necessarily flow from one part of the federal government to another. And there's a lot of work being done to address this, but I think that needs to be advanced more quickly as a matter of priority.
Rep. August Pfluger (R-TX):
300 million attacks a day, that's incredible. Finally, lemme just talk about, I think, this is the Committee on Homeland Security, we're very worried about what nation state actors and non-nation state actors are doing and how that affects our homeland. Obviously the PRC and the CCP’s attempts to undermine this country, our government industries, intellectual property, all of it is a massive concern. And so I know you've mentioned this before here today, but just talk to us a little bit about the relationship with the PRC. How does that affect intellectual property, things that you have that could be either exploited for their benefit to undermine the United States of America?
Brad Smith:
I would say two things. I mean, first, any company that has valuable intellectual property has to be very careful to protect it from theft unless it's IP that they're publishing. And a lot of code is published in open source form, but you have to think about how to protect it so it doesn't go where it should not. And there are certain intrusions, especially from say, a place like the PRC that are focused on discovering trade secrets.
Rep. August Pfluger (R-TX):
And knowing that is Microsoft taking steps to improve what you're protecting and seeing?
Brad Smith:
Absolutely. Absolutely. I mean, the other thing just to know is that the adversaries are constantly changing their tactics. If this were a case of just saying, gee, this is what was done in 2022, let's all go fix what was done in 2022, then you'd feel good. But I guarantee that what is done in 2025 is going to be different from what is being done in 2024. You constantly have to learn, adapt, and change, which is what we're doing.
Rep. August Pfluger (R-TX):
Thank you. My time's expired. I have more questions. We'll submit 'em for the record. Mr. Chairman, I yield back.
Chairman Mark Green (R-TN):
Gentleman yields. I now recognize Mr. Carter for five minutes of questioning.
Rep. Troy Carter (D-LA):
Mr. Chairman, thank you very much. And Mr. Smith, thank you for being here. Mr. Smith, it's no secret that our critical infrastructure is being targeted. I'm particularly worried about rural hospitals and how they continue to be targeted and attacked by nation state threat actors. Just this week, Microsoft announced a new rural hospital cybersecurity program. One of the hospitals in my district, St. James Parish Hospital, is a participant. Would you describe this program and how it will help the nation's rural hospitals defend against attacks?
Brad Smith:
Yes. Thank you. And we talked a little bit about this before, obviously, and I just think it's a critical priority for the whole country because people's lives literally are at stake. What we have launched this week is first a program to provide technology assistance to hospitals, especially rural hospitals, giving them security tools at the lowest possible price. In some cases, it's a 75% discount. In some cases it's free of charge for a year. The second thing we're doing is then going in and helping with, call it know-how advisors, technology assessments so we can work with people. The third thing we're focused on is then trying to help them use technology so that they can be more effective. As I'm sure you are seeing right now, there are a lot of rural hospitals in this country that are barely afloat. And when a rural hospital closes, not only do people lose access to local healthcare, but some of the good jobs in a community are destroyed at the same time. And there's a shortage of people to work in these hospitals. So one of the things we're trying to focus on is how can we use digital technology, especially AI, to improve the quality of rural healthcare, reduce the costs, not just for the patients, but for the operators of these, especially small hospitals with say, 25 or fewer beds. So we're trying to put together a holistic approach that we think could make a difference.
Rep. Troy Carter (D-LA):
What about HBCUs or other small organizations that could likewise use technical assistance and the help that might be in a similar situation financially as a rural hospital?
Brad Smith:
Well, we have educational pricing in general, but I would say there's two categories in the educational community that deserve special priority, and we're trying to give them special priority. One is HBCUs and therefore we've created a special program to invest in them to provide scholarships to work on cybersecurity training. And the second is the nation's community colleges. I feel that this is the great resource, the 1,000 plus community colleges in this country. We need to equip them and send them into this battle, and that requires three things. One is equipping them with the curriculum, which we can do, and other tech companies have done a good job as well. I want to spread credit.
Rep. Troy Carter (D-LA):
Lemme do this. I don't want to interrupt you, but we've got a few more questions and a little bit of time.
Brad Smith:
Okay. I'll let you go real quick. I'd be happy to talk to you any time.
Rep. Troy Carter (D-LA):
Was that a yes?
Brad Smith:
Yes, that is a yes, absolutely.
Rep. Troy Carter (D-LA):
That you are prepared to and have programs to work with other disadvantaged opportunity organizations, particularly the HBCUs?
Brad Smith:
Yes.
Rep. Troy Carter (D-LA):
Okay, great. Increasing frequency and sophistication of nation state cyber attacks in the United States. Do you agree that the country's currently lacking in having successful deterrent strategy? So what steps are needed to enhance deterrence and what can we do in addition to partner with you to do that?
Brad Smith:
This is a critical and hard problem we need to solve as a nation, and it requires we do three things. First, we've got to draw the red lines so it's clear to the world what they cannot do without accountability. Second, we need transparency. We need collective action with the private and public sector and with allied governments so that when those red lines are crossed, there is a public response and people know what has happened. Third, we need to start defining some consequences because right now these threat actors are living in a world where they are not facing consequences.
Rep. Troy Carter (D-LA):
Real quickly, I've got 30 seconds and I've got a real important question. I'm going to read this because I want to make sure I get it right. Earlier this year I was briefed by members of the Cyber Safety Review Board about its review of last summer's incident, and I wanted to raise an issue we discussed there on value logging. Members of this committee have for years raised concerns that Microsoft was charging extra money for customers to gain access to basic logging data that customers need to identify and investigate cyber incidents. When you or one of your representatives testified before the committee in the aftermath of the SolarWinds breach, they explained that everything that we do is designed to generate a return other than philanthropic work. The State Department paid for extra logging, generating a profit for Microsoft, and ultimately used these logs to detect this attack. But not every customer had that logging capability enabled. Last summer, Microsoft finally announced that it would provide free logging to customers and in February made those logs available for all federal customers. Why did it take so long to make this decision and what went into changing your mind?
Brad Smith:
Well, in fact, we've even gone a little bit farther than what you described.
Rep. Troy Carter (D-LA):
That's fine. Could you just answer the question I asked?
Brad Smith:
I wish we had moved faster and had gone farther. I think there was a focus on the real costs associated with keeping and retaining logs, but we should have recognized sooner, especially as the threat landscape changed, that we would be best served, I think, as we are now, by not just retaining but providing these logs for free.
Rep. Troy Carter (D-LA):
So what's the status of providing free logs to all customers and not just federal agencies?
Brad Smith:
Basically what we've decided is for all of our so-called enterprise offerings, there are three layers and for all of them, we retain the logs for six months, which is what the CSRB recommended, and we will provide those logs, say these are individual customer logs, we will provide them to those customers. They get access to them when they need them at no additional cost.
Rep. Troy Carter (D-LA):
Would you agree that it's as important for Microsoft, the company to have this level of security for its customers as it is for customers to in fact have the security?
Brad Smith:
Yes.
Rep. Troy Carter (D-LA):
Thank you. My time has expired.
Chairman Mark Green (R-TN):
Gentleman's time has expired. I now recognize Ms. Greene for five minutes.
Rep. Marjorie Taylor Greene (R-GA):
Thank you, Mr. Chairman. Mr. Smith, this has been a very engaging, intriguing conversation. I'm a business owner, so I've been listening to this and taking it in and thinking about it through that lens. You started with something that I find impressive. You said you accept responsibility and I just want to commend you for that. I appreciate it. We don't hear that very often here, but I think it's valuable and I think it's right. So I just wanted to say thank you. I understand that Microsoft has a unique role to play in our cybersecurity landscape as it's responsible for nearly 85% of the productivity software such as Word, Excel, and PowerPoint used by the US government. Given the company's presence, Microsoft is of course at significant risk of cyber attacks over 300 million a day. Is that true? 300 million a day.
Brad Smith:
We detect 300 million a day against our customers, so that's what we get to see given all of the telemetry we have. Last year, if you look at phishing attacks, we had 47 million against ourselves over the year.
Rep. Marjorie Taylor Greene (R-GA):
Wow, that's far more than I could have even comprehended. And of course these are serious and we're all, everyone here on the committee is recognizing that as you stated in your testimony, cyber attacks have become more prolific. Just as you stated, and as a result of the attack that your company went under in May of 2021, the Biden administration released an executive order on improving the nation's cybersecurity, which required the establishment of the Cyber Safety Review Board under DHS. I want to talk to you a little bit about the board. I think of course oversight is important, but I think there should be more action taken by our government to prevent cyber attacks. So could we talk a little bit about the board? My understanding is the Cyber Safety Review Board is a mix of government and industry representatives. Is it true that Microsoft is not represented on the board?
Brad Smith:
That's correct.
Rep. Marjorie Taylor Greene (R-GA):
Are any of your competitors on the board?
Brad Smith:
Yes, they are.
Rep. Marjorie Taylor Greene (R-GA):
So essentially, so how did this work when this attack happened, the board? Can you talk a little bit about that process?
Brad Smith:
Yeah, and you're getting at such a critical question because I will say first I think we benefit from having this kind of organized effort. I think it's probably a mistake to put on the board people who work for competitors of say a company that is the subject of a review. The spirit of this when it was created was to create a community of people who could learn together, but I just don't, I'm less concerned about the way the process worked, and I just worry that where people want to take it in the future and just make hay out of others' mistakes and I'm just not sure that's going to do us that much good.
Rep. Marjorie Taylor Greene (R-GA):
Right. So did CSRB, did it share with Microsoft what your competitors said about their own security practices?
Brad Smith:
I don't believe so. I don't know. I don't believe so. I could be wrong, but I don't believe so.
Rep. Marjorie Taylor Greene (R-GA):
And with your competitors on the board helping produce the report, was this used in any other way in the marketplace?
