Microsoft President Testifies on Cybersecurity Failures  CSPAN  June 17, 2024 10:40am-1:34pm EDT

10:40 am
>> microsoft vice chair and president brad smith testified before the house homeland security committee on recent cybersecurity failures through operations in china and actions the company has taken to prevent futurea and other
10:41 am
nation-states. this is about three hours. >> the committee will on domestic and you will come to deared the committee in recess at any point back. the purpose of this examine thatt bafflement security cyber safety review board's recent report concerning the summer 2020 microsoft exchange on one cyber incident, specifically will extend microsoft's view regarding the company security practices and challenges
10:42 am
encountered in preventing suspected nation state actors, strengthen security and measures before. i now recognize myself an opening statement. each and every day the united states depends upon microsoft. clouds of his productivity tools operating systems to carry out an array of critical missions. microsoft is deeply integrated into our nation's digital heightened respect and heightenedhis hearingnd today because of the latest department of homeland security cyber safety review board, the report attributed last summer microsoft exchange online hack by storm which is backed by the chinese communist party two, and i quote, a quote, a cascade of security failures at microsoft, end quote. based on a number of findings detailed in
10:43 am
the report, and have the report and would like to introduce into the record. so ordered. specifically, storm-0558 ss microsoft access microsoft exchange account using authentication tokens signed by key that microsoft reader in 2016. they obtained tens of thousands of individual u.s. governmenting te microsoft exchange email accounts of use officials work on national relating to china. csrb concluded this information would have prevented him then prevented at microsoft cultivated a strong security culture which the csrb said, and the court, rre an overall particularly in light of the company's centrality in the ecoe level of trust customers place data and operations, end quote. by any measure cyber intrusion was not sophistate
10:44 am
technologies. instead storm-0558 exploited basic well-known vulnerabilities hygiene.d been avoided through in other words, this was avoi concerning and the due diligence and determine just what it's taken this report to heart. articles today are simple. we want to give the company -- so much they faith in as a government, the opportunity toee actions taken and, of course, to share where they feel the report could have been wrong. to bele would never expect a private company to work alone in protecting to s do more, more wo define roles and responsibilities for public and private sector actorsn
10:45 am
event of nation state attacks. our nation's adversaries possess advanced cyber capabilities and substantial res often exceeding the defense, the defensive cybersecurity measures available to even the most sophisticated companies. however, we do expect government vendors to implement basic cybersecurity practices. since this is not the first time microsoft has been the victim of an avoidable cyber attack, and in the light of the report it'so examine the response to this report. we must restore trust of the american people who depend on microsoft productsry must also r questions regarding the mitigation of economic national security risks to this hearing aims to shed light on these issues and ensure microsoft has implemented the csrb's recommendations to safeguard against future breaches. as we dive into the station we need to keep three things in
10:46 am
mind. first, closing the cyber workforce gap my top priority for the committee this year. the secret challenges we face as nation ant shortage of cybersecurity professionals as microsoft intots cyber workforce must hearken back to lessons from the report. our cyber professionals must be trained to t secure the first and must equip them with the right skills to protect our networks and to build our systems security. second when you define the role of public and private sector entities in protecting against, protecting networks against nation state actors. and i think the federas been sileo long on this. these attacks have become rathen anomaly spirit when you include defined responsibilities so we can effectively respond to nation state attacks on our networks in a private-public partnership. finally, we must address a fundamental issue, the economic considers the drive cybersecurity investments. essential security measures.
10:47 am
changing the economic incentives for cybersecurity investment is not about imposing onerous relations site the innovation. it's about creating and a private with a of neglecting cybersecurity by the potential benefits of comprehensive security measure. today, we will explore the steps microsoft isin security culture while i commend microsoft announcing steps to refices, i e today what microsoft's follow-through has been oho commitments. on its past responses to the significant cyber incidents such as solarwinds one of my biggest concerns is your, microsoft's presence inary strategic adversd ee hack we're discussing today. over the years microsoft has invested heavily come
10:48 am
setting of research and investment centers including the microsoft research asia center in beijing, microsoft president chen president john christison complex challenges. and risks, and to talk about thatco today. as a part ofg. our discussion oa this could issue. mr. smith, as a long-time deleted within microsoft, i anticipate you help us understand the gas that enabled. the american people as well as the numerous federal agencies that depend on microsoft deserve those assurances but their data and operations will be protected. and mr. smith, we appreciate presence here today and look forward to your testimony. i also would like to let the members of the committee know and listen up, team, that should your question require an answer that would necessitate movement mr. smith will be the only one who knows e question. look, china and russia, beijing
10:49 am
and moscow are watching us right now. and if you don't think that's true, you're naïve. the last thinge to do is about our adversary in any way.e ants would require secure facility, please accept this and ask another question. the committee staff will determine the best way get you r in a secure and classified manner. i recognize the ranking member for his opening statement. >> thank you very much, mr. chairman. i would like to thank you for holding this hearing on the cyber safety review board investigation of an intrusion into federal networks involving microsoft. at the outset i want to be clear it's not the committ's the witnt or any o entity mone csrb repor.
10:50 am
we have three objectives today. acco networks, and securing broader internet ecosystem. last year we were disturbed to learn that a state-sponsored threat actor from china had access to email accounts of high-ranking officials at department commerce, and an e-mail account of a member of congress. as investigation unfolded went learn that the threat actor accessed these accounts by forging tokens using a stolen key from 2016, and that the state department, not microsoft, had discovered the intrusion. by august, secretarys announced that the csrb would review the microsoft exchange online intrusion, and the
10:51 am
environments. the csrb engaged in a thorough and expeditious review, and ears year. and i might add, that you are just included a copy of that report in the record. the csrb of review it was supposed to do, and it did so in a manner only the governmentan csrb examined s incident and made pointed findings and recommendations that will ultimately improve microsoft, other cloud service providers, and the government approach security. upon this committee to hold microsoft, one prominent i.t. vendors and mot security partners, accountable for the findings and recommendations in the microsoft deserves credit for cooperating with thet make no m,
10:52 am
microsoft or any similarly situated company would do just the same. microsoft is one of the largest technology suppliers in the world, and its products are used by governments and private sector entities a akes an estimated 8 productivity software used by the federal microsoft also sells secur is oe government top cloud service providers. moreover, a reported 25-30% of its government revenue contracts, at least in part due to the terms of its licensing em the knee company with such a significant footprint network n obligation to cooperate with a
10:53 am
government review of how a chinese threat actor accessed sensitive information by exploiting vulnerabilities in one of their products. the repo the csrb determined that last summer's intrusion was, and i quote, preventable
10:54 am
importantly, the report observed that the secury been tracking the threat actor for over 20 years. over that time the threat actor has demonstrated tactics and objectives that those we saw in the last summer's attack. dating back to operation aurora in 2009, and rsa compromise ta well-documented interest in compromise in cloud identity systems, stealing signing keys and forging tokens that would enable access to targeted customer accounts. technology provider in the world has beenae stepped up their approach to securing t the csrb found microsoft did not do so. and while microsoft did
10:55 am
cooperate with the csrb investigation, the board found the company was slow transparent -- to be fully transparent with the public. most notably, about how the signing key. to this day we still do not know how the threat actor accessed the signing key. microsoft's explanations about why the key was still active in and why it worked for both consumer and enterprise accounts have been competent. iem transparent with the public that it was not confident about the root cause of the incident, my concerns about whether we can rely on microsoft to be transparent were heightened this morning when i read a
10:56 am
propublica article about how an empl a leadership to a vulnerability in services before security researchers publicly reported it in 2017. that vulnerability which microsoft chose not to fix was ultimately used by russian actors to carry out secondary even more troubling, the article recounts microsoft's testimony before the senate which denied that any microsoft vulnerability was exploited in solarwinds. transparency is a foundation of trust, and microsoft needs to be more transparent. in 2002, bill gates said, quote, when we between
10:57 am
adding features and resolving security issues, we need to nquote. the csrb found that microsoft had, quote, drifted away from this ethos, unquote. i agree. last november microsoft announced a secure future initiative touting a reinvigorating approach to security. but microsoft itself was compromised by russian threat act to use unsophisticated tactics access the e-mails of high-level employees. unfortunately tho correspondenceh government officials and put the security of federal networks at risk once again. basic cybersecurity tools that would have stopped this intrusion. in may, following the csrb report, microsoft announced an
10:58 am
expansion of the secure future initiative that committed to making security a top priority. but the same month microsoft announced recall, a that takes and stores periodic r screen which has raised concerns among both privacy and security experts. microsoft modified the rollout recall in order to incorporate significant changes. i hope will continue to consider these concerns of the security and privacy as it rolls out new products. on a final note. warned that the committee's oversight of this incident
10:59 am
csrb investigations on notice. this committee will not tolerate refusal legitimate investigations undertaken by the board, particularly when federal networks are involved. any effort to obstruct csrb investigations into cyber incident would invite significant scrutiny by this committee and would certainly force expedited csi of proposals to grant csrb greater investigatory powers. microsoft is one of the fst import technology and security but we d to allow the importance of that complacency or interfere securit technology providers continue the evolution toward anan better secure the digital ecosystem. i.
