Microsoft president says defending democracy is a big cybersecurity challenge
‘What we’re seeing is technology tools that some people . . . are turning into weapons’
Microsoft’s Brad Smith: “It’s impossible to uphold the integrity or public confidence in a democracy if people don’t have confidence in the counts of the votes.” Photograph: Reuters
For 25 years Bradford L Smith has been a Microsoft man. As a young lawyer with a particular interest in technology and software, he joined the company in 1993 to head up Microsoft’s European legal and corporate affairs team.
Three years later he was appointed deputy general counsel of what was by now one of America’s most powerful companies, and in 2002 became general counsel just as Microsoft was emerging from a bruising anti-trust suit brought against it by the US justice department.
When applying for the role, he prepared a PowerPoint presentation consisting of a single slide, stating: “It’s time to make peace.”
The Wisconsin native has been the company’s conciliator ever since, resolving various lawsuits, settling regulatory actions, cleaning up messy problems, some of them caused or exacerbated – as he has acknowledged himself in interviews – by the company’s own arrogance.
'We thought that cybersecurity and digital peace were worthy of an important project'
Yet Microsoft’s outwardly abrasive corporate culture has begun to change, particularly after the original leadership duo of Bill Gates and Steve Ballmer gave way to current CEO Satya Nadella. In 2015, Nadella appointed Smith – whom everyone simply calls Brad – president of Microsoft, a position once held by the klaxon-voiced confrontational Ballmer.
Smith is the unBallmer. Professionally he’s clearly as tough a lawyer as they come or he wouldn’t have spent years in Microsoft’s top legal job.
But Smith is also a thoughtful, calm presence without airs or bombast.
He has dedicated years to pushing for greater diversity within the company and has championed accessibility. Under his presidency such issues are not relegated to some half-hidden sub-department, but guaranteed high corporate visibility.
Smith has also prioritised data privacy and protection, filing four lawsuits against the US government, the most high profile being a case fighting the US government’s attempts to directly obtain an email in Microsoft’s Dublin data centre. The case went to the US supreme court.
He was a regular visitor to Ireland before that, though. He came here for his honeymoon in the early 1980s, and was often in Dublin early in his Microsoft career to talk to government officials.
He was back in Dublin recently on the way to a Paris Peace Forum and armistice centenary observances, visiting cities in six countries in a week. “It’s almost a campaign-style trip culminating in Paris itself,” he says.
While in Dublin, he visited Microsoft’s new Sandyford headquarters, talked with State officials, discussed cybersecurity with students at Trinity College, and received an honorary medal from the university’s Philosophical Society.
He was travelling this time because Microsoft has been working with French president Emmanuel Macron’s government since May after it put out a call for projects for the Peace Forum.
“We thought that cybersecurity and digital peace were worthy of an important project,” he says. Macron agreed, and launched “a Paris Call for Trust and Security in Cyberspace” during the week.
“We’re really trying to remind people about why World War one took place,” Smith says. “Our fundamental message is that technology accelerated, but that governments really failed to keep pace with it. We need to do better this century. One way we need to keep pace is to put new rules in place and strict international co-operation around issues like cybersecurity.”
Yet that co-operation needs to involve more than governments. Microsoft has called for civil society to have a say, and for the private tech sector to become more active.
Companies like Microsoft, which operate data centres in places such as Ireland, often understand threats and attacks better than any government because they experience them first-hand, Smith says
“We probably see more about the evolution of threats than any single government does. So clearly the tech sector needs to act. Dublin is, in our view, the digital capital of Europe” he adds, and therefore should have a particular interest in these issues.
But technology companies have also created many of the tools and platforms that are used in attempts to wage attacks and to compromise democracy.
“This is where I think that regulation is not only necessary but essential because, fundamentally, what we’re seeing is technology tools that some people, and unfortunately governments in some cases, are turning into weapons.”
Industry self-regulation is important, he notes, and Microsoft has led a drive to get more than 60 tech companies to sign up to a voluntary “tech accord” to agree not to allow their technologies to be used for nefarious purposes.