Brad Smith:
Yeah, and I want to say two things because first I think the most important thing for me to do and for Microsoft to do is what you said at the outset. I just want to be here and accept responsibility and I don't want to deflect any of that responsibility. We have the highest responsibility, but second, the words that I would offer and I'll offer it to the folks in the back who work for our competitors because there's a bunch of them here. It's fine. Go tell people that you have something better, but we have to have a higher cause here. We are not the adversaries with each other, even though we may compete with each other. The adversaries are our foreign foes. So let's try to exercise a little self restraint about how we work these processes because I don't think that the next company that gets an invitation from the CSRB is likely to be necessarily as willing as we were to share everything which we did.
Rep. Marjorie Taylor Greene (R-GA):
Well, I agree. I think competition is healthy. I do too. In the business world, I think it's great, actually. I enjoyed it for years and years, but I think oversight is also extremely important. And of course, I think everyone in this room agrees that we do not want any foreign country gathering any of our information, whether it's from an American citizen to our government. Of course, CISA also has a bad reputation, especially among Republicans. They colluded with big tech and social media companies, stripped many Americans of their First Amendment rights. So that was another reason why I wanted to ask you a little bit about the board and how that worked. But furthermore, I have more questions, but I'm out of time. I think it would be extremely important for there to be assistance from the federal government and protecting not only companies like yours but mom and pop companies. I mean across the board to regular citizens from cyber attacks. It's a serious problem and it will continue. I'm out of time. Thank you.
Chairman Mark Green (R-TN):
The gentlelady yields. I now recognize Dr. Thanedar for his five minutes of questioning.
Rep. Shri Thanedar (D-MI):
Thank you, Chairman. And thank you, Mr. Smith, for being here. I owned a small technology company before I came into public service, a much smaller technology company, and I was involved with some eight different acquisitions. Now the CSRB raised questions about Microsoft's mergers and acquisitions compromise assessment program after it failed to detect that a laptop belonging to an employee of an acquired company had been compromised. The board went on to recommend that large enterprises develop robust M&A Compromise Assessment Programs, recognizing adversaries might view the inquiry as an entry point to the parent company. How is Microsoft improving its M&A Compromise Assessment Programs? Is there additional support or guidance the federal government should be providing the private sector regarding M&A Compromise Assessments?
Brad Smith:
I'm not sure of the answer to your last part, but I do know that it's critical that we do more. We've been focused on this for a long time and it's sort of, I'll even say, an obvious thing that when you acquire a company, you have to take a close look at its cybersecurity controls, which we long have and do. And yet, as the CSRB report found, we had an inadequacy. So in part to address this, part of the governance change we're implementing is to have a new Deputy Chief Information Security Officer focus solely on the integration of companies that are acquired. We clearly need to step it up and will.
Rep. Shri Thanedar (D-MI):
Thank you Mr. Smith. As you state in your testimony, nation state adversaries are becoming more aggressive. Countries like China, Russia, Iran, and North Korea present grave threats to our national security and defending against them will require public private cooperation that prioritizes strengthening cybersecurity across government networks and critical infrastructure. Considering our reliance on large IT vendors like Microsoft, our defenses will only be as strong as our technology providers are. That is why it was so disappointing to see the CSRB report that Microsoft had failed to properly secure its products. Microsoft must do better, and I expect that Microsoft will continue to update the committee on its progress. Congress must also do more to ensure the federal government has the resources to meet the goals of President Biden's ambitious national cybersecurity strategy. Mr. Smith, how is Microsoft improving its security to protect itself and its customers to address these increased foreign threats?
Brad Smith:
Well, it's a multifaceted effort and as I said in my written testimony, it really starts with what is today the largest engineering project focused on cybersecurity in the history of digital technology with detailed milestones, 34 different categories. And I think that's critical, but it really is, I think a new approach to cybersecurity culture. It's a new approach for Microsoft, and the more time I spend with it with my colleagues, the more encouraged I am. Because fundamentally, it's about taking security and making it part of the engineering process and every process treats it like quality and cultural change. And several of you have commented about this, I just think it's so important. We want a culture that encourages every employee to look for problems, find problems, report problems, help fix problems, and then learn from the problems. That's what we need to do and we need to do this in a way that doesn't put security in its own silo, although there are special security teams, but make security part of everyone's job. I think that is one of the indispensable steps we are taking and really need to take.
Rep. Shri Thanedar (D-MI):
Thank you. And with my last 30 seconds, what investments should Congress prioritize to improve our national defenses against nation state cyber threats?
Brad Smith:
Invest in the American people, invest in the training of the American people, provide more scholarship assistance so that Americans can go to a community college, go to a historically black college or university, get a course, get a certificate, get a degree in cybersecurity. There are 400,000 open jobs in the United States today in cybersecurity. Help us fill those jobs.
Rep. Shri Thanedar (D-MI):
Thank you.
Chairman Mark Green (R-TN):
The gentleman yields. I now recognize Mr. Gonzales for five minutes of questioning.
Rep. Tony Gonzales (R-TX):
Oh, thank you, Mr. Chairman. Mr. Smith, is Microsoft Teams a secure platform?
Brad Smith:
I believe it is. I use it every day for lots of sensitive conversations.
Rep. Tony Gonzales (R-TX):
I would say I'm concerned. I'm concerned with the trust level that Americans have with Microsoft for a variety of different reasons. I believe Microsoft has been a trusted agent for a long time. And let me give you an example. If you work for the Department of Defense, you, and let's say you want to communicate with others in an unclassified environment, but let's say it's in an official capacity, oftentimes the conversation is don't use Zoom or others like that because that's an unsecured platform. Let's use Microsoft Teams. And what I'm seeing, what I'm starting to hear, is more and more government officials, government agencies, DoD affiliated folks, not trusting that. So if Microsoft, if they don't trust that, what options do you have? Once again, I understand if it's a classified setting, but I'm talking about how do you reach people without a CAC card, without having to go down the CAC card route. Is there anything that is in the works in order to regain some of that? Whether it's warranted or not, there is an eroding amount of trust within Microsoft. Is there anything in the pipeline that will regain that trust among DoD affiliated organizations?
Brad Smith:
Well, first of all, I appreciate the fundamental gravity of the question. I would say that we are continually and constantly focused, as part of this work that we're doing, on increasing the security for every aspect of what we do, including Teams and every aspect of it. And I feel comfortable talking with the DoD or others on Teams. I want them to feel comfortable and I want them to know that we are not stopping where we are because our adversaries are not stopping where they are. We are going to continue and are continuing to invest in hardening the security of Teams even more than it has today.
Rep. Tony Gonzales (R-TX):
Thank you for that. A large part of what we do on this committee is try to get everyone out of silos, right? All these agencies are in silos. Every time there's a national security threat, you look back at these reports and it's always somebody knew something, but when did they know it? And part of that is the ability to communicate in a FOUO setting where you feel as if maybe it's not quite the classified level, but you feel not everyone's listening on it. I just would reiterate how important that is from a national security standpoint to ensure that the government has at least some platforms like Microsoft Teams. My final question is this. How is Microsoft planning to combine your SFI while ensuring tools and software remain user-friendly and accessible?
Brad Smith:
Great. First of all, I want to just thank you for your first set of questions and I will quote you back in the company's headquarters. Second, the point that you make is also so critical because we have to make security first the top priority, but we have to make it easy for people to use. And so we do need to synthesize these things and I think one of the virtues of what we're doing is not just calling on deeply technical engineers, but also people say in the field of software design and elsewhere. And I think part of our quest, I think it's a great quest for all of us, not just at Microsoft, but across the industry, is to continue to have what we call security by default. So that when people get a new computer, a new software program, all of the security settings are on by default. They have what we call security by design so that it is designed so that it's not only effective but easy for people to use and easy for people to know what is happening. So we're focused on all of those things and I'll just say there's, I think a lot more coming.
Rep. Tony Gonzales (R-TX):
Thank you for that response. Trust is the name of the game and we have to make sure that Americans continue to trust these different platforms that are out there. So thank you once again for testifying before the committee and chairman, I yield back.
Chairman Mark Green (R-TN):
The gentleman yields. I now recognize Mr. Magaziner for five minutes of questioning.
Rep. Seth Magaziner (D-RI):
Thank you, Chairman. One of the joys of speaking in the order after our colleague from Georgia is that I'm often handed notes to correct incorrect statements that she made. So I just want to enter into the record that Microsoft's competitors were recused from the findings, the final report and the recommendations of the CSRB Microsoft investigation. Just so that's in the record. Now, Mr. Smith, the article that Mr. Thompson, Ranking Member Thompson, referenced earlier had to do with the so-called SolarWinds breach, in which Russian hackers infiltrated Microsoft's cloud service and were able to gain access to some of our country's most sensitive secrets, including information from the National Nuclear Security Administration, which oversees our nuclear stockpiles, and the National Institutes of Health. You provided testimony to the Senate Intelligence Committee in which you stated that the flaw that allowed that breach to occur only became known to cybersecurity professionals at Microsoft when it was published in a public paper in 2017. It has now been widely reported that former employee Andrew Harris discovered the flaw a year earlier, alerted his superiors and other company executives, and proposed a series of solutions that were rejected. So can you now agree that the testimony that you offered to the Senate Intelligence Committee about what Microsoft knew about that flaw and when Microsoft knew it was incorrect?
Brad Smith:
Well, look, the first thing I would say is I know that came out in an article this morning, I haven't had a chance to read the article yet. I was at the White House this morning.
Rep. Seth Magaziner (D-RI):
Okay, so if you can't say, I'll just note that the article cited numerous sources inside the company, not just that one individual. But if you're not prepared to say that, then we can move on.
Brad Smith:
Okay.
Rep. Seth Magaziner (D-RI):
I agree with what Chairman Green said earlier about the importance of incentives, and so I welcome the news that came out, I believe yesterday, that one third of the individual performance element of bonuses for senior executives will be tied to cybersecurity performance. How much of the total compensation package for senior executives is the individual performance?