11:00 am
chairman, to a productive conversation today about how its security customers. and i yield. >> i thank the ranking member for his opening remarks. other members of the committee reminded open statements may be. i'm pleased to have a distinguished witness here before usay a witness please rise and raise his right hand. do you solemnly swear the on hod security of the united states nothing but the truth, so help you god? let the record reflect the witness has answered in the affirmative. .. nothing but the truth. >> i will. >> the witness has answered af i would like to introduce our
11:01 am
witness.rves as the vice chair and president of pivotal role in steering the strategic direction of legal he joined microsoft in 1993 leading the legal and corporate leading the legal and corporate the witnesses answered in the affirmative. i'd like to introduce our witness is currently serves as preparation where he plays a in the company strategic initially on the corporate affairs team in as legal and corporate affairs department under his leadership, microsoft tackle l challenges and been at the amon. congress only speak key policy is an associated importer of going
11:02 am
procedures law firm and logicala nk the witness for being here and recognize mr. for five minutes summarizes opening statements. >> thank you t here today. it star role that this committee plays. of homela of the united states and you cannot protect the homeland security of this country without protecting the cybersecurity of it. that is a shared responsibility between the public and and hen
11:03 am
thing for me to say and to write in my written testimony is that we accept responsibility for each and every finding in report. as you can imagine you get a report, u ult to read and you wonder, how will you react. when i sat down the microsoft chairman and ceo we resolved that we would react without defensiveness. without equivocation, without hesitation and we would use the report make microsoft and the cybersecurity protection of this that is our goal. part of that involves accepting responsibilityap have done in person. it involves reminding employees of something that often say to them. no one ever died of humility.
11:04 am
use the mistakes that you make so that you can learn from them and get be that only works if you use what better and i appreciate that is where you involves strategy and culture. from a strategic perspective we did start last november to apply the lessons we were learning already from ink your what is most important is the csrb's recommendations. there are 25 of them. 16 are applicable and 12 to all cloud services and other technology providers. we have mapped all 16 of those recommendations onto our plan for secure future initiatives so that we will do each and but we are not stopping there. there
11:05 am
recommendations that we have incorporated as part of the plan. we have measurable milestones and in fact we now have the equivalent of full time of 34,000 engineers working on this project. this is the largest engineering project focused on cybersecurity in the history of digital technology. i think you ask a second question as well. is that enough? that alone, it would not be. that is why we are focused on changing, strengforward to talking about that. it starts with the tone of the topic and it needs to re of our employees. two new steps were approved. one changes the compensation of our senior people so that annual businesses to
11:06 am
cybersecurity with an exclusive focus and i than that, this will become part of the biannual review for every employee at microsoft and what they are doing in cybersecurity. i would conclude by saying that i think the o you captured we n think about here. if we improve microsoft alone that will not be we are dealing with formidable they are getting better and more aggressive. we should expect them to work together. they are waging ox an extraordinary rate soqu m: the opportunity to ask ourselves to learn together, what can we do in th well? to talking about them. >> thank you mr. smith.
11:07 am
members will be recognized in order of seniority. please keep your questioning to fi questioning may be called after all members have been recognized. i now recognize myself for five statement about the -- you know, let me start by saying this respond to initiatives and incentives. economics is about the study of incentives and you n the recent payroll changes for your executives and i wonder if you are at libertthat goes. what level of leadership.sch would love to hear more about that.
11:08 am
>> first, the board of directors took the first step yesterday and it acted a bit ahead of schedule. we usually make these anounthe most senior people in the company, including me w year that starts july 1, one third of the individual performance element of our bonus will be about one th the board did note that when it awards bonuses will take cybersecurity performance into account. what we talked about the last month or so, how to create incentives for everybody and it is based on the culture of --. twice a year every employee has
11:09 am
their manager and they reflect and show what they have done and ththit. what we have created is a new piece of this. everybody will need to address that on cybersecurity. the thing i like outhe most is it gives every employee at microsoft the opportunity to think, what have i done? i do? how am and then be rewarded at the end of the year based on that. >> that is encouraging. having run a company myself i think how whats' our priorities for people. it let me ask about your lv i would like to get an idea of what your current posture is the chinese people or to the chinese government. are you having to give up co and what the involvement there
11:10 am
is. broad topic. we have a few different activiti churce of revenue for microsoft. globally it accounts for 1.4% ofdo have an engineering team that we have been reducing are offering about 700 or 800 out of china and they would need to move out of china to the we have been reducing our engineering presence. there are two things that we do that we believe are very important. first, we do run some data centers. cloud services. prince play i would say for the benefit of multinational companies not alone. others reason i
11:11 am
think this is so important is because, if you are a pharmaceutical company or a coffee company, or whatever, you need to use the cloud in china and we want their american trade secrets an ameri center in china. in, what access does the chinese government have to that? >> none. every time there is anything remotely close to a request, i always ensure that we say no. >> very specifically on this hack, because it difrom china, can you talk with your presence in china ensuring that source going to use your location in china as a vector. what other, if you can, doing th >> i think it involves having a
11:12 am
very direct understanding of what your guardrails are. limits are. what you can do and what you won't do. you have to know your own mind. we do. you have to be prepared to look people in the eye them. that is something i do myself.i and i got pushed because there was unhappiness t reat we made attacks from china about infra influence operations. i, there are lines that we ap there are many things we will not be able to do in china but i think at the end of e we have to know our principles.
11:13 am
>> thank you. my time has expired and i recognize the ranking member >> thank you mr. chairman. i would like to enter into the record, a propublica article entitled "microsoft chose money over security." >> so de >> >> i'm sure you are familiar with the artiand we were left vulnerable with that can you say to us or commit tha process to make sure that employee concerns about security at microsoft or products are prioritized and addressed? >> one of the cha
11:14 am
made as part of this secure future initiative is. it takes our chief information security officer, it creates an office and puts deputy have to apply in things so i hope that would address part of what you are referring to. i would say one other thing though. the fundamental cultural change that we are seeking to is to integrate security into every process. we fought a lot about that over what is the key to getting better in your adversary is investing in constantly changing.
11:15 am
the thing that we have we can learn from total quality management and this really came out of american business thinking and then toyota innovated in the 1980s and the on ocess was to empower speak up. mprovement and that is what we are trying to do. empower to be able to speak up and there are going to be de we want to ensure that those voices are heard d on what you have said, that will be, going forward, anybody that comes forward with something, they will at least be heard and responded to. with respect we are here because of storm-0558, as
11:16 am
it is referred to. the real concern is that microsoft did not find the problem. it was the state department. help us out. >> the one thing i ask all of us to think about is, that the way it should work. no one entity in the ecosystem can see everything. so, we all need to work together and the way that nstru people will see specific endpoints. in this case, as you know, it state department that saw the intrusion department email system. first of all, you ought to give those folks a medal. th but his innovation and great professionalism at work so they let us know. by the way, interestingly enough, at the
11:17 am
same time, who identity the identified the chinese intrusions into electric companies, we are all going to see different things. when somebody else sees it we should applaud and say thank you. not say, i wish i had found it instead. >> i wish it were that simple. but, we have a real challenge and because you are such a big heavily on your product. it is not our job to find thrit that is what we ar for. so don't switch the role. >> i'm not switching it all. i do appreciate what you're saying. >> so maybe, we will have another round, chairman. >> you may ask the question. t
11:18 am
said. how can you earn back that this situation has caused? that we acknowledge, devise a s, except strategy to address them and change. be transparent about what we are doing and always listen to feedback. you. i yield back. >> the gentleman yields. mr. h >> thank you. congratulations on your success. it is the success of microsoft isn't it? yo >> it certainly is part of it.
11:19 am
grown so massive because of at your own technological advancements? that you have driven? within your company? has been extended to microsoft products? over the decades? is fairfair i think what we place the most importance on is earning and omers. >> so we are in agreement. microsoft is a great company and everybody inre has some kind of interaction with microsoft. don't remuch choice. so, it is yocr committee gets this right. quite frankly, the american people, myself included, we
11:20 am
ppened and how it happened has and what has transpired since and yet, there is no plan b. we that means. u sometimes life comes wnalways s always one guy. da congratulations. you are the one guy. so, i have a couple difficult questions. i apologize for any discomfort because i am why did microsoft not update y. its ist after the intrusion. after the did 2023
11:21 am
microsoft why did it take six months for microsoft to update the means byst americ made aware of such a hack? >> first of all, i appreciate the question. our team when i read the csrb that blog. ig we do updates of wese repo when i asked the team, said the specific thing that it changed, namely a hypothesis about the cause of thusiol >> so, you see, smith, respectfully, that answer does not
11:22 am
regular going to have to move the tape again. but, you did not do it. at microsoft a major thing happened the means by which you communicate with your customers was not six months. i don't really accept that answer. as thoroughly honest. i need to move on. say -- i sa conversation inside the company. >> okay. i accept that. n. china. you go and -- you went to china. i guess he madethere and you do
11:23 am
there. you meet with chinese communist party officials and you p achie technological advancements. i believe this is your to actively participate in the digital chinese economy. i believe that was her statement and my question is, doesn't it strike you that just responded to the attack? pa >> my time is expired.
