Why Are You Whitewashing the Microsoft China Cybersecurity Crisis?
Dear Satya:
While Microsoft’s fiscal-Q3 results were terrific in every respect, you did your customers, partners, and investors a grave disservice by avoiding any mention on your April 25 earnings call of last year’s major Microsoft cybersecurity disaster in China that triggered a damning report about your company’s cybersecurity capability, commitment, and culture.
While it’s easy to see why you wanted to say as little as possible — in fact, not a single word — about that horrendous breach, your customers, partners, and investors deserve better from any tech company, let alone the world’s largest and most-influential cloud vendor.
Is it even possible that someone of your intelligence and market awareness felt it was an irrelevant subject? And I hope your team did not try to persuade you that the China cybersecurity crisis was an isolated incident and/or that no one really cares about it and that it was not an appropriate topic for an earnings call. Because the recent article I wrote about your cybersecurity disaster — “Microsoft Cybersecurity Disaster Triggers Customer Doubt, Competitor Opportunity” — and the recent related video I posted — “Can Satya Nadella Fix Microsoft’s Cybersecurity Disaster?” —generated enormous volumes of readership and viewership, among the highest I’ve seen in the past couple of years.
Now, I realize you did indeed mention cybersecurity on the Q3 call, but only in the same context as you always do: as part of the product-by-product run-through spanning a dozen or so categories.
But I thought it was particularly disingenuous of you to open up that perfunctory overview of your security business with this sentence: “Security underpins every layer of our tech stack, and it’s our number one priority.”
“Our number one priority”?
Really?
Geez, for such a burning-hot priority, you didn’t exactly hammer on it during your opening remarks on the earnings call: in your 1,973-word opener, you devoted only 146 words to the section on security, your “number one priority.”
By contrast, you devoted 143 words to your Gaming business. So in a very public forum showcasing Microsoft’s results, strategy, and agenda, you gave as much time to your “number one priority” as you did to Gaming. Is that a good reflection on your priorities? Or on how you choose to present them to the public?
But hope springs eternal, right? And now that you’ve whitewashed the China cybersecurity disaster on the earnings call, I’m still holding out hope that you’ll do the right thing and address it publicly for the benefit of your customers, partners, and shareholders.
What form might that take?
Well, Satya, because you’ve had a phenomenal 10-year run as CEO of one of the world’s biggest and most-powerful and most-influential companies, I’d like to recommend that you listen very closely to some of the wisdom that you and CFO Amy Hood always talk about: being incredibly focused on “signals” from the market, and then responding and reacting to those “signals.”
Ask AI Ecosystem Copilot about this analysis
To get started with some very unambiguous and pungent “signals,” let me give you a few examples — and you can find all of these and many, many more in my article and video referenced above about the China cybersecurity nightmare. And please let me remind you that these “signals” didn’t come from one of your competitors — these comments are from a devastating report written by the special team within the United States Department of Homeland Security called the Cyber Safety Review Board, which bills itself as “America’s Cyber Defense Agency”:
- “In fact, when combined with another flaw in Microsoft’s authentication system, the key permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world [boldface emphasis added]. As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key.”
- “Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management” [boldface emphasis added].
- “When a hacking group associated with the government of the People’s Republic of China, known as Storm-0558, compromised Microsoft’s cloud environment last year, it struck the espionage equivalent of gold. The threat actors accessed the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China. As is its mandate, the Cyber Safety Review Board (CSRB, or the Board) conducted deep fact-finding around this incident. The Board concludes that this intrusion should never have happened” [boldface emphasis added].
- “To drive the rapid cultural change that is needed within Microsoft, the Board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products [boldface emphasis added].”
- “The Board recommends that Microsoft’s CEO hold senior officers accountable for delivery against this plan. In the meantime, Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources. In all instances, security risks should be fully and appropriately assessed and addressed before new features are deployed [boldface emphasis added].”
Those are some pretty darned powerful “signals” being beamed your way, Satya — wouldn’t you agree? And in light of those findings and recommendations, it seems to me that you have some decisions to make. Here are some options for you to consider:
1) Keep whitewashing. This is the worst of all possible decisions, and I sure hope it’s not the one you pick — but at least pay attention to and address the widespread and glaring flaws that the CSRB has surfaced about your inadequate cybersecurity capabilities and commitment.
2) Address the disaster openly to win back trust. Schedule a Cybersecurity Day and discuss the China disaster, describe what you’re doing to fix it, and do your best to convince business leaders that they can still trust your company’s cybersecurity *in spite of* that disaster.
3) Tell the CSRB to pound sand. Not much difference between this alternative and #1 above, but at least you could say you were candid about your feelings regarding the CSRB’s devastating report.
4) Ignore the CSRB, and keep telling yourself “security is our top priority.” If you pick this one, people will look back at 2024 and say, “This was the beginning of the end of Microsoft’s cloud dominance.”
Wishing your customers the best and hoping you’ll do better in the near future than you did on the April 25 earnings call,
Bob