Brad Smith:
It depends on the individual. It depends on the year. I'll say roughly more than enough to get people's attention for sure.
Rep. Seth Magaziner (D-RI):
But roughly, like a ballpark.
Brad Smith:
Of the cash portion? It's probably, I don't know. I will say about 15 or 20% of. If you add stock, it's much lower.
Rep. Seth Magaziner (D-RI):
Alright, well if you could follow up on that, that'd be helpful because just to be clear, a third of the individual performance element sounds good, but it depends on how big the individual performance is as a part of the whole. If it's 10% of the total compensation package, then the cybersecurity incentive would only be 3% of the total package and would potentially count less toward the total than revenue targets or profitability targets or other things. On the other hand, if it was 60% of the whole, then that would be a much more meaningful incentive. So having some understanding of how large a percentage of the whole that individual performance element is would be instructive.
Brad Smith:
Yeah, you're making a good point. The one thing I would just add is if there's one thing that's true at Microsoft and across the tech sector, people like to get good grades. This is, let me just say, this is one third of their total grade.
Rep. Seth Magaziner (D-RI):
I asked a question, if you don't have the information now, that's fine. I have a few more questions. On that individual performance incentive, that portion of the compensation, is it restricted stock? Is it something that can be clawed back and if so, do you know how far back the claw back can be exercised?
Brad Smith:
Some of these details are still to be refined, but this is the bonus, the cash bonus that people get each year.
Rep. Seth Magaziner (D-RI):
I would just suggest, since it's still being refined, if it's a cash bonus, then that suggests it would be difficult to claw back, and a cybersecurity lapse may not become known until years after the fact. And so I would suggest that perhaps some sort of a clawback mechanism could make the incentive more powerful. Finally, piggybacking on the chairman's question. The article that was published today stated product managers at Microsoft, product managers, not senior executives, had little motivation to act fast, if at all, to address these security flaws since compensation was tied to the release of new revenue generating products and features, with one former employee stating you will get a promotion because you released the new shiny thing, you are not going to get a promotion because you fixed a bunch of security bugs. So given the importance of people at the product manager level, is there any plan for their compensation to be tied, at least in part, to meeting cybersecurity goals?
Brad Smith:
The answer is yes. One of the decisions that was announced yesterday that I provided in my addendum is that every single Microsoft employee as we get to the new fiscal year, will have as part of their biannual review, a mandatory part to talk about cybersecurity to do precisely what you just described.
Rep. Seth Magaziner (D-RI):
If you'll indulge me for a second, so part of their review, but is there sort of a portion of their compensation that's directly tied to the cyber portion--to the cyber factor, as will be the case with senior executives to some extent?
Brad Smith:
It won't be as formulaic, but everybody knows that the bonuses, the compensation we call them, rewards that you get at the end of the year are based on those reviews and how people do over the year.
Rep. Seth Magaziner (D-RI):
I know I'm over, but I'll just say I want to state, I do believe it is a positive and I think a good example that we are integrating cyber into compensation packages. I just want to make sure that we're doing it in a way that is really going to be impactful. So I'll yield back. Thank you.
Chairman Mark Green (R-TN):
Gentleman yields. I now recognize Mr. Garbarino for his five minutes of questioning.
Rep. Andrew Garbarino (R-NY):
Thank you, Mr. Chairman. Good to see you, Mr. Smith. In its report, CSRB's overarching conclusion is that Microsoft's security culture requires an overhaul given its centrality in the technology ecosystem. And I believe a lot of the recommendations that they recommended you're already putting into place. With the series of the findings of this CSRB report and the recommendations provided now, and how the report was written, and now that we're all here having a hearing on it, how do you anticipate future voluntary cooperation with the board's requests for information? Because the CSRB is not created -- it's not in statute, they can only get the information that is provided to them by people who complied, like your company. What do you anticipate happening now in the future with other requests?
Brad Smith:
Well, I guess the short answer is I don't know, but I hope three things will ensue. One is that people will remember that we collaborated and provided everything that the CSRB asked for. Two that I came here today and we acted as a company with a real spirit. I hope you'll see of humility, of accepting responsibility, of avoiding being defensive or defiant. And three, then I hope that people will look back 6 and 12 months from now and say, and that you all hope others will do the same. Because I think if you all can help us encourage that kind of spirit of responsibility, that's how we'll get better because we know our adversaries are going to get better, so we have to find ways to get better too.
Rep. Andrew Garbarino (R-NY):
I appreciate that. I do appreciate you being here and all the meetings that we've had and discussions. And I know you've been working with CISA as well and the CSRB board. You brought up Secure by Design in one of your last questions and I've had a lot of conversations about that. I think my committee's actually going to have a hearing on Secure By Design. Can you talk about what Microsoft's doing? Can you go a little further into what Microsoft is doing with Secure By Design?
Brad Smith:
Yeah, Secure By Design actually connects with, I would say, several of the pillars of what we call our Secure Future Initiative. We're focused on our engineering systems and our production systems, and then those really come together, in my view, to encourage our software developers to integrate security into the design of new products so that, as we say, it's baked in. And I think one of the key things that we've really sought to internalize is, as I've said here, to make security part of everybody's job and not just part of the work of the security team. In hindsight, I think that's one of the mistakes that we, I think, relied almost too much on the security experts and didn't do enough to ask everybody to make security part of their job. So some of you have asked about this Recall feature. I think it's a great lesson. I mean, we're trying to apply it as a lesson learned, so if somebody's creating the Recall feature, they need to think about the security aspects of the Recall feature. It hasn't even been launched yet, so we've had the time to do this right. But we're trying to focus on culture change. Culture change requires constant role modeling and practice. And so each time we go through this, we're talking very publicly so that everybody can see, inside and outside Microsoft, quite tangibly how people can weave this into the design decisions they're making.
Rep. Andrew Garbarino (R-NY):
Well, I think secure by design is very important. As we all know with cybersecurity, a lot of the intrusions come from end user error and you're only as strong as your weakest link. So I think having more secure by design in these products or having secure by design implemented would be great for everybody, every user of Microsoft product or any product. And just finally, you mentioned too, you had the question, what should we invest in? And you said the America, the people scholarships. I think that's true, and I know the chairman is working on a piece of legislation that would do just that. What is Microsoft doing on that end? We can do stuff. What is Microsoft doing to help with workforce?
Brad Smith:
Well, we've provided free curriculum, but more than that, we've provided free training to 203,000 Americans on cybersecurity over the last four years. We've provided 21,000 scholarships. And the thing I would leave with you all is, as you all may know, if you work with community colleges, the students in these colleges are not well to do. They're usually trying to earn a living and go to college at the same time, and if something goes wrong in their life, it can just throw them out of the ability to go to community college. These don't have to be hugely expensive scholarships, but they are so impactful and I would really hope and ask and encourage you all. I know Mr. Magaziner is a sponsor on one of these bills, the chairman, you're crafting these things. If you can make it a priority, it will help everybody.
Rep. Andrew Garbarino (R-NY):
Thank you very much. I know I'm a little over. I yield back.
Chairman Mark Green (R-TN):
Gentleman yields. I now recognize Mr. Ivey for five minutes of questioning.
Rep. Glenn Ivey (D-MD):
Thank you, Mr. Chairman. I appreciate that. Mr. Smith, thank you for being here today. We appreciate your presence. I wanted to ask, this might be a little off the beaten path here, but about AI. The representative from New York, Ms. Clarke, allowed me to join onto a bill of hers. It goes to AI deepfakes and the like, and we've got legislative efforts to fix these. Part of it might entail litigation and the like, but my sense of this is that as a remedy, it just takes too long to implement it in a way to address one of these things. On the radio the other day they were talking about middle school bullying now using sexual deepfakes. Guys are putting up pictures of preteen girls in some instances that are deeply psychologically damaging to them. So since litigation and legislation, we have to make those adjustments to address the problem. But I mean I think a bigger part of it's going to have to be technological, and to address the AI aspect of it, it seems to me that we need an AI counter to that. I don't know what's coming along those lines, but I'd like to know if Microsoft or if you're aware of anything that's being developed that could help with that, to address that issue in the very near future.
Brad Smith:
Yes, and I mean first of all, I appreciate your focus on this. I was watching the hearing you all had a couple of weeks ago on AI and you were raising it there and I think that's a good thing. First, I think we need to understand the problem. I think you captured it well. We are seeing the creation of AI based deepfakes in a way that can threaten candidates all of you, to be honest, this year.
Rep. Glenn Ivey (D-MD):
Well, I'll come to elections in a minute,
Brad Smith:
But as well as say teenage girls, women, many others, so the solution is threefold. One put in place more guardrails around our legitimate products, so it's harder for people to use it for abusive purposes. The second is --
Rep. Glenn Ivey (D-MD):
Give me an example of the guardrails.
Brad Smith:
Basically when we have products, we have some ourselves, Microsoft Designer, you build in an architecture, it has classifiers so that if someone is going to do something, you detect what they're doing and in certain cases you stop them from doing it. So if they feed up, they try to take a photo of someone and remove their clothes, you say, no, that's not allowed. I mean things as about as straightforward as that, but there's a complex and I think very sophisticated architecture involved. Second AI is very good at detecting the use of AI to create images and it's always going to be a cat and mouse game and you get debates among the technology experts, but I have a level of optimism myself about what I see our people in our AI for Good lab doing to detect these problems. Third, you've got to be able to respond. You've got to be able to use AI then to stop it or to take it off a platform, and we do need good old fashioned education so that people are aware, so that parents are aware of what their kids might be doing or the problems the abuses their kids may be. It's really multifaceted.
Rep. Glenn Ivey (D-MD):
Let's back up to number two and that's detection, which I take it would be not so much you have to rely on the parents or even the individual who's the target because it might be a while before they even become aware of the issue. What sorts of detection mechanisms are on the near horizon that could be implemented?
Brad Smith:
Well, we have detection mechanisms that we have in place today and we're focused on specific problems in particular. If I could, one of them is elections--
Rep. Glenn Ivey (D-MD):
How widely available are they?