11:24 am
i am just trying to complete >> thank you for the opportunity. there were areas we thought it was appropriate and even importan ent participate, but it is not choose or use those words. >> thank you. my time is far expired. thank i wanted to echo the sentiment that i do not view this hearing as a shaming of any particular coom mistakes in the past that we can better secure the digital ecosystem of. especially with a company that has such a large footprint in that ecosystem. first, i was hoping
11:25 am
back to the propublica story in employee alleges that a vulnerability was discussed and it was time you were seeking you do have so many government clients today. as we sit here today are there any vulnerabilities within your operating system that have been expressed to you similar to what was alleged in the past that would affect government system you are aware of? what i would say is that everything we are doing is focused on identifying every
12:39 pm
every vulnerability our employees can find us so we can go address them. digital technology and given complexity i am not sitting
12:40 pm
here today aware of anything that fits your description, but i am constantly hoping that we that find something and raise it so we you learn from the internal decision-making process on updating the blog post on the root cause? >> and thought of times eything often. i think the answer is because we ne it was at least too phuket we should have updated
12:41 pm
i think the a lot in life. it is hard to over communicate. let's work ev hannection. they were hit very hard and experienced a ransomware attack last ye whoperations work crippled in a state of emergency was declared. where do you see these attacks happening and what types of targets do you see as most at risk? >> this is a cral we can all find new ways to work on it because it was last july where systems went off- liweeks. in the 2nd district of mississippi they had a lar wri suspect it had to currency.
12:42 pm
this is a scourge. the number vulnerability right now i think is so disconin ransomware operators are l hosp healthcare institutions last year. that the chairman and ranking member thompson alluded to at the beginning i think required we all come together to help these institutions. we launched an initiative days ago and were not alone in the white house. google did it. we all need to do th need to se message. i think that has to be sent to mo. we fought with them 80 years ago it was to protect
12:43 pm
people, and it was reflected 4 years later in the geneva convention that said even in times of war governments have to protect civilians, and this is supposed to be a me peace between our countries and what they are doing. they are enabling their employees to use the tools and our operations and target hospitals. cities, counties, schools. i think we have to find our voice tech sector and with the business community, and we have to find a way as a deterrent, reaction. because right now this is just open season. it is open season on the most people in our country and we have to find a way to change that. >> thank you. >> a lot of other
12:44 pm
committee members are going to hone in on the security breach. i am more interested in the presence in china which i consider to be the greatest threat to our security in the united states. your presence in china. fully owned by microsoft? what is the nature of their corporate structures that we do operate as a subsidiary and also we have a jovees. >> are you aware of the 2017 national intelligence law in ch if i remember correctly one of the things is states when an organization finds a vulnerability it has toma >> that is not where i am going. i myself.
12:45 pm
>> hopefully it is hours. >> if it is it is pretty bad for you because it says this. in china there is a law that was implemented in 2017. this requires all organizations and citizens to cooperate with china's intelligence agencies including the people's liberation army in matters of national security. specifically mention companies working in china it does apply to all organizations operating within the country including foreign companies. you operate in china? >> yes. >> do you comply with this law? >> no, we do not. >> how did you get away with fr chinese government? >> no, we do not, but there are many laws. the arpupils that apply every law they enact and those
12:46 pm
that enact certain laws but don't always apply them. in this context china for that law is in the 2nd category do y? i sit on the select committee on china and that is not the intelligence agencies of china in the people's liberation army. you operate in china and ar not have to comply with the laws of china? >> there are days when questions are put to microsoft and come across my desk and i say no. we will not do certain things. >> but you are complied by chinese law to and the people in china that work for microsoft are don't do it. >> clear to the government if the chinese government wants to sue
12:47 pm
somebody they need to sue me. i you. they arrest you. do you understand that? >> we make clear there is no point in arresting people. they have no authority due to the authority because it is the law. you are in china. >> i am talking about subject to law. >> but they do not have the ability to make these their hands. not trust what you are saying to me. you are operating in china and have a cozy relationship into b i cannot believe they're going to say you do that everybody else does. every other foreign company has to but not microsoft. i wi take you at your word. i am just demonstrating to you the problems that we have with american companies working in china. and that 41% of your resources
12:48 pm
or income is it really worth it to inve such a law that says you have to agencies.th intelligence >> the thing i would ask all of us. i appreciate your questions and the sesnof we think constantly about these things. i do think there are vaablebe i and i think they both serve the interest of the united states. e t an information and american trade secrets of american companies who are doing business in china. the d is to ensure we are always learning from what is going on in the rest of the world. >> those american companies and all of these secrets that are working in china have to comply
12:49 pm
you think they all do? thank you. >> welcome, mr. smith. also ranking members. this is not a shaming session, bureading on this issue. been on homeland for years. this is very disturbing. that statement is an understatement as to how i am feeling what do i tell my constituents for your services? that an unsophisticated well known vulnerabilities enabled this to happen. >> i would hope you them. >> i am asking you. what should i tell them would share with them --
12:50 pm
>> they are paying you for your service. it is not a freebie. i run your service and i also pay you for service. >> i want people to know on the one hand. >> just tell me straight up. what is the message? >> it has two parts. we see our customers attacks more than 300 million times every day, and the people who work 24 7. >> are we doing our job as the federal government helping you? or is there something else we can do to help you do your job better? that we can do and i would love federal government focus on a few key things. i think the investment in cyber security training that the chairman mentioned is an imperative. i think we have done . we
12:51 pm
are trained as a company 203,000 people the last 4 years on cyber security. federal government to do more. i think we assistan infrastructure providers upgrade their technology. i think we need -- >> do you need to invest more in this area? >> we are investing more. we increased our investment but more than that -- >> do you believe microsoft responded in a timely basis to these known breaches? >> we both reon with people who work 24 7 pretty much around the clock. >> as soon as you found out this was happening you responded? >>tely. one thing i would love for you all just to know that despite these tens of millions of attacks year --
12:52 pm
>> do you respond to known vulnerabilities immediately? >> yes. we respond to every intrusion. we address ds >> we know the challenges that our competitors around the world friendly and unfriendly, and i would love to talk to you sometime to tell us exy we need to make sure this doesn't happen again. because i am to read about the situation. you have a our trust in siness th at the public and private sector. and to hear about what is going on here is disturbing at best. i hear you saying you are here
12:53 pm
to cooperate fully. the damage though. i have constituents back home that have lost money because of malware and so on and so forth. it is painful. the private sector. they run on your platforms. they trust on you being on top any thoughts? >> we are determined by acknowledging where we are fo yesterday was by the senior de engineer leaving what we call the secure future initiatives, and they were we want you know they are energized by this. >> we often say the chain is
12:54 pm
onasro weakest link. are you going to do a better >> absolutely. i would hope you would share with your constituents we take their trust for granted.r did i hear that correctly? >> that is correct. >> i now recognize mr. pflueger i want to talk about the collaboration. and many committees on capitol hill we security and liberty and nced private enrp what i
12:55 pm
really want to hear from you is talk to us about the relationship and also today, but just talk to us about how what you expect from the government. is it voluntary roundtables and classifittg? i would like to hear a little bit about that and i have some follow-up questions. >> i think it has been moving in a positive direction overall. they play an important part of this. i think that ultimately we would benefit from finding more ways to keand then allies because it is
12:56 pm
an entire ecosystem that we are seeking to defend. nobody by themselves. i think fundamentally their words were well taken by us but culture. i think we have a collective culture, and it is a culture that we need to iring more coll not just with the government but frankly across our industry. so that people can -- somebody said there is nob. i think two thirds of the folks behind me are trying to sell plor another. that is okay. here as well. i like to say the truth is when shots are being fired people
12:57 pm
back of the ambulance. everybody else will either be the ambulance driver or ambulach let's be the drivers together. >> let's stroll down to that end the relationship you have with the u.s. intellig unue about microsoft is you pretty much cover every sector and industry and every household's when you look at the relationship of the national security entities tell us the biggest gaps right now to making sure that they can stay secure in their operations.abou that defenders too often work in silos. every company thinks about their products and every agency thinks about what they have. attackers look for the seams between the silos. have the more seams you have. just as there are ses logy prod because most customers deploy them together there are across the government.
