Microsoft’s New Security Chief Says It Is Time to Take Shelter in the Cloud
As security challenges grow, Charlie Bell is building tools that can be used on rivals’ cloud networks
Feb. 23, 2022 9:00 am ET
Microsoft has built a $15 billion business—and one of the world’s biggest private cyber armies—to counter cyberattacks, but the storm of threats is expanding. U.S. banks flagged nearly $600 million in ransomware payments during the first six months of 2021, and cybersecurity experts put the cost of that much higher. Corporate and public networks are also under siege from scammers looking to steal their money and government-backed hackers looking to steal their secrets.
“It’s sort of like the mother of all problems,” said Mr. Bell in his first interview since joining Microsoft from Amazon.com Inc. last year. “If you don’t solve it, all the other technology stuff just doesn’t happen.”
Microsoft finds itself uniquely positioned in the center of all of this activity, Mr. Bell said. Its email and office-productivity products are dominant on corporate and government networks, and it is the country’s No. 2 provider of cloud-computing services.
Mr. Bell, who at Amazon helped build the world’s largest cloud business, said Microsoft is taking center stage in combating cybercrime. Some of its customers have said the company has more to do.
Microsoft has been hit by a series of high-profile cyber intrusions in recent years. In December 2020, the company said it had been compromised by the hackers behind the cyberattack on SolarWinds Corp.—a group that U.S. officials have linked to the Russian government. Months later, Microsoft’s widely used email product, Exchange, was targeted by a cyberattack that was eventually linked to the Chinese government.
Mr. Bell’s success or failure at securing Microsoft’s customers from a growing array of bad actors is set to determine the growth of the company’s cyber business, analysts said, and help set the terms for how the tech industry can protect itself and continue to fuel global innovation.
Since Mr. Bell took over four months ago, he has tried to centralize all of Microsoft’s security efforts, previously siloed, under one organization. Now 10,000 people report to him, and he has a budget to spend billions of dollars to build security products.
On Wednesday, Microsoft said it would be offering a simpler way to use its security products on Google’s cloud, a major competitor to its own Azure cloud. Microsoft had previously created a version of its security product compatible with Amazon’s cloud, so now its popular security software will be available at the three companies that account for more than 65% of all cloud infrastructure services.
Bringing Microsoft’s security solutions to the clouds of different companies is crucial to solving cybersecurity issues, Mr. Bell said, because companies today are often dependent on too many small security products that defend only parts of their data.
Customers “get kind of a Frankenstein solution,” Mr. Bell said. “The problem is everywhere you glue things together, there are seams and those seams become places that people attack.”
Microsoft’s cybersecurity business has been consolidating its lead in the highly fragmented industry. Last month, the company said its cybersecurity business surpassed $15 billion in sales for the previous year, up 45% from a year earlier.
“Their security surface is massive,” said Corey Quinn, chief cloud economist at the Duckbill Group LLC, a cloud computing consulting service. “This stuff is hard. You only have to be wrong once, and everyone thinks you’re a fool.”
In addition to the SolarWinds and Exchange cyberattacks, the company in August had to repair a flaw in the Azure cloud—strategically Microsoft’s most-critical business—after a cybersecurity company found a bug that left customer data exposed. The Azure bug, which was discovered by the cybersecurity company Wiz Inc., rattled some Microsoft customers because it showed how hackers could steal data from thousands of customers by targeting one part of Microsoft’s cloud.
The growing prevalence of cybersecurity problems has hit close to home for Mr. Bell. Last month, his mother called him in desperate need of tech support. She had clicked on some offer and a stranger claiming to be fixing her computer had taken over her screen. “I said, ‘Mom, pull the plug.’”
The threats have created an opportunity for Microsoft. But the company finds itself in the awkward position of being the major target of cyberattacks while also increasingly profiting from the tools it sells customers to deal with these problems, said analysts.
“The old joke is, why pay for a filter from someone selling dirty water?” said Jefferies analyst Brent Thill.
Mr. Bell came to Microsoft after 23 years at Amazon, where he helped to build Amazon’s cloud as it basically invented the cloud-services business starting in 2006. Mr. Bell has been credited by former colleagues for his ability to create scale and tackle complicated engineering problems.
Mr. Bell was at one time considered a contender to succeed Amazon Web Services chief Andy Jassy, who took over as chief executive from Jeff Bezos. Mr. Bell departed a few months after former AWS executive Adam Selipsky returned to the company from business software vendor Salesforce.com Inc. to take the job. Following weeks of negotiations between Microsoft and Amazon, Mr. Bell was able to start his new role in October.
Mr. Bell said he began talking to Microsoft because he had been thinking about the next big engineering challenge to tackle, and security became something he couldn’t get out of his head.
He consulted his wife, Nadia Shouraboura, a former Amazon vice president, and she suggested he chat with Microsoft CEO Satya Nadella, whom she knew from her days when they were trying to recruit each other. His wife introduced the two. During the meeting, Mr. Nadella brought up the security issue before Mr. Bell raised it himself, he said.
In August, the same month it was announced Mr. Bell would be joining Microsoft, the company pledged at a summit on national cybersecurity hosted by President Biden to invest $20 billion over the next five years to advance its security.
Microsoft is the best place to build better walls to block cybercriminals, Mr. Bell said, as no other company has the capital, vision or talent pool to face down the threat. He calls how companies defend themselves today “digital medievalism,” where each can only rely on the strength of their own castles and bad actors can disappear to their own citadels after attacks.
“We all want digital civilization,” where companies help defend each other, he said in a LinkedIn post after accepting the job.