Brad Smith:
Well, we are offering free training for every candidate for office in the United States. We've done this in 20 other countries. We have a website--
Rep. Glenn Ivey (D-MD):
Let me back up. I want to go back to, because we're going to look out for ourselves at some point because we have the ability to do that. I'm more worried about the deepfakes for especially teenage girls and the like, what's available for them?
Brad Smith:
Probably not as much as we need is what I would say.
Rep. Glenn Ivey (D-MD):
Okay, what steps can we take? How can we move?
Brad Smith:
Absolutely. I think we put in place guardrails. You're asking a good question. Let me take it back and let me ask our folks. What could we create for more people that would empower them to do what every candidate can now do, namely report a deepfake about themself.
Rep. Glenn Ivey (D-MD):
Okay, I appreciate that very, very much. Last question, with respect to elections and misinformation, disinformation, especially the stuff that's coming out, maybe even on election day or during that time period when elections have begun, is there a sufficient process in place that coordinates private sector, the public sector, and potentially voters to address this concern? I apologize to the chair for running over.
Brad Smith:
I'll just say I think a lot of progress has been made and as we get into the summer months and the two conventions, it's a really important question for all of us to have together in a way that is genuinely bipartisan. We're working with, there's a national association of state election directors. We're working with them so that they can protect their infrastructure, that there are means to educate people about deepfakes and the like. Frankly, what we're hoping can happen at both of the political conventions is some conversations about how we can enter the election season, say that starts on Labor Day, with all the protections that we're going to need, and we're basing that on a lot of work. We were in Taiwan for that election. We've been in Europe for the spring. We'll be in the UK and France and we're trying to take everything we learn each step of the way and apply it.
Rep. Glenn Ivey (D-MD):
Thank you for your answer. I look forward to hearing back from you. And Mr. Chairman, I appreciate your indulgence. Absolutely.
Chairman Mark Green (R-TN):
The gentleman yields and I now recognize the gentleman from Mississippi, Mr. Ezell.
Rep. Mike Ezell (R-MS):
Thank you Mr. Chairman, and thank you Mr. Smith for being here and thank you for holding us here today. The federal government and many Americans trust Microsoft to protect our critical cybersecurity infrastructure. Unfortunately, we're here today because Microsoft has fallen, Microsoft has fallen short in some of these areas, especially worried about our national security. A recent report to Congress from the US-China Economic and Security Review Commission linked multiple cyber attacks to the CCP. The report directly calls out breaches of Microsoft's emails, servers at the US Department of State and the Department of Commerce. Of course, the CSRB report in greater detail describes Microsoft's cultural issues related to security, which we have highlighted, Mr. Smith, with the CCP and the Russian Federation backing state-sponsored cyber attackers. All organizations face this threat regardless of their resources or reputation. Breaches are inevitable, and I acknowledge the federal government has a role that we've got to play here. However, despite being known as a leader in defending against attacks, it appears that Microsoft Office had some failures which could have been avoidable. And I know you've addressed this, but I want to discuss the company's other investments, specifically its AI offerings and how it could relate to your plan to improve its cyber capabilities. I'll start by asking you, do you believe that as AI becomes integrated into more products and services, the potential for attacks increases?
Brad Smith:
I think we'll see two things almost inevitably and perhaps we sooner already are. One is our adversaries will use AI to try to pursue more sophisticated attacks, but second, we are already using AI to strengthen security defenses. And I have to say I'm very optimistic about what AI can and already is being used to do to strengthen cybersecurity protection in two ways. One, AI is especially good at detecting anomalies in data, looking for patterns, and we have threat hunting teams at Microsoft. We probably have more threat hunting teams than anybody else, but seeing what people can do when they have AI to help them detect these patterns, that is key and that's going to be important across the industry. The second is to help the chief information security officers, the CISOs, the cybersecurity professionals across the country. So we've got a product, a cybersecurity copilot.
Others will have similar things. It basically takes a lot of work that these folks have to do and it helps them do it faster. It helps them do it better. And I think that that's going to be a good step as well go back to this gap, the 400,000 open jobs. Hopefully what AI will do is in effect lower the barrier to entry because an individual who wants to join this profession, and I hope more people will, they'll say, Hey, I don't have to learn everything I might've had to learn five years ago because now I have an AI tool that will help me as well. And I think we're seeing that now. We're going to see it accelerate in the next couple of years.
Rep. Mike Ezell (R-MS):
Thank you. What specific cybersecurity measures is Microsoft implementing to protect the additional surface for attacks? What are you doing additionally to protect?
Brad Smith:
Your question goes to detection and that's a critical piece and it's one of the six pillars that we have in the Secure Future Initiative that I mentioned. And I will tell you I'm very proud of the teams we have. Great people who are just so committed to the mission, but it sort of goes back to then using more technology and more AI so we can make them more effective. We get so much data that we've got to basically integrate all of the data that we have so it's more usable by our threat hunters, and we need to use AI to make it easier for our threat hunters to find things faster. So I think this cutting of silos, connecting what we call data graphs using AI, I think it's going to make our people, I think every company that does this will find that it can get better with these approaches.
Rep. Mike Ezell (R-MS):
Quickly. One of the things I'd like to follow up with what Mr. Ivey was saying was talking about some of these generated photographs. And as a local county sheriff, for many times we had parents that would come in and their teenage daughter had been victimized, and we basically had nowhere to go to investigate to follow up to catch some of these bad actors that are doing this thing. I would ask you as part of your training to infiltrate these local sheriffs and police officers, especially in the rural areas that have limited opportunities to have the use of some of the things that we've described talked about today. Because it breaks my heart to see a child go through that when it's been a totally false accusation and then for them to go back to school. So I would really encourage you to put that on the front burner so that we could help our local law enforcement to try to stop some of this.
Brad Smith:
I would just say, and I know our time is out, but yes, we will. And you're right in two fundamental ways. First, I appreciate, I mean, some of the most moving things that I've seen over the years have been information from police officers, local law enforcement who are working to protect kids who are being victimized in the way you just described. And second, the other group I should have mentioned when Mr. Ivey asked is the National Center for Missing and Exploited Children, NCMEC. These are, in my view, real heroes for all of us. We all work together and support them and rely on them. And I think this is this great alliance we have in this country between law enforcement, NCMEC, and then tech companies and our competitors are part of this. This is one area where I think the industry's pretty united and the world's better for it.
Chairman Mark Green (R-TN):
Gentleman yields. I now recognize Ms. Ramirez for five minutes of questioning.
Rep. Delia Ramirez (D-IL):
Thank you, chairman. Good afternoon, Mr. Smith. I'm freezing here, but I think you might be a little warmer. You've been a little more active. So I've been hearing our conversation today in the hearing, and for us, it's pretty clear we have two homeland security threats that this hearing is really trying to take up. One of those is cybersecurity attacks, and the other is concerning tech monopolies and monocultures driven by profit, sometimes supremacy and secrecy, and I feel like both are existential threats to the health and wellbeing of our democracy. When incidents like the 2023 Microsoft Exchange breach happen and bombshell, damning reports like what was published by ProPublica today, they bring us to this reckoning moment, and it's not just for Microsoft, which we've been entrusting with our nation's most sensitive information, but also for this committee, this desperate need for the pursuit of accountability when our nation's homeland security has been compromised. The ranking member mentioned that the ProPublica article published earlier today described how Microsoft had dismissed employees' concerns about a vulnerability in Active Directory that was eventually leveraged by the Russians during SolarWinds. Then Microsoft denied that any vulnerabilities in its systems had contributed to the attack. So when my colleague Congressman Correa asked you earlier how quickly you address vulnerabilities, you said immediately. But ProPublica reported today that an employee alerted Microsoft to the Golden SAML vulnerability years before SolarWinds. So I guess my question to you, Mr. Smith, is what is your definition of immediately?
Brad Smith:
It's right away. And let me just say and look. Look, this is the classic, let's have an article published the morning of a hearing so we can spend the hearing talking about it, and then by a week from now, I'll actually have a chance to go back and learn about everything in it. I am generally familiar with that situation. Let's remember a couple of things. One, that SolarWinds intrusion was by the Russian government into a SolarWinds Orion product, not a Microsoft product. And that Orion product was distributed to more than 30,000 customers. Microsoft was one. And because of what the Russians had done to change the software code of the Orion product, the Russians immediately had an entry point into all of these networks. Let's also remember that when FireEye brought us in, that was the beginning. This was, I think in November of 2020 we worked with FireEye and we came up with a technology tool that in effect blasted that entry point.
Rep. Delia Ramirez (D-IL):
So Mr. Smith, I have a short time, so actually you might have a little opportunity to talk more about that here. Yes, Microsoft expanded the Secure Future Initiative and has said that security teams will have an elevated role in product development. Maybe tell me how the employee's concerns that were expressed about a vulnerability in Active Directory would've been handled differently today.
Brad Smith:
Well, I would say two things. First, I would hope that if there is an issue that needs to be addressed, it will be woven into our engineering processes. It will be escalated, it will be decided, and people will be evaluated based on how they did. Second though, I would like to go back for one second on this so-called Active Directory. What we're really talking about here is what was called SAML. It was an industry standard, and it was a security vulnerability in the entire industry standard. And what ensued was a conversation across the industry about the best way to address it. And I think this is where, like I said, a week from now, I'll bet we can pull together information and have a much more informed conversation about this, and I would welcome that opportunity. But I think what's most important for today is simply to note how we are changing our engineering processes, how we are integrating security by design, how we are changing the way employees review themselves, how we elevate these issues and reward people for finding, reporting and helping to fix problems.
Rep. Delia Ramirez (D-IL):
Good. So I have a few seconds, and so a few sentences, I'm going to shift gears for a second. How do you ensure that your bundling practices do not limit the ability of customers to prioritize security in their purchasing decisions?