12:58 pm
a lot of times one of the challenges for us is th the gov the information is coming in not an active cyber attack necessarily flow from one part of the federal government to thlot of work being done to address this, but i think that needs to be advanced more icklof priority. >> 300 million per day is incredible. let me just talk about the committee on homeland security. we are worried are doing and how it affects our homeland. obviously the parc and ccp government industries and intellectual property and everything is a massive concern before today. a little bit about the relationship. how does that affect intellectual
12:59 pm
property in things that you have that could be either exploited for their benefit to undermine the united states of would say company that has valuable intellectual property has to be very careful to protect it from publishing, and a lot of code is published in open source form. havedoes not go where it should not. there are certain intrusions especially frdiscovering trade secrets. >> is microsoft taking steps to >> absolutely. the other thing to note changing their tactics. if this were a case of saying this is what was done in 2022 and let's fix itod, but i guara
1:00 pm
done is 2025 is going to be different. you constantly have to adapt and change, which is wh are doing. mr. chairman, thank much. it is no secret that our critical infrastructure is being targeted and i am particularly worried about rural hospitals and how they continue to be targeted threat actors are just this week microsoft announced new rural o hospitals in my district saying they are a participant. would you and how it will help the nation's rural
1:01 pm
hospitals defend against attacks? >> yes and thank you. we talked a little bit about this beforeviical priority for the country because people's lives are literally at stake. it is free of charge for a year helping with advisors and technology assessments so we can work with people. the third thing we are focused on is trying to help them use technology so that they can be more eti right now there are a lot of rural hospitals in the country that are barely afloat when it
1:02 pm
closes not only do people lose access to local healthcare but some ofity are destroyed at the same time. there is a shortage of people to work in these hospitals. one of the things we're trying to focus on is how we can use digital technology to improve quality of rural care. reduce the cost not just for the patients but for the operators of these small hospitals. put together a holistic approach that we think could make a difference. >> what about hbcus and other small organizations that could likewise use technical assistance and the help that might be in a similar situation financially as a rural hospital? >> have educational pricing, but there are two categories in the educational community is of special priority, and we are trying to give them special
1:03 pm
priority. one y] created a special program invest in them to provide scholarships to work on cyber security training. the 2nd is the nation's community colleges i feel this is the great resource. we need to equip them and send them into this battle. with a curriculum. other tech companies have done a good job as llmore questions in little time. >> that is absolutely a yes. >> okay great.
1:04 pm
do you agree the country is currently lacking in having successful deterrence strategy? if so what steps are needed to we do?ical and hard problem we need to solve as a nation and requires we do 3 es it's clear to the world what they cannot do without accounli we need transparency. we need collective action with and with elven governments so when the redlines are crossed there is a bl and people know what has happened. we need to start defining some a world where they are not facing consequences. >> i have 30 seconds ended with the important question. i want to make sure i get it
1:05 pm
right. earlier mzi briefed by members of the review board about its review of last summer's incident and i wanted torawe discussed. members of the committee have for years raised concerns microsoft was charging extra money for cust and they have to identify and investigate cyber incidents. when you testified before the committee in the aftermath of l explained that everything that we do is designed to generate a return other thansl that. the state department paid for extra logging and generating a detect this attack, but not every customer have that capability enabled. last summer they finally announced they would provide free logging to customers. in february made them available
1:06 pm
why did it take so long to make this decision? and what entered your mind? >> we have even gone a little bit further. >> that is fine, but can you answer i wish we had moved fas i think there was a focus on the real cost associated with keeping and rein, but we should have recognized sooner as the that lascwe served i think as we are now by not just retaining but . >> so what is status on providing free logs to our customers and not just federal agencies? speed we decided for all offer there are 3 layers, and we retain them for 6 months, which is what they recommended. will. individual customer logs. we will provide them to those
1:07 pm
access when they need them at no additional cost. >> would you agree it is as important for them as a company to have this level of security for its customers as it is for customers have the security? >> yes. >> thank you. my time is expired. >> this has been a very engaging and intriguing co have been listening to this and taking it in and thinking about it through that lens. you started with something that you find es i just want to commend you for that. we do not hear that very often, but i think right.
1:08 pm
i unde ve role to play as it's responsible for nearly 85% of the tivity software. given the company's presence significant risk of cyber attacks.xt to see. last year if you look at the attacks we had 47 million againsrs >> that is far more than i could have even comprehended. of course these are serious, and everyone here on the committee is as you stated in her testimony cyber attacks have become more prolif. as a result of the
1:09 pm
went under in may 2021 the biden administration released an executive order on improving the nation's cyber security and the establishment of the cyber safety review board under dhs. i want to talk a little bit th i think of course oversight is important, but i think e should be more action taken by our government to prevent cyber attacks. could we talk a little bit about the board? my understanding is it's a mix of government and industry representatives. true that micr not represented on the board? >> that is correct. >> are any of your competitors on the board? >> yes they are. >> is eventually so how did this work? the attack happened.
1:10 pm
>> i think we benefit from effort. i think it's probably a mistake to put on the board people that work for competitors of a review. i am less concerned about the way xx works, and where they want to take it in i going to do us that much good. >> it did they share with microsoft what yourcompit eir o practices? >> i do not believe so. i could be wrong but i do not believe so.
1:11 pm
>> with your competitors on the board helping produce the report was this used in any other way in the marketplace? >> yeah. i want to say this us think the most important thing is what you said. i just want to accept responsibility and do not want to deflect any of that because we have the highest responsibility. the words that i would offer that i will offer to the our competitors. it is fine. go tell people that you , but w we are not th each other even though we may compete with each other. they are our foreign foes. let's try to exercise a
1:12 pm
>> i think the competition is healthy. i think it is grea dt actually i enjoyed it for years and years. i think oversight is also extremely important. i think everyone in this room agrees that we do not want any foreign country gathering any of our information whether it's from an american citizen to our government.
1:13 pm
i think it would be extremely important on cyber attacks questionin. there a questions about from myt program. it is being compromised.
1:14 pm
she recommends the large enterprise in the compromised assessment program entry the parent company how soft imoving rising programs, is provided in the private-sector? ...
1:15 pm
we are admitting is nothing deputy chief information security officer focus solely on the integration of companies that are acquired. we clearly n t it up and we will. >> thank you. as you state in your testimony, nationstate adrs aggressive countries like china, russia, iran and north korea present greateat t our national security, and defending against them will require public-private cooperation that prioritizes strengthening cybersecurity across government networks and critical infrastructure. considering our reliance on large i.t. vendors like microsoft, our defenses will only be aslogy providers are.
1:16 pm
disappointing to see the csrb report that microsoft had failed to properly secure its products. microsoft mt better, and i expect that microsoft will continue to update the committee on its progress. cong to ensure the federal government has resources to meet the goals of president biden's ambitious national security -- cybersecurity strategy. mr. smith, how is microsoft improving its security to protect itself and its customers to address these increased foreign threats? >> well, it's a multifaceted effort. and as i said in my written what is today the largest engineering project focus on cybersecurity in the history of digital technology. different categories, and i think that's critical.to but it really is i think a new
1:17 pm
approach to cybersecurity culture. it's a new approach for microsoft, and the more time i spend with my colleagues, the more encouraged i am because f security and they can get part of the engineering process, and like quality. and the cultural change, and several of your comment about this, i just think it's so important, we want a culture that encourages every employee to find p fix problems and then learn from the problems. we need to do this in the way that doesn't put security in its own the our security part of everyone's job. i think that is one of the indispensable steps we are taking and really need to take. >> thank you. and with my last 30 seconds,
1:18 pm
what investment should congress prioritize to improve our national defenses against nationstate cyber threats? >> invest in the american people invest in the training of the american people. provide more scholarship assistance so that americans can go to a community college, go to an historically black college or university, get a course, kan cybersecurity. there are 400,000 open jobs in >> thank you.ates today in i yield. >> the gentleman yields. i now recognize mr. gonzalez for chairman. mr. smith, is microsoft teams a secure platform? >> i believe it is. i use it every day for lots conv.
1:19 pm
>> oth which the unconcern. i'm concerned with the trust level that americans have with variety of different reasons. i believe microsoft is been a trusted agent for a long let me give you an example. if you work for the defense, and you want to communicate with others unclassified environment but let's say it's an unofficial capacity, right? don't use assume or others likee platform. let's use microsoft teams. w starting to hear is more and more government officials,ment y affiliated folks not trust that. so if microsoft, if they don't trust that come what pinky haven once again i understand if it's a classified setting but i'm reach people without a cac card? cac card route.t t is it anything that is in the
1:20 pm
works in o of that -- whether it's warranted or not, thereng amount of trust within microsoft. is there anything in the pipeline that will regain that trust among dod affiliated organization? >> well, first of all i appreciate the fundament question. i would say that we are constantly focused as part of this work that we are doing increasing the security for every aspect of what we do every aspect of it. i feel comfortable talking with the dod or others on teams. i want them to feel comfortable and know that we are not stopping where we are. because our adversaries are not stopping where they are. we're going to continue and are continue to invest in hardening the security of teams even more than it has today. >> thank you for that.
1:21 pm
a large part of what do on this committee is try to get a going out of silos, rig all these agencies are in silos. every time there's a national these reports and it's always somebody knew something but when did they know it. is the ability to communicate in an f for you setting where you feel if a it'e assisting on it, i just would reiterate how important that is from a national security standpoint to ensure that the government has at least some platforms like microsoft teams. my final question is this. how is microsoft planning to combine your sf five while ensuring tools and accessible? >> first hf questions, and i will quote you back in the company's headquarters. second, the point you make is also so critical because we have to make- sirst the top
1:22 pm
priority. we have to make it easy for people to use. and so we do need to synthesize these things, and i think one of the virtues of wte are doing calling on deeply technical engineers but also people say in the field of software design and elsewhere. i think part of our quest i think it's a great quest for all of us, not just at microsoft but across the industry, is to continue to have wall security by default so that people get a new computer, a new so program, all of the security settings are on by default. they have we call security design so that it is designed so that it's not only effective but easy for people to use and easy so we're focused on all of those things, and i'll just say there is i think a lot more coming. of the game and more coming.