“So the industry is increasingly coming together in additional and important ways. But self-regulation is not and is never going to be sufficient in addressing many of these issues.”
Companies in the sector “have to aspire to follow a strong sense of ethics and take a high road, but there’s always the risk that instead we’ll see a race to the bottom”.
“The race to the bottom accelerates when some companies conclude that the best way to gain market share is to really abandon any commitment to strong ethics.
“I think the only way to insure that we avoid the race to the bottom is to create a regulatory floor that defines a new bottom, and actually raises the bar. I think that’s a very powerful motivator.
“I think we’ve seen that in the privacy space. Europe has really led the way in that space. But I think we need this kind of regulatory standard now in new areas as well. That’s why we called for regulation with respect to facial recognition, an incredibly powerful technology that can be used as a tool or as a weapon, depending especially on what governments do with it.”
'We’ve seen a set of threats to our electoral processes that are quite substantial and serious'
He says all technology companies have a responsibility to address such issues, whether involving products, services or social media platforms.
“I think there are a lot of questions we’re all going to have to work through together, not just in the tech sector but with governments around the world as we find the right balance to ensure an appropriate level of regulation.”
After Microsoft’s threat-intelligence centre spotted suspicious activity – that Smith says turned out to be “state-sponsored attacks emanating from Russia” – attempting to compromise individual US senators as well as two high profile, conservative think tanks in the US, the company launched an initiative called Defending Democracy last summer to help protect national electoral processes.
It also introduced a free AccountGuard programme to protect the accounts of politicians and political parties in the United States. The schemes have more recently been introduced internationally, and during his visit, to Ireland.
One of the biggest challenges in cybersecurity right now, Smith says, is defending democracy.
“We’ve seen a set of threats to our electoral processes that are quite substantial and serious in 2018 even though, just three years ago, they were not even on people’s radar screens.”
Cybersecurity for democracy tackles four main issues.
“One is protecting candidates and campaigns from hacking. The second is protecting the integrity of our voting systems. The third is addressing political advertising and the forth is addressing disinformation.”
Smith thinks political advertising is probably the easiest to counter. He worries most about potential attacks on the voting process. “It’s impossible to uphold the integrity or public confidence in a democracy if people don’t have confidence in the counts of the votes.”
But countering such problems is more difficult when a government that once shaped global policy and international security initiatives now, instead, disputes whether attacks have even taken place, as is happening in the US.
After the second World War, “the United States benefited from a bipartisan consensus on foreign policy issues. We’ve seen that consensus become more fragile over the last decade and then we really saw it break down further after the 2016 election”, says Smith.
“We’ve been concerned and we’ve shared our concerns with people in both political parties in Washington DC. This is bigger than any single election. It’s even bigger than any single individual or president because really what we’re talking about is the sustainability and vitality of democracy itself.
“I do believe the ultimate strength of all of our democratic countries is the people, the ability of people to recognise the need to come together and appreciate that we have far more in common in this space than the issues that divide us.”
As for Microsoft’s Dublin email case that quietly fizzled out in the US supreme court earlier this year after Congress passed a new Cloud Act to govern lawful access to digital data, Smith says he was satisfied with the anticlimax.
“We were definitely encouraged by the steps that Congress took to pass the Cloud Act, which obviously brought an end to the supreme court case.
“We said from the very first day when we brought that case that we were prepared to take it all the way to the supreme court, and we also said that, ultimately, this needed to be a springboard to adopt a new law, that we didn’t think this was a case that the judiciary could resolve by itself. Now we have a new law.”
And slyly, he adds, “it ensures that other countries have a certain way to control their own destiny”.
“If they define laws that make it impermissible for an American company to turn over data, then we can go to court and can show that there’s a conflict of laws and, even more importantly, it creates the foundation for a new generation of international agreements.
“We’re very hopeful that we’ll see countries, whether it be Ireland by itself or with the European Union, put those international agreements in place.”
Smith may be Microsoft’s president now, but he remains very much Microsoft’s lawyer.