Twenty years after pulling Microsoft Corp. through the fallout of its landmark U.S. antitrust case, Brad Smith is a rare voice in Big Tech arguing for more regulation and proactive collaboration with governments.
Mr. Smith was appointed Microsoft’s general counsel in late 2001 – just as the company agreed to settle with the U.S. Department of Justice in the longstanding case over the integration of its Windows operating system and Internet Explorer browser, avoiding a breakup that could have reshaped the computing market. His let’s-make-peace pitch to Bill Gates and Steve Ballmer helped guide Microsoft’s response through much of the next decade.
These days, he’s Microsoft’s president. He says he’s still looking for new ways to make peace, even as Microsoft now sits as an elder statesman among the tech giants – competing with the likes of Amazon.com Inc. in the cloud services market, and with Salesforce.com Inc.’s new collaboration software, Slack , while a new generation of companies sit in the crosshairs of U.S. and European Union competition regulators.
Mr. Smith spoke to The Globe and Mail last week during a virtual ’tour’ of Canada, during which the company announced that it would invest $1.4-million toward a new $8.7-million Canadian Tech Talent Accelerator Program to train 2,500 underrepresented youth for digital-focused jobs in conjunction with B.C.’s Digital Technology Supercluster, and that it would add Inuktitut to its translation software.
In the interview, which has been edited and condensed, the Microsoft president discussed tech monopolies, cyberthreats and his company’s competitive position in the cloud market.
How would you describe the difference between what’s happening right now with antitrust cases against companies such as Google and Facebook compared with what happened with Microsoft two decades ago?
The more things changed, the more they stayed the same. There’s distribution, which has changed – it’s now through an app store. Software still needs to work together, so there’s still the issue of interoperability. We learned the hard way that we had to meet the regulators where they lived, and not expect them to meet us where we lived. That meant we had to see ourselves the way they saw us. It meant that we needed to change. Change is painful. It certainly was for us.
There’s a story from Businessweek after you were hired that said you’d told Bill Gates and Steve Ballmer, “It’s time to make peace.” You seemed to try to. I’d be curious to see if something similar would unfold today.
One thing that may be different this decade, from two decades ago, is that regulators may be concluding that they can create the basis for change through new laws and regulation faster than they can through competition law cases. We’ll see.
You’ve called for a national and global strategy to combat cyberattacks, particularly after the SolarWinds attack [which was revealed last month and saw malicious software spread across the world through the IT management company’s systems]. Thinking again about the way the governments interact with technology companies, how can they work together when they take very different approaches to their work?
When data about cyberthreats are trapped in silos, we all suffer from our inability to connect the dots. That phenomenon was one of the fundamental ingredients that made it possible for a small terrorist organization to inflict 9/11 on the United States. All the information was there, but it was never connected. And I think we live in a world today where information about cyberattacks is far too disconnected.
I cannot speak to the Canadian government, but one of the points we made is in the U.S. government, there’s a need for data to move faster among the different parts of a government that need it. And companies are not necessarily in the habit of sharing threat-intelligence information either, so I think we will benefit if that will change.
I do believe that threat-intelligence information needs to move from the private sector to, at least, trusted governments. I think we can move information about threats without moving data that implicates privacy. This is where we’re willing to break ranks, to some degree, with the rest of our industry. I think we’re going to need a new legal requirement for companies to share information about network breaches. In the world of privacy law, you have a duty to disclose information when there is a data breach, but not a network breach [where systems or information other than consumer data can be compromised], and I think they should be treated differently.
The first goal should be to get the data about a network breach to, say, a centralized reporting organization and a trusted government, so they haven’t lost the ability to see the entire horizon. I don’t think that’s gonna happen without some legal change. It’s going to require a change in culture as well.
Microsoft reported 50-per-cent growth for its Azure cloud-computing services last quarter. Do you worry about that growth slowing because of the cyberattack news in the last couple of months?
No, I don’t, but I think it’s something that we should constantly focus on. This attack demonstrates that we should never assume that anything is immune from attack. But the truth is, the cloud is more secure than [on-premises] servers. All of the attack vectors [access points] that we have seen with SolarWinds started on-premise, then they sought to move around a network. As they moved around a network, they made it into the cloud. If they made it into the cloud of a customer that was running Microsoft Cloud Services, then we saw it.
But the bigger question is: How many customers are there that are not running cloud services that have these attacks ongoing that no one has discovered? The cloud is much more of a solution than a problem here.
Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.