Brad Smith:
I'm sorry, I couldn't hear that.
Rep. Delia Ramirez (D-IL):
Yeah, let me do that again if I can get a few seconds more. Chairman, how do you ensure that in your bundling practices that you don't limit the ability of your customers to be able to prioritize security in their purchasing decisions? So when they're purchasing, that they're able to prioritize their security when you're providing these bundling practices?
Brad Smith:
Let me just see. I'm not aware of any so-called bundling practices that limit what our customers can do in terms of cybersecurity protection. And if you look at the market for cybersecurity protection, frankly, a very robust part of it is about providing tools and services to enable customers to manage the security of their networks when they have solutions that come from so many different vendors. Microsoft accounts for about 3% of the federal IT budget. What that tells you is that there's 97% that's being spent elsewhere, and that's pretty typical when you look at it. And so a lot of what we're doing across the industry, I think especially with industry standards and the like, is to enable, I think, the kinds of customer choices that I think you quite rightly are encouraging.
Rep. Delia Ramirez (D-IL):
Well, thank you Mr. Smith. I've run out of time. If we get another round, I'll ask you the follow-up. Thank you.
Chairman Mark Green (R-TN):
That'd be best. One quick note, if you're like two seconds from your time limit, guys, that's not the time to start a new question. So I give a lot of grace. I give a lot of grace, but if you're in a process and all that, we're going to let that question continue on and we'll give you a little extra time for that. And Mrs. Ramirez, Mr. Ezell was just as bad, and he literally had two seconds left when he started that new question. So I now recognize Mr. D'Esposito for five minutes of questioning.
Rep. Anthony D'Esposito (R-NY):
Well, thank you, Mr. Chairman. Mr. Smith, the CSRB report stated that Storm-0558 had access to some of these cloud-based mailboxes for at least six weeks. Can you tell us who discovered that the system had been compromised and how they did so well?
Brad Smith:
I think Ranking Member Thompson identified this early on in the hearing that in fact, I think we got a notification from the State Department that they had seen an anomaly in their email system. So they informed us of this last June. Our initial reaction was that this was something that was a token that was being generated through a stolen key at the State Department or in the government. I remember 7:30 in the morning, I was notified about this on a Saturday morning, and I was on the phone with Satya Nadella, our CEO, probably within 30 to 60 minutes, but we thought it was confined to that. It took somewhere between a few days to a week or more for us to come to the conclusion that it was broader than that.
Rep. Anthony D'Esposito (R-NY):
Okay. And obviously, do you believe that Microsoft should have been able to realize that you were compromised before the State Department?
Brad Smith:
You always want to be the first in life in everything.
Rep. Anthony D'Esposito (R-NY):
Oh, that depends.
Brad Smith:
So I would, well, yes, that's true. That's a very good qualification. You always want to be the first in everything good in life, and so I have to on the one hand say yes. But on the other hand, I have to say, especially given the nature of networks and how they're distributed and different people see different things. Mostly I just want to celebrate the fact that people are finding different things and we're sharing them with each other.
Rep. Anthony D'Esposito (R-NY):
Okay. So putting the celebration aside, are you confident that moving forward Microsoft has the ability to quickly detect and react to an intrusion like this?
Brad Smith:
Well, I will tell you, I feel very confident that we have the strongest threat detection system that you're going to find in quite possibly any organization, private or public on the planet. Will that always mean that we will be the first to find everything? Well, no, that doesn't work that way, but I feel very good about what we have and I feel very confident about what we're building.
Rep. Anthony D'Esposito (R-NY):
And now obviously Microsoft is seeing a lot of what these cyber criminals and nation state actors are doing, the ecosphere. How do you go about sharing information that you collect or identify with law enforcement?
Brad Smith:
We have a variety of different steps. We take some of which are probably not best talked about in a public hearing that, as the chairman said, is probably being watched in Beijing and Moscow. But we collaborate with the FBI, we collaborate with local law enforcement all the time. We collaborate both with the different agencies of the US government and other governments that are allies of the United States.
Rep. Anthony D'Esposito (R-NY):
Okay. Now, I know that many of our staff use Microsoft for their email amongst many other applications. Can you give us an idea as to the size of the share of government contracts for networking, cybersecurity, and other matters in this space that Microsoft has?
Brad Smith:
I don't know the precise number for that precise definition. I know as I was mentioning that we account for about 3% of the federal IT budget. I know that the US government has many choices when it comes to cybersecurity services, and I think it takes advantage of them, and we're one of them. I don't frankly know how we compare to some of the others.
Rep. Anthony D'Esposito (R-NY):
Okay. And obviously, like you said, the government has many choices. So with that said, why should they continue to use Microsoft?
Brad Smith:
Because we are going to work harder than anybody else to earn the trust of our government and other allied governments every day. And we are making the changes that we need to make. We are learning the lessons that need to be learned. We're holding ourselves accountable. We will be transparent, and I hope that people will then look at what we've done and say, this is something that they want to do with us, but I know we have to earn their trust every day.
Rep. Anthony D'Esposito (R-NY):
Okay, Mr. Chairman, I'm following the rules with that. I yield back.
Chairman Mark Green (R-TN):
The gentleman yields. I now recognize Mr. Menendez for five minutes of questioning.
Rep. Rob Menendez (R-NJ):
Thank you, Mr. Chair. And thank you Mr. Smith for appearing here today. In 2002, Bill Gates issued a memo to Microsoft employees, which stated in part, quote, "flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customer's view of us as a company. So now when we face a choice between adding features and resolving security issues, we need to choose security." 2002. Last month, Microsoft's chairman and CEO, in a blog post to Microsoft employees, stated, "if you're faced with a trade-off between security and another priority, your answer is clear, to security." 2024. Does last month's directive indicate that Microsoft had drifted from the security-first culture set forth in Mr. Gates' 2002 memo?
Brad Smith:
I was there in 2002 when Bill Gates was the CEO of the company and had been there every year since. And this is something I think one just has to be introspective about because I've been in so many meetings every year where we've done so much to talk about where we are when it comes to security. I think that the biggest mistake we made was not the one that is being described that way. I think the biggest mistake we made–
Rep. Rob Menendez (R-NJ):
What do you mean describe that way?
Brad Smith:
Of drifting away from a security first culture? I think the biggest mistake we--
Rep. Rob Menendez (R-NJ):
I'm not asking if there was the biggest mistake. I'm just asking if you do believe that there was a style drift at Microsoft between 2002 and 2024?
Brad Smith:
No, but let me say what I think perhaps happened as we hired so many cybersecurity experts, it became possible for people who were not in the cybersecurity teams to think that they could rely on those people alone to do a job that we all needed to do together. See, in 2002, we didn't have all these large security teams. Cybersecurity didn't exist at that time the way it does today. So I think there's an almost profound lesson.
Rep. Rob Menendez (R-NJ):
I understand that the makeup of Microsoft and the different departments may have changed, but this was a statement in 2002 about choosing security first and then more or less the same statement made in 2024. That would, to me at least, indicate that perhaps there was a style on that security first. And maybe taking a backseat, potentially, it'd be helpful if you could just describe to me and to the committee, the Microsoft Security Response Center and how it sits within Microsoft's corporate structure.
Brad Smith:
The Microsoft Security Response Center, or MSRC as we call it, reports up to, as I recall, our Executive Vice President for Security, a fellow named Charlie Bell who's on our senior leadership team. And it is part of a very large and, I think, robust security organization.
Rep. Rob Menendez (R-NJ):
And who makes determinations when something's raised to the security response center as to whether they elevate it up to folks?
Brad Smith:
I would have to go get the precise answer to that precise question. I will say this. We do try to, and frankly, we need to create an environment where bad news travels fast. That's what we aspire to do. And I can definitely tell you, look, I can tell you in the case of Storm-0558 or this Midnight Blizzard, we're talking minutes to hours before it gets to me. I usually, I'm the last stop before it gets to our CEO Satya Nadella. And the time from me to him is in minutes, and it's not a large number of minutes.
Rep. Rob Menendez (R-NJ):
Great. I appreciate that. The CSRB described various approaches cloud service providers use to manage and secure identity and authentication systems, and note in particular changes they made following Operation Aurora in 2010. I'm glad that Microsoft agreed to transform how it manages and secures its identity systems. I'd like to unpack that a little. Does Microsoft plan to make significant changes to the architecture of its core digital identity systems?
Brad Smith:
I think the answer is yes.
Rep. Rob Menendez (R-NJ):
And I'll be quick with this, chairman. As part of its review, the CSRB issued numerous recommendations for cloud service providers generally and certain federal agencies. The CSRB also issued four recommendations specific to Microsoft. Microsoft updated the Secure Future Initiative subsequent to the CSRB's report. And I'd like to discuss how Microsoft plans to implement a couple of those Microsoft-specific recommendations. The CSRB recommended that Microsoft share publicly a plan with specific deadlines for security-based reforms. Does Microsoft plan to implement the CSRB's recommendation and publicly release deadlines for implementation?
Brad Smith:
The answer is yes. And in fact, one of the things that I mentioned in my written testimony is we've invited CISA to send a team out to our headquarters outside of Seattle and Redmond to go through all the details of everything that we're doing. We want to show them all of the details. And then I think one of the things we'll need to frankly assess together with CISA is how much or at what altitude we should be publishing things. Because if we publish them, the good news is that every American can read them. Bad news is everyone in Moscow can as well. And then I'll just say, we recognize the oversight role that you and this committee plays, so we're interested, happy to share more with you than of course we would share with the general public. We just need to do it in a secure way.
Rep. Rob Menendez (R-NJ):
I appreciate it. Thank you so much for appearing here today and look forward to working with you.
Chairman Mark Green (R-TN):
And we'll have some staff look at your microphone. We don't want that to happen to you again. You get another five minutes? Good try. The chair now recognizes the gentlelady from Florida, Ms. Lee, for five minutes of questions.