1:23 pm
we have to make sure americans continue different platforms that are out there. so thank you. thank you once a committee and chairman, your back. mr. magaziner for five minutes of questioning. >> thank you, chama one of the joys of speaking in the order after our from george is that it often handed notes to correct statements that she made, such as want to enter into the record that microsoft'setitm the findings, and the recommendations of the csrb.n record. now, mr. smith, the article that mr. thompson, ranking member thompson referenced earlier had the so-called solarwinds breach in which russian hackers infiltratedmicre of our country's most sensitive
1:24 pm
os from the national nuclear security administration nuclear stockpile of the national institute of health. you provide a testament to the senate intelligence committee iw that allowed that breach to occur only became known to cybersecurity officials at microsoft when it public paper. it has now been widely reported that frlo andrew harris discovered the flaw a ar earlier, alerted his superiors and other company ex sut rejected. soan y n the senate intelligence committee about what microsoft knew about that flaw and when microsoft ewas >> well, look, the first thing i would say as i know they came up in an articlehisnce read the article yet. i was at the white house this morning speed is okay. so you can't say, i'll just note that the article cited numerous sour i
1:25 pm
just that one individual. you're not prepared to say that when we can move on. >> okay. with what chairman green said earlier about the importance of incentives, and so i w that came out i believe yesterday that one-third of the individuales for senior executives will be tied to performance. early about the importance of incentives. i welcome the news that cannot i believe yesterday that one 3rd of the individual performance element of bonuses for senior executives would be tied to cyber security performance. compensation package for senior executives is the individual performance element? depethe individual. more than enough to get people's attention for sure. >> but roughly ballpark? >> of the cash -- i do not know
1:26 pm
20% if you add stock. >> if you could follow up on that it would be helpful because a 3rd of the individual nds on how big the individual performance is. if it is 10% of the total ll■gi only be 3% of the total package. having some understanding of how large a percentage is■■d th individual get performance element is.
1:27 pm
metails are still to be refined. this is the cash bonus that d■z get each year. finally piggybacking on the chairman's question. today stated product managers at microsoft or not senior executives had little motivation to act fast if at a flaws since compensation is ti
1:28 pm
revenue generated product and features with one former will get a promotion because you released a new shiny thing. you are not going to get a pr bunch of security bugs. given the importance of people at the project manager level is there y pl for their compensation to be tied at least in part to meeting cyber security goals? >> the answer is yes. announced yesterday is every single microsoft employee as we get to the new fiscal year will have this as a part of thereby annual review. a mandatory part to talk about cyber security. yo described. >> a part of their review, but is there a portion of conv?
1:29 pm
>> it won't be as formulaic, but everybody knows that the bonuses and compensation. the rewards you get at the enon and how people do over the year. >> i want to state i do leave it as a positive and good example we are integrating it into compensation packages. i want to make sure we are doing it in a way that is going to be impactful, will yield back. >> thank you. good to see you. and its the conclusion is that microsoft security culture requires an overhaul given its centrality in the the recommendations you are already putting into place. wi the seriousness of these findings and recommendations provided and now and how it was
1:30 pm
written and now that we are all he g on it how do you anticipate future voluntary cooperation with the board's request for information? they can only get the inyour company. what you anticipate happening now in the future with other requests? >> the short answer is i do not know, but i hope 3 things soon. one is that people that we collaborated and provided everything asked for. that i came here today and we acas hope of humility and accepting
1:31 pm
responsibility wt defensive or defiant, and then will do the same because hope i think if you can help us encourage that kind of re will get better because we know our officers are going to get better, so we have to get better. >> i do appreciate you being here and all of the and i have been working with them as well. you brought up secure by design. i have had a lot of conversations about that. they are doing?
1:32 pm
>> those really come together in my view to encourage our developers to integrate security into the design of the products baked in. i think one of the key things that we have really sought is a part of everybody's job and not juof the work of the security team. i think that is one of the mistakes that we rely too much on. did not do enough to ask everybody to make security a part of their job. some of y
1:33 pm
have asked about the recall on. we are trying to apply it as a lesson learned. if they e the future they need to think about the security aspects. it has not even been lost yet, so we have had the time to do this right, but we are trying to focus on it requires constant role modeling and practice. each time we go through this we are talking so that everybody can see inside and out quite tangibly how they can weave this into the decisions they are making>> i tt . and lot of those come from user er strong as your weakest i think having more secure by design in these for everybody. what should we
1:34 pm
invest in and he said the people. scholarships. the chairman is working on a piece of legislation that would do just that. the provided free curriculum and training. we provided 21,000 scholarships. the thing ul you all is community colleges the students in these colleges are not allowed to do.
1:35 pm
thank you for being here today. we appreciate your presence. i wanted to ask this. it could be a little off the beaten path. aba i. a new york allowed me to join to of hers that goes to a id fakes and the like. we have legislative efforts to fix these issues. a part might entail litigation, implement it in a way to address one of these things.
1:36 pm
we have to make those adjustments to address the problem. i think a bigger part is going to have to be technological. to address the a.i. ct we need a.i. counter to that. i do not know what is coming along those lines, but i would lito if you are aware of anything that is being developed that could help with that to address that issue in the very near future?
1:37 pm
>> asas teenage girls, in place more guardrails around our legitimate products, so use it for abusive purposes. the second is, use a i -- >> give me an example of the microsoft designed, you build in architecture so that if someone is something, you detect what they are doing, and in certain cases, you stop them from doing it. if they try to take a photo of clothes, allowed. it's about as straightforward as that. complex, and very sophisticated architecture involved.
1:38 pm
second, ai is very good at detecting the use ai to create images, going to be a cat and mouse game. there are debates among technology experts, but i have a level of optimism, myself, e doing to detect these problems. third, you have to be able to respond. , then stop it or take it off a platform, and we do need good, old-fashioned education, that people are aware, so that parents are aware of what their kids might be doing, or the r k may be facing. it's really multifaceted. >> let's back up to number two, and that is detect not so much you have to rely on the parents or the individual the target, because it might be a while before they are even aware of the issue. what sorts of detection rizon that could be implemented? >> detection mechanisms
1:39 pm
that we have in place today, and we are focused on specific problems, in particular. of the elections. are offering free training for every candidate for office in the united states. we have done this in 20 other cotrielet me back up. we go out for ourselves at some point, because we have the ability to do that. i'm more worried about the deep fakes, for, especially, teenage what is available for them? >> probably, no need, is what i would say. >> what >> i think we have put in place guardrails may take it back, and let me n. ask our folks, what could we create for more people that would empower them to do a cand
1:40 pm
me about themselves. >> i appreciate that. last question, with respect to misinformation, disinformation, especially, the stuff coming t election day or during that time period when elections have begun, is there a that coordinates private sector there, the public sector, and poteiato address this concern? chair for running over. >> i will say, i ink s been mad we get into the summer months, it's a really important question for all of us to have together, in a way that is genuinely -- there is a national association of state election directors. we are working with them. we are working with them, so that they can protect their infrastructure, and our means to educate people about deep ke
1:41 pm
frankly, what we are hoping can happen in both of the conversations about how we can enter the election season on labor day with all of the prote need. we are basing that on a lot of work. we were in taiwan for that election. we have been in we will be in the uk and france and we are take everythin step of the way and apply it. i look forward to hearing back for you. now recognize the gentleman from mississippi. >> thank you, mr. chairman. thank you mr. smith for being hearing today. the federal government and many americans trust microsoft to protect our critical cyber security infrastructure. we are here todayec microsoft has fallen short in 3 i'm especially worried about national security. recent re
1:42 pm
security review commission linked multiple cyber attacks to the ccp. there were breaches of microsoft email servers at the department of state and depaof course, the greater detail, describes microsoft's cultural issues we have highlighted. mr. smith, what the ccp and the russian federation backing -- state-sponsored cyber attackers, our organizations face this threat number resourc reputation. i acknowledge the federal government has a le we've got to play here. however despite in defending again attacks, it appears microsoft has had some failures, which ble, and
1:43 pm
i know you have addressed this, but i want to discuss the company's other investments, its ai offerings, and how it can relate to your plan to improve its i will start you believe that ai becomes integrated more products >> i think we will see two things, almost inevitably, and one is our adversaries we use ai to try to pursue more sophisticated attacks, but second, we are already using ai. i have to say, i'm ai can and already is being used to do prot one, ai is especially good at detecting anomalies
1:44 pm
looking for patterns. we have threat hunting teams at microsoft. hunting teams than anybody else, when they have ai now, they can detect these patterns. that is at will be important ac the industry. the second is to help the chief information security officers, the cyber professionals across the country. we've got a product, a cybersecurity copilot, and others will have similar things. a lot of work that these folks do it faster, helps them do it better. and, i think be a good step as well. go back to the gap, the 400,000 open jobs. hopefully, what ai will do, is in effect, lower the barrier to that wants to join this hope mo
1:45 pm
