When the Pentagon recently awarded Microsoft a $10 billion contract to transform and host the US military’s cloud computing systems, the mountain of money came with an implicit challenge: Can Microsoft keep the Pentagon’s systems secure against some of the most well-resourced, persistent, and sophisticated hackers on earth?
“They’re under assault every hour of the day,” says James Lewis, vice president at the Center for Strategic and International Studies.
Microsoft’s latest win over cloud rival Amazon for the ultra-lucrative military contract means that an intelligence-gathering apparatus among the most important in the world is based in the woods outside Seattle. These kinds of national security responsibilities once sat almost exclusively in Washington, DC. Now in this corner of Washington state, dozens of engineers and intelligence analysts are dedicated to watching and stopping the government-sponsored hackers proliferating around the world.
Members of the so-called MSTIC (Microsoft Threat Intelligence Center) team are threat-focused: one group is responsible for Russian hackers code-named Strontium, another watches North Korean hackers code-named Zinc, and yet another tracks Iranian hackers code-named Holmium. MSTIC tracks over 70 code-named government-sponsored threat groups and many more that are unnamed.
The rain started just before I arrived on a typical fall day in Redmond, Washington. It kept coming down for my entire visit. Microsoft headquarters is as vast and labyrinthine as any government installation, with hundreds of buildings and thousands of employees. I’d come to meet the Microsoft team that tracks the world’s most dangerous hackers.
Offense and defense
John Lambert has been at Microsoft since 2000, when a new cybersecurity reality was first setting in both in Washington, DC, and at Microsoft’s Washington state headquarters.
Microsoft, then a singularly powerful company that monopolized PC software, had only relatively recently realized the importance of the internet. With Windows XP having conquered the world while remaining shockingly insecure, the team witnessed a series of enormous and embarrassing security failures, including self-replicating worms like Code Red and Nimda. The failures affected many of Microsoft’s huge numbers of government and private sector customers, endangering its core business. Not until 2002, when Bill Gates sent out his famous memo urging an emphasis on “trustworthy computing,” did Redmond finally begin to grapple with the importance of cybersecurity.
This is when Lambert became fascinated with the offensive side of cyber.
“There’s a perfection required in the bounds of attack and defense,” Lambert told me. “To defend well, you have to be able to attack. You have to have the offensive mind-set too; you can’t just think about defense if you don’t know how to be creative about offense.”
After seeing the number of government-sponsored hacking campaigns increase, Lambert used this offensive mind-set to help drive fundamental changes in the way Microsoft approached the problem. The goal was to move from an unknowable “shadow world”—where defense teams watch, frustrated, as sophisticated hackers penetrate networks with potent “zero-day vulnerabilities”—into a domain where Microsoft can see almost anything.
“What are the superpowers of Microsoft?” Lambert remembers asking.
The answer is that its Windows operating system and other software are almost everywhere, giving Microsoft the tools to sense what happens on colossal swaths of the internet. That raises real and ongoing privacy questions we still haven’t fully grappled with. For security, however, it’s an enormous advantage.
Microsoft’s products already had Windows Error Report systems built in to try to understand general bugs and malfunctions by means of telemetry, or collecting data from any of the company’s hardware or software in use. But it was Lambert and the security teams who turned the telemetry systems into powerful security tools, transforming what was once a slow and arduous task. Previously, security teams often had to physically go around the world, find specific targeted machines, copy their hard drives, and dive into the incidents slowly. Now those machines simply reach out to Microsoft. Virtually every crash and unexpected behavior is reported to the company, which sorts through the mass of data and, often, finds malware before anyone else.
The malware known as Bad Rabbit, which in 2017 pretended to be an Adobe Flash update and then wiped a victim’s hard drive, crystallizes how Microsoft changed weakness to strength. Within 14 minutes of the ransomware’s introduction, machine-learning algorithms pieced through the data and quickly began to understand the threat. Windows Defender began blocking it automatically, well before any human knew what was happening.