Rep. Laurel Lee (R-FL):
Good afternoon, Mr. Smith. Good afternoon. I'd like to follow up on one of the lines of questions from Mr. Menendez. You've testified today that in the wake of the CSRB report that Microsoft is committed to prioritizing security first over product and feature development. That is something that is easy to say and no doubt, very difficult to do with far reaching implications for your company. So I'd like to hear a little bit more about the specifics whether you are standing down on product development while you refactor code base or what other specific ways in which you're throttling or pausing feature release or product release to ensure a focus on the security first as you described?
Brad Smith:
It's a really good question, and I would answer it in two parts. First, in the short term, yes, we reallocated resources, we move people, we've told them to prioritize, and by definition that means that other things may have slowed down or stopped. So this can speed up and that's the right thing to do. I think the real challenge is how you achieve effective lasting culture change. This is true in any organization and especially when you have a company like ours, we have 225,924 employees. This has to be real and reach every one of them, and we're calling on a lot of what we've learned as a company the last decade. We've gone through a lot of culture change and I think people feel it's benefited us. Well, I think you define a North star, which is this notion of do security first. You then have to change your accountability mechanisms and that's why compensation is so important. But fundamentally what we're really gravitating towards is to treat security as the highest priority in quality.
Rep. Laurel Lee (R-FL):
So would it be correct to say then that you've reallocated people and resources in furtherance of that objective?
Brad Smith:
Yes.
Rep. Laurel Lee (R-FL):
And has it also affected your revenue projections? I would think.
Brad Smith:
I would say so far I'm not aware of it changing any of our revenue projections. Let me just put it this way. I was in Stockholm last Monday. This is a country that, as you know, has just joined NATO, and I met with about 25 customers, government customers, corporate customers. And what I found was really interesting: they asked a lot of tough questions, as you all are. Bad news for the folks who want to sell plan B: they don't want to switch. They want us to get it right and we have to get it right to deserve their business. But I think they see that we really are committed to doing that.
Rep. Laurel Lee (R-FL):
I know it's come up a couple of times today, but I'd like to return to a discussion of the recently released Recall feature. You mentioned security by default, but that endeavor is something that, if I understand correctly, presents a security exposure for users who might not have understood the nature of how it operated. So I'd like to hear more about the status of that product rollout and how it is consistent with the security-first approach and what's being done to make sure users are aware of the potential exposures or risks from using it.
Brad Smith:
Yeah, I think I would start with this: the product hasn't yet been launched, the feature hasn't yet been finished, and we've had a process to share information and take lots of feedback. We've defined, we've designed it so it's off by default so that people have to choose to turn it on and we can share information with them before they make that decision. We've designed the feature so that the information always stays on one's own PC. It doesn't go to Microsoft, it doesn't go anywhere else. We've combined it with a hardening of the security in Windows for every part of the computer and not just this feature alone. And then we've added additional features that encrypt data, that decrypt it just in time. So we're trying to take a very comprehensive approach to addressing all of the security and privacy issues as well. And we're trying to do it in a dialogue because when you create a technology, I think one of the mistakes you can make is to think that you have all the answers. You only get to the best answers when you have these kinds of collective and public conversations.
Rep. Laurel Lee (R-FL):
So in an attempt to comply with the chairman's guidance, I'll touch on my last question, which is a bit of a shift in gears, and that is I'd like to hear more about one of the things that was identified in the report as an area in need of improvement was victim notification. So I'd like for you to elaborate a little bit more on your thoughts and going forward plan on how to improve victim notification.
Brad Smith:
Let me try briefly to address this. This is a really important topic, and it's a hard one for us and everybody. When we find that someone has been a victim of an attack, it doesn't mean that the fault was ours. It's just that our threat detection system may have found it. We need to let them know, well, how do you let somebody know? If it's an enterprise, we probably have a connection. There's probably somebody there we can call. But if it's a consumer, like a consumer based email system, we don't necessarily know who the human is. We just have an email address. So we send an email. There was a member of Congress we sent an email to last year. That member of Congress did what you sort of expect. They said, well, that's not really Microsoft, is it? It's spam. And then we call somebody, believe me, we've called people and they say, oh, give me a break. You're not Microsoft. You're just one more fraud enterprise. That's the world in which we live. And so the CSRB report has a great recommendation on this. It's to create the equivalent of the Amber alert, but it will require support from Congress that CISA lead this, that the tech sector and probably the telecommunications companies and the phone makers and the phone operating system makers all come together. This would be a huge step forward.
Chairman Mark Green (R-TN):
Gentlelady yields. I now recognize Mr. Suozzi for his five minutes of testimony.
Rep. Tom Suozzi (D-NY):
Thank you, Mr. Chairman, I want to thank you and the ranking member for holding this hearing. Holding Microsoft accountable is a good idea. And I think that Mr. Smith has demonstrated he's taken his father's advice. I think he said it was your father that said nobody ever died by using humility.
Brad Smith:
I don't know if he said it, but he's definitely still alive today. He's probably watching this for gosh sakes. It is definitely something he taught me.
Rep. Tom Suozzi (D-NY):
You've definitely taken accountability here today and we appreciate that. And let me just ask, what percentage of Microsoft's business comes from governments?
Brad Smith:
If I had to guess, it's less than 10% globally.
Rep. Tom Suozzi (D-NY):
And so what percentage of it is from just the federal government itself?
Brad Smith:
Not that much. We love the federal government. It is a big customer. It's one of our biggest, and it's the one that we're most devoted to, but it's not the big source of our revenue.
Rep. Tom Suozzi (D-NY):
So you mentioned earlier that there are 300 million cyber attacks a day. Are the sources from state sponsored adversaries of ours like China, Russia, Iran, and Korea, is it from organized crime or is it from individuals who are doing this?
Brad Smith:
I would say most of it comes either from those four nation states or ransomware operators. We track over 300 organizations. And those 300 account for by far the highest percentage.
Rep. Tom Suozzi (D-NY):
Can you give a percentage for how much is from the state actors versus the ransomware people or the state actors? Sometimes ransomware activists also.
Brad Smith:
I can, I'm forgetting off the top of my head, but we can easily get that to you. Yeah, I will say in addition to being a substantial percentage, they're by far the most sophisticated and serious.
Rep. Tom Suozzi (D-NY):
So my big concern for our country is how divided we are. And our country's divided because of our members of Congress. There's 435 of us, 380 of 'em are in safe seats, so they don't have to worry about the people per se. They only have to worry about the people in primaries. So they pander to their base. So that divides us. And then social media, the people get the most attention on social media. People say the most extreme things. And then cable news, Tucker Carlson was the most followed person on Fox before he left. Rachel Maddow, they've got 4 million viewers, 3 million viewers. They're kind of playing to the extremes, but our foreign adversaries, Chinese Communist Party, Russia, Iran, and North Korea are taking disinformation and trying to divide us every day by taking messages that we're fighting about already and blowing them up bigger than ever.
We need the great corporate citizen, Microsoft and other great corporate citizens to team up with the people of the United States of America and their governments to figure out how we're going to stop this attack because they're trying to destroy us from within by dividing us using technology and disinformation and cybersecurity attacks on a regular basis to destroy us. So what can we do to team up more effectively and what are the partners, other than the United States government and Microsoft, should we try and bring into this partnership to try and save our country from this division that is being exacerbated by our foreign adversaries?
Brad Smith:
Well, there's lots of great companies in our industry that are doing great things in all areas of the industry. And the good news is, especially there's this extraordinary CISO, Chief Information Security Officer community where people work together across industry boundaries--
Rep. Tom Suozzi (D-NY):
But we need to advise the public about what's happening.
Brad Smith:
Exactly. And I think we need processes to do that. And I would say at the end of the day, look, I think the point you just made is maybe the most important point that could be made at this hearing because the greatest threat to this country in this space comes if our adversaries coordinate and unite. And we should assume that they not only can, but they will.
Rep. Tom Suozzi (D-NY):
They are.
Brad Smith:
And the greatest weakness of this country is that we're divided not just politically, but in the industry as well. And we just always have to remember that if we can find a way to summon the ability to work together, you all, if you can work together across the aisle and we in our industry can work across the industry, and then we unite together with new processes that are probably government sponsored and some of them exist, including through CISA, so we can do what you just described and among other things, help people learn and also take the steps to hold these adversaries accountable so we can start to change what they are doing.
Rep. Tom Suozzi (D-NY):
Thank you, Mr. Smith. Mr. Chairman, I would, oh, Ms. Chairman, I'd like to participate in an effort by this committee bipartisan in some way working with industry to come together as a team to figure out what we can do as a country to identify these threats, notify the public as to what's happening to them on a regular basis, and how we as a country corporate public-private partnership can unite to fight against our foreign adversaries that are trying to destroy our country. Thank you, Mr. Smith.
Chairwoman:
Gentleman yields back. Thank you, Mr. Suozzi. The gentleman from Texas is recognized for five minutes.
Rep. Morgan Luttrell (R-TX):
Thank you, Madam Chairman. Good afternoon, Mr. Smith. Let's just chat a bit, give, 10 years downstream. Tell me how Microsoft secures the network from nefarious or bad actors globally. What is the, and I won't say end game because I don't ever think there's going to be a finish line when it comes to just the artificial intelligent machine learning or the cyberspace, but what is Microsoft doing the kill chain results from this little guy right here, but maybe there's nothing we can do to stop the amount of actors that attack this every single day, but we may not be able to be able to talk about an open setting, but is there an end game? Is there a way to secure the network where bad actors cannot have these breaches?
Brad Smith:
I would say two things. First, if you look at the current course and speed, this is probably for the time being and until the geopolitical environment in the world changes a bit of a forever war in cyberspace with constant combat, and I would hope that that would change, but we can't assume that it will. So what can we collectively change? Well, first at Microsoft, I would not just hope, but fundamentally believe that say five years from now, we're going to have production systems, engineering systems, networking, identity systems that make it extraordinarily difficult. And just beyond the economic reach of our most sophisticated and well-resourced adversaries to attack and breach.