people will, they will say, hey, i don't rn everything i may have had to learn five years ago, because help me as well. we are seeing that now. we will see it accelerate in >> thank you. what specific cyber security measures is microsoft implementing to protect surface additionally? >> your question goes to is a critical piece. it is one of in the mentioned. i will tell you, i am very proud we have great people, who are just so committed to the mission, but it sort to using more and more ai, so we can make them more effective. we get so much data that we've
1:46 pm
got to, basically, integrate all of the data that we have, so threat hunters, and we need to use ai to make it easier for the threat hunters to find things faster. so, i think cutting of silos, connecting what we call data graphs, g to make every company that does this -- they will find that it can get better with these approaches. >> quickly, one of the things i would like to follow up with what mr. abby was saying, talking about some of these generated photographs. a local times, we had parents that would come in, and their teenage daughter ha and we, bas , to follow-up, to catch
1:47 pm
of these bad actors that are doing these things. i would ask you, as part of your training, train local sheriffs and police officers, especially the rural that have limited opportunities to have the use of some of the talked about today, because it breaks my heart to see a child go through that when it has been totally false accusation, and then for them to go back to school. would ly to put that on the front burner, so that we can help local law enforcement, to try to stop some of this. say, and i know our time is up, guess, we will, first, i appreciate it. some of the most moving things have been information from police officers, local law enforcement, who are working to protect kids, who are being
1:48 pm
victimized in the way you just described, and second, the other group i should have mentioned is the national center for missing and ploi these are, in my view, real heroes for all of us. we all work together and support them and rely onthere i alliance we have in this country between law enforcement and tech companies, and our coete part of this. the industry is pretty united and the world isbe >> the gentleman yields. i never could -- i now recognize ms. ramirez. >> it i'm freezing, but you might be been hearing our conversation today, in the hearing, and for us, it's pretty clear. we have two homel threats that this hearing is trying to take up. one of those is cybersecurity attacks. the other is concerning monopolies and monocultures
1:49 pm
driven by profit. sometimes, supremacy and secrecy, and i feel lithreats t democracy. when incidents like the 2023 microsoft exchange breach happened, and the bombshell reports published today, they bring us to this reckoning moment. it's microsoft, entrusting with our nation's most sensitive information, and also for this committee, this desperate need for the pursuit of accountability, when our nation's homeland security has been compromised. the ranking member mentioned that the propublica article published earlier today desc had dismissed employees' concerns about vulnerthat was eventually leveraged by the russians during then, microsoft denied that lne to the attack. when my colleague, asked you
1:50 pm
earlier, how quickly you address vulnerabilities, you said immediately, but propublic microsoft to the vulnerability years before solar winds. my question to you, mr. smith is, what is yourde>> it is righ let me just say. look. let's have an article published the morning of the hearing so we can spend the hearing about from now, i will have a chance everything in it. i am, generally, familiar with that situation. let's remember a couple of things. one, the solar winds intrusion was by the russian government into a solar orion
1:51 pm
product, t a microsoft product, and that product was customers. to more than 30,000 microsoft was one. because of what the russians d change the software code, the russians immediately had an entry point into al let's also remember that was the beginning, i think, and we came up with a technology tool that in effect, blasted that entry point. >> mr. smith, i have short time, so you might have an opportunity to talk more about that here. microsoft expanded t security feature initiative, and has said that security teams will have an elevated role in product development. concerns that were expressed about our vulnerabilityn handle today. >> i would say, two things.
1:52 pm
first, i would hope that there is an issue that needs to be addressed, it will be woven into the engineering processes, it will be escalated, it will be evaluated based on how they did. second, i for one second on thid active directory. about here is what was called saml, and it was an industry standard. it was a vulnerability in the entire industry standard, and what ensued was a conversationa best way to address it. i think, a week from now, i bet we can pull together information informed c about this, and i would welcome that opportunity, but what think is most important for today is, simply, to know how processes, how we are integrating security by design,
1:53 pm
how we the way employees review themselves, how we elevate and reward people for finding, reporting, and helping to fix problems. >> good. i have a few seconds. a few sentences. i will shift gears for a second. how do you ensure that your not limit the ability of customers to prioritize security in your >> i'm sorry but i >> how do you ensure in your bundling practices, that you don't limit the ability of your customers to be able to prioritize security in their purchasing decisions? they are they are able to prioritize their security when you are providing these practices. >> let me just say, i'm not aware of any so-called bundling practices that limit what our customers can do, in terms of
1:54 pm
cyber security proio if you look at the market for cyber security protection, frankly, a very robust part of it is about providing tools and services to enable customers to manage the security of their networks s that come from so many different vendors. microsoft accounts for about 3% of the federal t.9. that tells us there is 97% being spent elsewhere, and that is pretty typical when you look at it. and so, a lot of what we are doing across the industry, i think, especially, with industry standards and the like, is to enable. i think the choices that you are rightly encouraging-- >> thank you, mr. smith. i ran out of time. another roun ask you a follow-up. >> if you are like two seconds from your time limit, guys,
1:55 pm
new question. you know, i give a lot of grace. i give a lot of but if you are in a process and all we will let that question continue on and give you extra and, mr. izell was just as bad. mr. chairman. mr. smith, the csrb report said that storm zero had to some of these cloud-based mailboxes for at least, six weeks. can you tell us who discovered compromised, and how they did so? >> i think the early on. in fact, i think we got tificaonnt that they had seen an anomaly in their email system, so they informed us of th l
1:56 pm
our initial reaction was, that this was something that was a token that was being generated through a stolen key at the state department or in , 7:30 i i was on the phone with our ceo, within 30 to 60 minutes, but thit was confined to that. it took somewhere between days to a week or more for us to come to the conclusion thwas >> okay. do you believe that microsoft should have been able to realize that you were compromised before the state departme >> you always want to erything, >> that depends. >>be the
1:57 pm
first in everything good in life, buthand, i have to say yes, but on the the nature of networks and how they are distributed and different people just want to celebrate the fact that people are finding different things and sharing them with each other. >> putting celebration aside, are you confident that moving forward, microsoft has the ability to quickly detect and react to an intrusion like this? >> i will tell you, i feel very confident that we detection system that you are going to any organization, private or public, on the planet. that means we will be first to find everything? no, it doesn't work that way, but i feelvewhat we have and i feel very confident about what we are building. >> microsoft is seeing a lot of what the cyber criminals and ng
1:58 pm
the ecosphere. how do you go about you c identify with law enforcement? >> we have a y of different steps we take, some of which are probably st talked about in a public hearing. rman said, it's probably being watched in beijing and moscow, but we collaborate th enforcement all the time. encies of the u.s. government, and other governments that are allies of the united sta >> i know that many of our staff use microsoft for their email, amongst many other applications. can you give us as to the size of the share of government contracts for networking security and other matters in this space that microsoft has? >> i don't know the precise mbnition. we
1:59 pm
account for about 3% of the federal i.t. budget. i know that government has many choices when it comes to services, and i think it takes advantage of them, and we them. i don't, frankly, know how we compare to some of the others. >> like you said, the government has many choices, so with that said, why should they continue to use microsoft? >> because, we are going to rktrust of our government and other allied governments. every day. we are making the changes that we are learning the lessons that need to be learned. we e accountable. we will be transparent, and i hope that people look at what we have done and say, this is something thto do with i know we have to earn their trust every day. >> good. mr. chairmthat, i yield back. >> i now recognize mr. menendez for five minutes of questioning.
2:00 pm
>> thank you mr. chair and mr. smith. in 2002, bill gates issued a mewhich stated in part, "flaws a single microsoft product not only affect the quality of our platform and services overall, but also, our us as a company." now, when we face a choice between adding features or resolving security issues, we need to choose security. 2002. last month, microsoft's chairman and ceo you're faced with the trade-off between security and another priority, yoaners clear. security. 2024. .hthoft had drifted from security first culture set forth in mr. gates' 2002 memo? >> i was there in 2002 when bill gates was the ceo of the company, and have been there every year since this is something i think
2:01 pm
has to be introspective about, because i have been in so many have done so much to talk about where we are when it comes to security. i think that the biggest miwenot the one that is being described that >> what you mean, described that way? >> drifting away from st cultur i think the biggest mistake -- >> i'm not asking if there's a biggest mistake, i'm asking if you believe there wa-- 2002 and >> no, but what i think, so many cyber security experts, it became possible for people that were not in the cyber serithink they could rely on those people alone that we all
2:02 pm
needed to do together. in 2002, we did not have all of these large security at that time the way it does today, so i think there is a profound lesson. >> i understand the makeup of and the different departments may have changed, but this a statement in 2002 and more or less, the same statement made in 2024. security first, and it may have been taking a back seat, potentially. would be helpful if you could describe to me at the committee the microsoft security response and how it sits within microsoft's corporate structure. >> the security response center reports up to, as i recall, the executive vice president, charlie bell, who is on the senior leadership team, anit part of a very large and robust security
2:03 pm
organization. >> who makes determination when security response center? >> i would have to go get the precise answer to that question. i will say this. we do try to, and frankly, we create an environment where bad news travels fast that's what we aspire to dofini -- i can tell you in the case of storm 558 or the midnight bliz, minutes to hours. it gets to me. usually, th before it gets to the ceo, and the time for me usually minutes. it's not a large number of minutes. >> i appreciate that rvice prov to secure and authenticate systems.
