Microsoft’s cybersecurity dilemma: An open letter to Satya Nadella

Microsoft is suffering cybersecurity failures due to systemic problems with strategic leadership.

The world is witnessing an alarming trend of cybersecurity issues with Microsoft products and services. Over the past several years, Microsoft has suffered several serious attacks with cloud and email environments being compromised. In some cases, customers were kept in the dark, giving attackers additional time to exploit victims and entrench themselves deeper to the detriment of those affected.

Microsoft ignored foundational aspects of service and trust by withholding (or considering upselling) basic security tools and insights from customers. An investigation by the US Homeland Security Cyber Safety Review Board (CSRB) into the 2023 breach of Microsoft’s cloud environment concluded that the cascade of errors were avoidable and “Microsoft’s security culture was inadequate and requires an overhaul.”

In June 2024, Microsoft announced a new product feature named Recall. The cybersecurity industry was immediately vocal with concerns: the feature was clearly devoid of common-sense security, disregarded privacy considerations, and was designed to be pushed on users by default. It would (security pros said) be more beneficial to cyber attackers than to consumers.

Microsoft has been persistently deaf to warnings and advice from cybersecurity veterans. In all cases, the “can we do it?” product revenue goals prevailed over the “should we?” perspectives. This stratagem has resulted in long-term cascading cybersecurity impacts.

Half measures

Microsoft spends huge amounts of money on security engineering, which focuses on hardening code against technical vulnerabilities. But it has become obvious that very little is invested in understanding whether something should be created, made available, can be sustainably secured, or how it could be misused.

Their latest Secure Future Initiative (SFI) again focuses on technical vulnerabilities, doubling down on what they do already, yet there is no indication of expanding it beyond the focus of internal code or to get a better understanding of how the adversaries will maneuver to make customers suffer.

Given its dominance and broad product adoption, Microsoft is a highly desirable target. It is an embarrassment for such an innovator and technology powerhouse to eschew such critical cybersecurity considerations.

Microsoft’s response in all instances, including the testimony before the US Congress, has been equally unimpressive. Whenever experts raise clear concerns and issues, Microsoft’s dismissive response showcases an inability to understand the very nature of the problems being described. Only when discussions go viral has Microsoft responded, but often with generic acceptance of some recommendations without the benefit of articulating the meaningfulness of its shortcomings. This continues to leave experts and tech-savvy customers frustrated.

For example, Microsoft’s board of directors recently approved two steps: they pledged that senior executives’ annual bonuses will be tied in-part to cybersecurity, and they promised to institute a biannual review for every employee at Microsoft, which will include a greater emphasis on workers’ efforts to meet security metrics and goals. They are oblivious to the fact that flawed processes and insufficient organizational structures are the problem.

This path of increasing relevance is not a clear solution, as it does not address the core problem. Investing more in flawed plans and processes that don’t incorporate necessary insights does not produce a significantly better outcome. Such public remediation does not address anything meaningful and appears to be a marketing tactic.

Just weeks after Brad Smith, the Vice Chairman and President of Microsoft, spoke before Congress and offered assurances, came another embarrassment: Microsoft allowed some of its security certificates to expire for its Office products, and its customers received security alerts from anti-malware agents that blocked the activities for the expired certificates.

Renewing certificates is a basic function for sustaining the cybersecurity of released products, yet somehow Microsoft failed to do such a simple thing (that only needs to be done every few years). To make matters worse, this was not the first time such a thing occurred; Microsoft’s repeated apathy for such a basic and simple process is telling.

These problems are systemic and will therefore persist. They will continue to surprise Microsoft’s top executives and board members in seemingly unrelated ways across projects, products, and services in the future. To date, management has not been able to discover the root cause, and without addressing the core issues, the problems will endure.

The root cause

It may be hard to believe, but the heart of the issue is NOT technical. Rather, it is a lack of strategic understanding of how products, even well-built ones, will be misused or play a role in complex maneuvers that introduce unacceptable risks post-release.
As unflattering as it may sound, the root cause is a lack of leadership that possesses the necessary strategic insights into the very nature and scope of cybersecurity.