Rep. Morgan Luttrell (R-TX):
Is that moving the infrastructure completely to a cloud-based system?
Brad Smith:
I do believe it is. I do think that the cloud is part of the answer, not only for us, but for the other companies who are in the cloud services business. And I think that in addition to what we do as a company, I would hope, look, just as we learn from our competitors, and that's a good thing, that we'll share what we're learning and our competitors will adapt as well. I think the thing we're going to have to do the most to internalize is just recognize that we'll do a lot of good things. Let's say we do every single thing that the CSRB has recommended because that's what we are going to do. It won't be enough because two years from now, our adversaries will have done more. So what we need to create is a process where we collectively always learn from what is happening. We do a better job of anticipating and predicting, and I do think that AI will be one of the great game changers, and we need to ensure that AI benefits the United States and our allies and the defense of people at a faster rate than it can be used by our foes to attack them.
Rep. Morgan Luttrell (R-TX):
Inevitably, that's going to be the human variable that's removed from the cybersecurity space, and it's inevitably going to be completely AI based. Is that a fair statement?
Brad Smith:
I am very--
Rep. Morgan Luttrell (R-TX):
There's a word out there I'm looking for, but I don't have it--computation based. I'm sorry. The computer systems are the ones going to be running forward with this, which they already do.
Brad Smith:
Let me just say I am optimistic about what AI can do to strengthen cybersecurity defenses, but I think sometimes people in the world of technology actually run the risk of underestimating the power of people. What we should really bet on--
Rep. Morgan Luttrell (R-TX):
Lemme say, as a congressional member, I would never do that. I want everybody to know that.
Brad Smith:
What we should bet on and what we should pursue as a country and as an industry is the opportunity to enable people to stand on the shoulders of better technology. And if we can do that with AI, if that's the stronger foundation, we will enable our people, especially in this profession, to achieve so much more. And we know that in Moscow and other places, they'll be trying to do the same thing. We've just got to do it better and we've got to do it faster and we can never take a day off. That's the reality.
Rep. Morgan Luttrell (R-TX):
Okay, thank you, Mr. Chairman. I yield back.
Chairman Mark Green (R-TN):
Gentleman yields. I now recognize Mr. Garcia for five minutes of questioning.
Rep. Robert Garcia (D-CA):
Thank you, Mr. Chairman, I want to thank everybody. Sir, I had a chance to be here for the first half of this hearing and I rushed to the floor and rushed back. So thank you for answering all of our questions. Want to just take one step back and kind of absorb some of what I heard in the first half as well? I mean, clearly I think you understand. I appreciate you taking responsibility for the security failures and concerns that I think all of us have. I think that's important. I also want to just broadly thank you. I mean Microsoft and so many other companies have done incredible work to change the lives of Americans. Obviously as someone that really believes in the power of technology and the incredible economic driver that you are to my state in California and other places, I don't want to sweep that part under the rug as well.
So I thank you for your continued work and this is an important serious topic that we're discussing today. Every company, every government faces serious threats from hackers from foreign intelligence services. I think we all know that Russia and China and other countries are trying to steal secrets, steal technology, steal patents, and it's not just within your company, but it's in companies, of course, all across our nation. It's important that we're here on a bipartisan basis. I also want to note the report that we're reviewing today is a report from CISA, and I want to encourage us to support CISA as an organization. There have been some of my colleagues that have wanted to abolish CISA. They've wanted to reduce support for strengthening cybersecurity in our country, and I think that would be a huge mistake. And so I would encourage us to continue to work with CISA and other agencies to make our systems more secure.
I also want to just note that what I believe is that we need more federal intervention and partnerships, not less with Microsoft and other technology companies. It's important that we continue to work. Before I got here was the mayor of Long Beach, California, and for eight years, and I consistently remember the numerous attacks that we got, the cyber attacks we would receive from a city perspective and the challenges for municipalities and governments and smaller governments that are not the federal government to deal with those effectively. And so I encourage you to continue to work not just at the federal level, but there's so many small cities and towns that don't have the capacity to actually deal with some of these cyber threats that we have. I also just want to just have an initial question. You answered it partly earlier. We know that there are an extraordinary number of cyber attacks from nation state actors. We talked about those today. If you want to boil that down. What do you attribute these direct attacks to? Why are they attacking Microsoft systems?
Brad Smith:
Let me just first thank you for your comments and I do want to underscore so it's clear if there's any doubt we support CISA as well. I support CISA and there's always debates about exactly one piece or another, but it's really doing important and good work for the country. I think it's really important to look at the motivations of nation state actors as well as criminal enterprises and just understand what they're doing. And I would say over the last year, we've seen on the nation state side, broadly speaking, three kinds of motivations. One is access to information surveillance, including of other governments but not governments alone. And so of course they go to where the information is located, which does include our cloud services. The second, and I think this is extraordinarily disconcerting, is we've seen from China in particular this prepositioning of so-called web shells.
Think of it as tunnels into our water system, our electrical grid, into the air traffic control system, the kind of thing that you look at and you say, this is only useful for one thing and that's they have it in place in the event of a war or hostilities. The third thing that you see from nation states is something that is very unique to North Korea. They have a very different approach to budgeting. They let ministries employ hackers, and then the ministries work to steal money, and then the ministries get to keep the money that they get. So it's an oddity. That's the nation state side. And think about those.
Rep. Robert Garcia (D-CA):
And briefly, sir, because I want to ask one more question with my remaining time, but continue.
Brad Smith:
Okay. On ransomware, it's all about making money, unfortunately.
Rep. Robert Garcia (D-CA):
No, I appreciate that. And I just want to take a moment to also commend the State Department security operations. They've been involved with you and a lot of other organizations, they're their infrastructure which needs to be strengthened, and do a lot of this work, and so I want to uplift them as well. Lastly, I wanted to mention in the CSRB report, there was a recommendation to create some type of Amber Alert system, some kind of notification system. We're all concerned about these cybersecurity threats. Does Microsoft support this recommendation? And can you expand a little bit on that?
Brad Smith:
Yes, and I was talking about this a little bit when you had to leave. I think it could be extraordinarily helpful for our entire industry, for everybody who uses technology for consumers in particular, I hope that we will find a way to work together to make it a reality.
Rep. Robert Garcia (D-CA):
Well, thank you. I yield back.
Chairman Mark Green (R-TN):
Gentleman yields. I now recognize Mr. Strong for five minutes of questioning.
Rep. Dale Strong (R-AL):
Mr. Smith, I appreciate you being here today, and most of all, I appreciate your humbleness. We've had people sit right before this committee. Cabinet members tell us that the southern border, that they've got it under control and three years later, three and a half years later, they sit right there and tell us that more than 10 million people have illegally crossed that southern border. So you've served Microsoft well today, and I appreciate how you presented yourself. As you may know, I also serve on the House Armed Services Committee and specifically the Cyber Information Technologies and Innovation subcommittee. I'm aware of the DoD's cyber challenges and needs. The recent cyber attacks impacting Microsoft demonstrate how vulnerabilities within a single vendor can be exploited to gain access to sensitive information and systems potentially compromising national security. Can you please explain from your perspective the risk posed by the DoD's reliance on a single source vendor?
Brad Smith:
Well, I guess the first thing I would say is I don't see the DoD moving to rely on anybody as a single source in the technology space. There's a lot of competition that's alive and well at the DoD, and I think that's a good thing. And then the other thing I would say is just as there is risk in relying on one vendor, there's risks in relying on multiple vendors, I would still rely on multiple. So I don't want anybody to be thinking I'm saying something I'm not. But when you have what we call a heterogeneous environment, meaning technology from lots of different suppliers, you create a lot of different seams. So then you need to have technology and people who can knit it all together. And then the thing we should remember is that a lot of what, say the SVR, the Russian Foreign Intelligence Agency does, or the GRU, they're military, they look for the seams because those are the places that are easiest for them to get in. So fundamentally, whether you have one vendor or several, the challenge is similar. We all need to work together and just keep making progress.
Rep. Dale Strong (R-AL):
Thank you. Would you agree that the vendor responsible for developing and running hardware and software programs for the DoD should not be the same vendor responsible for testing security, conducting security audits, or reporting on security?
Brad Smith:
I'd like to think a little bit about the precise formulation of your question. It's a very good one. Mostly what I would say is I think it's well thought out to focus on testing of solutions and how you have, it's almost a first principle in governance, I would say as somebody who's responsible for a lot of the governance at Microsoft, you want checks and balances. If one group is performing, you want a separate group to be auditing and assessing. And I think that's true in a company. It's maybe even more necessary in the government.
Rep. Dale Strong (R-AL):
I agree. My friend from New York briefly touched on this specifically. What are the security implications of China and other potential threat actors having access into your network for so long? What is the threat of that? Thank goodness it was discovered, but what is the threat you see for them being in your system for so long without being noticed?
Brad Smith:
Yeah, I would just like to qualify a little bit of the premise because I noticed in some of the questions that were floating around this week that people suggested that because the Chinese had acquired this key in 2021 and we didn't find it until 2023, that they must have had access for two years. I think that in fact, they kept it in storage until they were ready to use it. Knowing that once they did, it would likely be discovered quickly.
Rep. Dale Strong (R-AL):
Thank you. And that leads to my next question. Are the Chinese still able to access Microsoft's corporate network today?
Brad Smith:
No, not with anything they did before. And we'll do everything we can to ensure that they don't get in any other way.
Rep. Dale Strong (R-AL):
Thank you. And again, I thank you for the way that you've represented yourself and your company today. Mr. Chairman, I yield back.
Chairman Mark Green (R-TN):
Gentleman yields. I now recognize Mr. Crane for five minutes of questioning.
Rep. Eli Crane (R-AZ):
Thank you, Mr. Chairman. Mr. Smith, thank you for preparing and coming before the Homeland Security Committee today. Mr. Smith, you're the president of Microsoft, is that correct?