2:04 pm
i'm glad that microsoft agreed to manage how it secures its identity systems. does microsoft plan to make significant changes to its core digital identity systems? >> i think the i will be the csrb issued numerous recommendations for cloud service providers. the csrb issued four recommendations specific to microsoft word. i would like to discuss. microsoft plans to implement some of the specific recommendations. they recommended that microsoft share a plan based reforms. does microsoft plan to implement the csrb recommendations? >> ther one of the things i mentioned imony is that we have invited them to send a
2:05 pm
team to our headquarters and go through all of the details, everything that we are doing. we want to show them all of the details, and then, i think one assess together is how much or we should be publishing things, cae is, every american can read them. the bad news is, everyone in moscow can as well. i will just say, we recognize we are interested and happy to share more with you e with the public. we just need to do it in much f hearing me today. i look forward to working with you. >> will have some staff look at your microphone. we don't want that to happen to you. another five minutes? good try. the chair no gentle lady from florida, ms. lee, for five minutes of questions.
2:06 pm
>> good afternoon, mrs. r. i would like to follow question from mr. menendez. you testified today that in the wake of microsoft is committed to prioritizing security first over product and feature development, bu something that is easy to say, no doubt, very difficult to do with far-reaching implications for yo like to hear a little bit more about the specifics, you are st product development one of the specific ways in which feature release or product release to ensure a focus on se >> that's a really good question. i wod anit in two parts. in the short-term, reallocated resources. we moved people. we told them to reprioritize, and by definition, that means that other things may have so t can speed up.
2:07 pm
and, th do. i think the real challenge is how you achieve effective, lasting culture change. this is true in any organization, and especially, when you have a company like ours. oyees. this has to be real every one of them. lot of what we have learned is a company over the last decade. we have gone through a lot of culture change and people feel it has benefited as well. i thinyou a northstar, which is the notion of do security first. you then have to change your accountability mechcompensation important. are really gravitating towards is to treat security highest priority in quality. >> would it be correct to say, then, that you have reallocated
2:08 pm
>> yes. nd urces in >> has it also affected your revenue projections, i would think? >> i would say, so far, i'm not aware of the changing any of it this way, i jectis. was in stockholm last monday. this is a country that as you know has just joined znatout 2 govents, corporate customers. what i found was really interesting. they asked a lot of tough questions, as you all are. want to sell plan b, they don't want to switch. they want us to t it right. we have to get it right to deserve their business, bui e t are committed to doing that. >> i know it s come up a couple times today, but i would like to return to a discussion of the recently released recall feature. you mentioned security by default, but that endeavor
2:09 pm
so'd like hear more about how that comes the status of the product rollout and how it is consiste w security first approach and was being done to make sure useaware of ts or risk from using it. >> i would this product hasn't yet been launched. the feature hasn't yet been finished and we had a process future information and takeyw of feedback. we've defined, we've designed a so it's off by default so that people have to choose to turn it can sharenformation with them before they make that decision. we designed future so that the information always stayss ot doesn't go to microsoft. it doesn't go anywhere combinedg of security in windows for every part of computer, and not just this feature alone and then we added additional features that encrypt data, that decrypt it just in time. so were tg very
2:10 pm
comprehensive approach to addressing all of the security andadad issues as well, and we're trying to do in a dialogue. because when you do create technology i think one of the mistakes you can make is to think you're all the answers. you want to get to thejes answers when you have these kinds of collective and public conversations. >> in a the chairman skype i'll touch on my last question which is a bit of shifting gears, that is i ulf thepu things that was identified in area of like free to elaborate more on youghtur t and going forward planning home to improve victim notification because this is really important topic and it's a hard one for everybody. when we find that someone has attack, doesn't mean the fault was oursd it. we doan to let them k somebody?
2:11 pm
if is an enterprise we probably had a connection. there is probably somebody we can call. consumer based email system, we don't know who the human is. we just have an email address. so w an email. there was a member of congress we send an email to last of cont you sort of expect. they said w it? it's spam. an we call people and they say all, give me a break, here microsoft. you're just one more fraud enterprise. hich we live. and so the csrb report as a his. it's too great the equivalent of e alert. but it will require support from ngre that the cisa probably the telecommunications companies and the phone makers
2:12 pm
and the phone operating system makers could be a huge step forward. >> gentlelady yields. i now recognize mr. suozzi first >> thank you, mr. chairman. i want to thank you and the ranking member for holdingoldina terrible is a good and i father's advice. i think he said was father who humility. >> i don't know if he said that he definitely, he, still alive today. is probably watching this for gosh sakes. something top. >> you've taken can barely e toy that. let me just ask from governments? >> if i had to guess, it's less than 10% globally. >> so what percentage of it is just from the federal government itself? >> not that we love the g federal government. its it's one
2:13 pm
of our biggest and it's the one where most devoted to but it's nothe our -- you mentioned earlier there are 300 million cyber attacks a day. are the sources from russia, iran and korea, is it from organized crime, or is it from individuals who are doing this? >> i would say most of the timer nationstates or ranks of our operators. we over 300 organizations those 300 300 account for be highest you give a person for how much from state actors? >> i -- >> or the state actors sometimes ransomware activists also? ingf my head that we can easily get that to you. i will say being
2:14 pm
a substantial percentage they are by far the big concern for r country's have divided we are. and our country's because of our members ofnt congress, there's 435 of us. 380 of them are in safe seats so they don't have to worry aboutth. they we have to worry about the people in primaries, so they pander to the base that divides us. and in social media the people get most attention social media, media people say the most trngs. cable news, you know, tucker carlson was most follow person l maddow, they get 4 million viewers, 3 million viewers. rachel maddow, therefore million viewers, 3 viewers, they are the extremes. but, our foreign adversaries, the chinese communist party, russia, irh are taking this information and trying to divide us every day,
2:15 pm
fighting about already and blowing them up bigger than ever. we need the great how disinformationular basis destroy us so what can we do ef? are industry doing great things in all areas. being exacerbated by foreign adversaries? >> there are lots of grea our i are doing great things in all areas of the industry, and thws is this extraordinary where peo together across industry boundaries.
2:16 pm
>> we need to advise the public about what's happening. exactly. i think we need processes that, and i would say, at the end of the day, i think the the most important point that could be made at this hearing, because the greatest threat cou comes if our adversaries coordinate, and we should assume that they noly >> they are. >> the greatest weakness of this country is that we are divided. not just politically, but in always have to remember that we can find a way to summon the ability to work together. if you all can work gewe in our industry can work across the industry, and we unite to that probably government-sponsored, and some of thecisa, so we can do what you ju
2:17 pm
things, help people learn. also, take the steps to hold these adversaries accountae,cha they are doing. >> thank you, mr. smith. mri would like to participate by this committee, bipartisan, in team, to figure out what we can do as a unfy the public as to what is happening on a regular basis, and how we a cotry, rporate, public private partnership, can unite to fight against foreign adversaries that are trying to destroy our country. thank you, mr. sm rds back. the gentleman from texas is s. >> thank you, madam chairman. good afternoon, mrs. -- mr. smith. let's chat five or 10 years downstream. fariouba and i won't say endgame,
2:18 pm
because i don't think there artificial intelligence and machine learning or cyberspace, but what is microsoft doing? do to stop the amount that attack us every single day, but we may not be able to talk about it in an open setting, but is there an endgame? is there a way to secure the network, or bad actors breache >> i would say two things. first, look at the current course and speed, this is probably, for the time being, and until changes, a bit of a forever war in stant combat. i would hope that would change, but we can't assume that it will. so, what can we collectively change first, and microsoft, i don't
2:19 pm
just hope, but fundamentally believe that say, we are going production systems, engineering sy, that make it extraordinarily difficult, and just beyond the economic reach of our most and well resourced adversaries to atta >> is that moving the infrastructure completely to a cloud-based system? >> believe the cloud is part of the answer, not only for us, buthe cloud services business. i think that in addition to would hope -- just as we learn from our competitors, and th ad that they will share but they are learning, and our competitors wi i think the thing we are going to have to do the moize, that we will do a lot of good
2:20 pm
things. let's say we do recommended, because that is what we are going to do. it won't be enough, because two years from now, our adversaries will have done more. but we need to create is a process, where we collectively, always learn from what is happening. we do a better job of anticipating a and i do think that ai will be one of the greatgame changers, and we need to ensure that ai benefits thunthe defense of people at a faster rate that it can be used by foes to attack them. >> another way is going to be removing the human variable from the cybersecurity space. we know that will be compthat a looking for, but i don't have it. competition based. >> let me just say, i am
2:21 pm
optimist about what ai can do to strengthen defenses, but i th sometimes, people in actually risk of underestimating the power of people. what we should really bed on is -- >> -- as a congressional member, i would never dohould a what the opportunity to enable people to stand onof better technology. and, if we do that with ai, if that is the stronger foundation,enable our people, especially, in this profession to achieve , and we w and other places, they will be tryiit better and faster, and we can never take a daf. that's the reality. >> thank you.