Microsoft’s primary security focus – ensuring code does not have exploitable vulnerabilities – is a part of cybersecurity, but other considerations are also important: How can a perfectly functioning tool be employed by those with malicious intentions? What commitment is needed to securely sustain products over time? How can a customer quickly realize security has been compromised? What risks does a tool introduce? Who should be authorized to use it? How can victims effectively respond when impacted?

The recent events and business decisions point to Microsoft being oblivious to such dimensions. No amount of money, marketing, training, or corrective action plans will fix this systemic problem unless the right qualified leadership is (1) empowered to broaden the accountability of the culture and (2) transform the current operational mindset to include the long-term accountability of design and business decisions.

There is more to automotive safety than just building cars with strong door locks. The same holds true for computing environments, operating systems, and software.

Microsoft’s focus on hardened code, devoid of exploitable vulnerabilities, is overshadowing the complex risks and interrelated ramifications when the product is released to the world.

Leadership resolutions

The dilemma is solvable, but not by applying more technical engineering. In fact, that is likely the largest contributor to the current situation. Technical cybersecurity architects, engineers, and developers play a key role in making sure a product is coded securely, but they are not inherently adept at understanding how such solutions will create problems across the ecosystem when misused, compromised, or manipulated.

These issues will continue to emerge across many platforms, features, and products unless the fundamental problems are resolved. The root issue does not lie with the technological savvy of its workers, but rather the broader oversight that relies on leaders who have requisite experience in dealing with strategic issues of an adversarial environment.

The key change requires Microsoft to establish, properly staff, and empower the leadership responsible for the strategic cybersecurity oversight of Microsoft products and services.

This team will focus on evaluating the downstream ramifications and industry impacts for features and products to foster long-lasting trust with customers. They will also collaborate to maximize the value that cybersecurity investments can deliver to the bottom line of products and services for the overall benefit of shareholders and partners.

Key deliverables

1. A strategic cybersecurity leadership team must be established to work closely with every product and service division to help them avoid cybersecurity pitfalls and innovate, to increase the overall competitive advantage value of security, privacy, safety, and trust in those products.

2. The team itself must be built and led by a highly experienced cybersecurity leader who understands the cybersecurity landscape. The leader must be savvy in how cybersecurity is not limited to providing protection and compliance but can also be a competitive advantage and valuable contributor to the overall business goals.

This person needs actual cybersecurity operations, industry collaboration, strategic experience, and a strong reputation for this kind of work. Transplanting a great leader from another discipline is not a path to success. There are specific skills that are necessary to overcome the nuances of cybersecurity. Inserting a business, technology, legal, or other management expert as the executive in charge, is a failure waiting to happen. They may be very capable in their respective or adjacent domains, but those will not sufficiently transfer to achieve the desired cybersecurity objectives. It is a tough lesson that many organizations have learned, but Microsoft still must learn.

3. Institute an oversight review and approval process, from product inception to end-of-life, where the strategic cybersecurity leadership team oversees alignment with established cybersecurity principles and goals.

4. Establish a formal process that includes external industry experts and advisors for additional review, insights, and recommendations in early design and architecture phases, version releases, and during events where cybersecurity may impact overall trust by customers.

5. Position the new team to spearhead or contribute with authority in discussions with media, regulators, governments, and partners when articulating the overall security strategy, risk/benefit discussions, and holistic approach for cybersecurity to enhance the trust of customers.

Success is within reach and the world expects Microsoft to lead, given its unique position in the marketplace.

Mr. Nadella, as Microsoft’s visionary leader, the decision is yours, as is the burden for continued failures. I urge you to bring in the right leadership to resolve these issues and build a better and more competitive cybersecurity culture, capability, and supporting processes, for the benefit of the shareholders and the global digital ecosystem.