Rep. Eli Crane (R-AZ):
You're here today to discuss some leaks and vulnerabilities that Microsoft has had in the past and what you guys are going to do to fix 'em in the future. Is that correct?
Brad Smith:
Yes, that's right.
Rep. Eli Crane (R-AZ):
Mr. Smith, you said earlier in the hearing that some of your competitors are in this very hearing room, is that correct?
Brad Smith:
So I've been told they could be. They could raise their hands if you asked them. It's probably not the best use of time.
Rep. Eli Crane (R-AZ):
Okay. So would it be fair to say, Mr. Smith, that you understand the importance of being strong and formidable today with some of your opponents or competitors in the room?
Brad Smith:
I'm sorry, I didn't hear.
Rep. Eli Crane (R-AZ):
Do you understand the importance of appearing strong and formidable today because some of your opponents and competitors are in the room?
Brad Smith:
I think the reason is that, I don't know if I would use the word strong or formidable. I think the reason we need to be responsible and resolute is because of our adversaries abroad, not so much the competition--
Rep. Eli Crane (R-AZ):
How about this, Mr. Smith, have you ever heard the saying that weakness is provocative?
Brad Smith:
I've heard similar things. I dunno if I've heard that one in particular, but I understand it.
Rep. Eli Crane (R-AZ):
Well, you're running one of the most powerful corporations in the world, so I'm sure that that's something that's not completely alien to you, right?
Brad Smith:
Yeah. Let me put it this way, size brings power, but mostly what it brings is responsibility. I would much rather focus on the need to be responsible than
Rep. Eli Crane (R-AZ):
Okay, fair enough. Mr. Smith, would you say that attacks against the United States in the cyber field have increased in the last couple of years?
Brad Smith:
Absolutely.
Rep. Eli Crane (R-AZ):
Didn't you say in your testimony earlier, sir, that it felt like it was open season?
Brad Smith:
Yeah. Or yes, I did say that and I think that's right. And it is an open season on US targets by certain foreign adversaries.
Rep. Eli Crane (R-AZ):
How many attacks are you guys seeing a day, Mr. Smith?
Brad Smith:
I had the precise number in my written testimony. What I've been saying here is reflected that there are more than 300 million per day.
Rep. Eli Crane (R-AZ):
300 million per day?
Brad Smith:
Yes.
Rep. Eli Crane (R-AZ):
Wow. Mr. Smith, you're aware you're in the Homeland Security Committee, is that correct?
Brad Smith:
Yes, absolutely.
Rep. Eli Crane (R-AZ):
So you understand that the scope of the Homeland Security Committee is much larger than just cyber attacks, is that correct?
Brad Smith:
Absolutely.
Rep. Eli Crane (R-AZ):
Good. Are you aware, Mr. Smith, that there was reporting just this last week that eight individuals with ties to ISIS were arrested this week in multiple US cities? Did you hear that story?
Brad Smith:
Actually, I was. Not until you just told me.
Rep. Eli Crane (R-AZ):
Well, that happened this week. How about this one, Mr. Smith, are you aware of the reporting that Russian ships were 30 miles off the coast of Florida just this week as well?
Brad Smith:
I did hear that or read about it.
Rep. Eli Crane (R-AZ):
One of my colleagues asked you, sir. He said, what can we do to help you? And nobody really wants to say it in this room, but I'm just going to say it. One of the things that we can do to help you is actually get stronger leadership that's respected around the world. That's actually one of the big problems here, and I think everybody in this room actually knows that. And so that is one of the things that I think that we're going to be doing. But the other thing I wanted to point out, Mr. Smith, this isn't an isolated incident, right? All these increased cyber attacks that we're seeing, right? We're seeing attacks across the board and everybody in this room knows it. We're seeing it at the border. We're seeing Russian ships off the coast of Florida. Just this week, eight individuals with affiliation to ISIS were captured in multiple US cities. And that's why I started my questioning, sir, with weakness is provocative and if you knew what that meant and what it meant to you.
Brad Smith:
Yeah, I understand. Let me just be clear. I have expertise in one field, not in every field, but I understand what it means in my field.
Rep. Eli Crane (R-AZ):
I know you do, sir. And we've said this for a long time in this country, peace through strength, there is something to that. And when the United States senses that we're weak, we're feckless and we have weak and feckless leadership, these are the types of things that we see. And so I'm hoping that not only this body but the American people can work together to get better leadership for this country because I know it's going to impact your business. And I want to say one more time, I appreciate you actually coming here today, taking ownership and responsibility because as some of my colleagues have said, it's not something that we see every day. So thank you, sir. Appreciate it.
Brad Smith:
Well, thank you. And then let me just conclude, because I think this gets us through the entire committee. I would just underscore what I've tried to say throughout. We do understand the importance of what you all do on this committee, what the CSRB and what CISA do, the importance of this report. And we are committed to addressing every part of it.
Chairman Mark Green (R-TN):
I now recognize the ranking member for his five minute closing statement.
Ranking Member Bennie Thompson (D-MS):
Thank you very much, Mr. Chairman. Mr. Smith, you've done a creditable job in representing your company. You do understand that there are some challenges with running a company like that, and it's only one thing can create a real problem. And I think you've addressed it thus far. So let me thank you for that testimony and committing to participating in the committee's ongoing oversight. Microsoft has an enormous footprint in both government and critical infrastructure networks. It is our shared interest that the security issues raised by the CSRB are addressed quickly. And you've said that the main things you've already done, we appreciate it. This hearing was important to understand last summer's cyber incident and Microsoft's approach to security. In my view, it's just the beginning of an ongoing oversight to ensure that the technology products used by the federal government are secure and that federal vendors take the security obligation seriously. We've had that discussion in my office and I'm sure you've talked with other members about that. So in that spirit, I got a couple final questions. I told you there's no gotcha kind of thing. If you can say yes or no, that's good. But if you need a little time, I understand that too. Will Microsoft commit to being transparent with its customers, particularly the government, about vulnerabilities and its products including cloud products?
Brad Smith:
The answer is yes. And the only qualification I would offer is we need to do it in a way where we share information with the right people in the right governments and do it in a way that it doesn't make that same sensitive information available to our adversaries. Sure. And I'm sure we can do that.
Ranking Member Bennie Thompson (D-MS):
If it's a classified setting, as the chairman said, we're fine with it. Yeah. Okay. Thank you. Will Microsoft commit to being transparent with its customers about its investigation into cyber incidents, including related to root cause, the scope of impact, and any political ongoing associated threat?
Brad Smith:
Yes. And obviously the same qualification as before. And then I would just add, and we are working to do that. A lot of what we're doing by adding to our chief information security officer infrastructure governance structure is an ability and really a desire to get out and share more information with customers the way you described.
Ranking Member Bennie Thompson (D-MS):
Thank you. So will Microsoft commit to establishing benchmarks and timeframes for implementation of the CSRB recommendations and the Secure Future Initiative and commit to proactively keeping this committee informed of its progress?
Brad Smith:
Yes.
Ranking Member Bennie Thompson (D-MS):
Will Microsoft commit to performing an ongoing and transparent evaluation of risk associated with business ventures in adversarial nations?
Brad Smith:
Yes. I think we need to.
Ranking Member Bennie Thompson (D-MS):
Well, I look forward to the committee's ongoing oversight and continued engagement with Microsoft. And one of the things that we are tasked with is looking at keeping America safe, both from foreign and domestic adversaries. And obviously cyber is, in everybody's opinion, a major threat. But you have to talk to us. I yield back.
Brad Smith:
Believe me, I will. You have just defined not just the mission but the cause. Thank you. That I think unites all of us.
Ranking Member Bennie Thompson (D-MS):
Thank you. I yield back, Mr. Chair.
Chairman Mark Green (R-TN):
Gentleman yields. Thank you Mr. Smith for coming today and I'll talk a little bit more about that. I also want to thank our members for what I think was very collaborative and cooperative. Good tone, set of questions. We had some important things to do here, ask questions of accountability and to determine the responsiveness of the company to the report. But we also had to protect because the bad guys were watching. And so we had to be careful. I want to thank you too for the time you've spent in our office just going over some of this stuff as well. I know you made yourself available both to the ranking member and myself and really appreciate that he actually asked most of my questions about transparency and things like that. So I just will say this, and sometimes government in this public private partnership that we talked about a couple of times, several members brought it up.
Sometimes government can get in the way too. And I want to ask that you educate us as much as possible. I'll give you an example. The SEC ruling on a four day report for a breach and those kinds of things. I'm under some of the big cybersecurity companies. I mean, the biggest in the nation have told me it's seven or eight days to fix a breach. If we're announcing to the world that in four days we got a hole in the wall and it takes seven days to close the hole, we're inviting. This is government forcing companies across the country to invite the enemy to come in. So that's a stupid regulation. And so we need help on understanding where the government also creates problems. So I'd appreciate anything that comes to mind, pick up the phone and call us. Okay. And one of the initiatives here, we talked about the cyber workforce.
One of the other initiatives is the synchronization of the regulations that are out there and to make sure that we're not duplicitous and that we're not contradictory. And as I understand it, there are some regulations that are, so again, we'd ask your company to help us and the competitors who are in the room to understand where government gets in the way of actual cybersecurity. Because if we're causing you to have duplicitous effort, that's money that could be spent on real cybersecurity. So in this partnership, we need communication not just on the issues that are brought up here with this breach that was identified, but how we can make things better and work better on how we regulate and create compliance requirements, things like that. Thank you again for your time. I thank the witness for his valuable testimony and the members for the questions. The members of the committee may have some additional questions. And by the way, I did already get one that will probably require a classified mechanism and we can discuss with you and the staff on how we best do that. And we would ask that the witness respond to these questions in writing pursuant to committee rule 7D. The hearing record will be held open for 10 days and without objection, the committee stands in adjournment. Thank you, Mr. Chairman. Thank you.