2:22 pm
mr. chairman, i yield back. re for five minutes of questioning. >> thk i want to thank everybody. i had a chance to be here for the first half of rushed back, so thank you for answering our questions. i want to take a step back and absorb what i heard in the first half as well. clearly, i think you you taking responsibility for the security failures and concerns that all of us how. i think that is importto broadl you. microsoft and so many other countriesanies have done so much work to change as someone that really believes in the wer le economic driver t you are to my state of california and other places, i don'part under the rug as well, so i thank you for your continued
2:23 pm
work. an important, serious topic we are discussing. every company, every government faces serious threats from hackers, foreign intelligen russia, china, and other countries are trying to steal technology, steal patents, and it's not just within your company, but it's within companies all across our nation. it's important that we are here on a bipartisan basis. i also want to note, we are reviewing today is a report from cisa, and i want to encourage us to support cisa there have been some of my cisa, they want to reduce support for strengthening cybers i think that would be a huge mistake, so i woul us to continue to work with cisa and other agencies to make our systems more secure. i that i believe we need more federal intervention , with microsoft a
2:24 pm
to work -- before i got here, i was the mayor of long beach, california, for eight years, and i consistently remember the numerous attacks that we got, a receive from a city perspective, and the challenges for municipalities and smaller governments, and the federal government to de i encourage you to continue to vel, but there are so many small cities and towns ity to d with some of the cyber threats that we have. i also just want to have an initial question. we know that there are an extraordinary number of cy attacks from nationstate actors. if you want to boil thwn, what do you attribute to these attacks? why are they attacking >> let me first thank you for your com underscore, so it's clear if there is any doubt.
2:25 pm
there are debate about one piece or another, but it's about doing important and good work for the country. i think it's really important to look at the motivations of nationstate actors, as well as criminal enterprises and just i would say over the last year, we have seen, on the nationstate side, broadly speaking, three kinds of access to information. surveillance, including of other governments, so, of course, they go to where the information is located, includ. the second, and i think traordi is we have seen fris pre-positioning of tunnels into our water system, our electrical grid, into the ai
2:26 pm
kind of thing you look at and one thing, and that is to have in war or hostilities. the third thing you see from nationstate's is something very unique to north korea. they have a very different approach to budgeting. they let ministries employ hackers, and e nistries work to steal money at the ministries get to keep the money that they get, so it's an that is the nationstate side. >> and, briefly, i want to ask one more question. >> on ransomware, it's all ouking money, unfortunately. >> i also want to take a moment ions that have been involved with you and a lot of other organizations. ened, does a lot of this rki want to uplift them as well. lastly, i wanted to mention, in the csrb report, there was a recommendation to teof amber a
2:27 pm
some type of notification system. we are all concerned about does microsoft support this recommendation, and can you exnd i was talking about this when you had to leave. i think itd be extraordinarily helpful for our entire industry, for everybody that uses technology, for consumers, in particular. i hope that we will find a way to work together to make it a >> thank you. i yield back. >> i now recogniz for five minutes of questioning being here today, and i appreciate your humbleness. this committee, cabinet members, tell us that the southern border, that they've got it under control. three years later, they sit right there and tell usthat more than 10 million people have illegally crossed the southern border, so you have rvedhow you
2:28 pm
presented yourself. as you may know, i services com and specifically, the cyber information technologies and innovationubittee. i'm aware of the dod cyber challenges and needs. the recent cyber attacks impacting microsoft demonstrate how vulnerabilities within a single vendor can be exploited to gain access sensitive information and systems. potentially, compromising national security. can you please explain, from your perspective, the risk posed by the dod's reliance on a single source vendor? >> i guess, the first i don't s dod moving to rely on anybody as a single source in the technology space. lot of compet that is alive and well at the dod. the other thing i would say is, just as there is risk one vendo
2:29 pm
are risks in relying on multiple vendors. i would still rely on i don't want anybody to be thinking i'm saying something i'm not, but what we call ent, meaning technology from lots of different create a diffenand people that can knit it altogether. the thing we should remember is that a lot of what the russian foreign intelligence agency does, or the g are military, they look for the seams, because those are the places that are easiest for them to get in. fundamentally, whether you have one vendor or several, e we all need to work together. and, just thank you. would you agree that the vendor responsible for developing and running hardware and software
2:30 pm
be the same e for testing security, conducting security audits, or reportin s >> to think a little bit about the precise formulation of your question. it's a very goi would say is, i think it is weho the focus on testing of solutions. it's almost the first principle in governance i would say, e,as someone responsible for a lot of the governance at microsoft. you want checks and balances. e want a separate group to be auditing and assessing, and i think that is true in the company. maybe even more necessary in a government. >> my colleague from new york touched on this. specifically, what are the security implications of china anhe actors having access into your network for so long, what is the threat of that? thank goodness it was
2:31 pm
discovered, but what is the threat that you see from th for long without being noticed? >> i would just like to qualify le because i noticed in some of the questions that were floating around this week, that people suggested that because the chinese had acquired this key in 2021, and we didn't find it they must've had access for two years. i think that, in fact, kept it in storage until they were ready to use it. knowing that once they did, it would likely be discovered quickly. >> thank you for that to l able to estion. access microsoft's corporate network today? >> no. not like anything before. we will do everything we can to ensure they don't get
2:32 pm
>> thank you. again, i thank you represented and your company today. mr. chairman, i yield back.> >> i now recognize mr. crane for five minutes of questioning. mr. chairman, mr. smith. k you for preparing and coming before the homeland security committee today. mr. smith, you are the president of microsoft, is that correct? >> that is correct. >> yo some leaks and vulnerabilities that miosoft about what they ar do to competitors are in this hearing room. is that correct? >> they can raise their has if you ask them. it's probably not the best use of time.■n >> would it be fair to say, mr. of being strong and d t critical today with some of your opponents or competitors the roomhear you. >> do you understand the
2:33 pm
appearance of and formidable today because some of your competitors are in >> i don't know if i would use the words strong or formidable. i think the reason we need to be responsible and resolute is because of our adversaries so m the industry. >> have you ever heard the saying that weakness is provocative? >> i have heard similar things. i don't know if i have heard that one in particular, but i understand it. >> you are running one of the most powerful corporations of the world, so i'm sure that is something that is not completely alien to, >> yeah. size brings power, but mostly what it brings is responsibility. i would much rather focus on thed >> fair enough. mr. smith, would you say ed states increased in the last couple of
2:34 pm
years? >> absolutely. >> didn't you say in your testimony that it felt like it was open season? >> yes, that. i think that is right. it is an open season on u.s. targets >> how many attacks are you seei each day, mr. smith? >> i had e itten testimony, whi more than 300 million per day. >> 300 million per day. wow. you understand that the scope of the homeland security tee is just cyber attacks, >> absolutely. >> good. are you aware, mr. smith, there st week that eight individuals to isis week in multiple u.s. cities? >> actually, i did not until you just told me. >> how about this one, mr. smith, are you aware of the reporting that russian shiples florida just this week as well?
2:35 pm
>> i d or read about that. >> one of my colleagues ask you, what we to help you? nobody really wat i will say it one of the things that we can do to have stronger leadership that is respected around the world. that is one of the big problems here, and everybody in this room knows that. one of the th the other thing i want to point out is, mr. smith, this is not an isolated incident, all of these increased cyber attacks that we are seeing. we are seeing attacks across the board and erit. we are seeing it at the border. we are seeing russian ship this week. eight individuals with affiliation to isis were and that's where i started my questioning with weakness is provocative, and if you knew what that meant and it >> yeah, i understand. let me just be clear, i have
2:36 pm
expertise in one field, not what it means in my field. we have said this for a long time in this country. peace through strength. there is something to that, and with the united states senses that we are weak, feckless, and we have weakedfess leadership, these are the types of things that we see. i'm hoping that not only this body of the american people can work together to get better because i know it's going to impact your business, and i want to say e you coming here today, taking ownership and responsibility, because as some of my colleagues have said, e s >> thank you, and let me i think this gets us through the entire committee. i would just underscore what i have tried ay we do understand the importance committee, with what csrb and cisa do.
2:37 pm
incredible job repr company, you do understand some running a coy it is only one thing real problem, you addressed it for thus far. let me thank you for that testimony and committing to participating in the ongoing oversight footprint in both government and critical infrastructure networks. it is our shared interest that the security issues raised by the csrb are addressed
2:38 pm
quickly, you have said that the main things have already been hearing is important to understand last summer's cyber incident and microsoft's approach to security. in my view, it is just the to ensure that the technology products used by the federal government are secure and federal vendors take the security obligations seriously. we have had that discussion in my i'm sure you have talked with other members about that. in th, i have a couple questino dacha kind of thing, if you yes or no, that is go, understand that too. will microsoft commit to being transparent with its customers, particularly the government, about vulnerabilities in its
2:39 pm
products including cloud products? >> the answer is yes, the only qualification i would offer ist share information with the right people and the and do it that it does not make the same sensitive information available to our adversaries. i'm sure we can do that. >> sure, classified setting, as with that. thank you. will microsoft commit to being transparent with its customers about cyber incidents including cause scope of impact, and any associ threation as before, i would add, we are wodo that a lot of what we are doing by adding to the chief information officer infrastructure, government officer, is ability
2:40 pm
to get out and share more information with >> thank you. will microsoft commit to establishing benchmarks and time frames for implementation of the csrb recommendations and secure future initiative and commit to proactively keeping this committee informed of ogre >> yes. >> will microsoft commit to performing an ongoing and transparent evaluation of risk associated with the business ventures in adversarial nations? >> yes, i think we >> i look fo committee's ongoing oversight and continued engagement with microsoft. one of the things we are tasked with is looking at keeping america safe bo and domestic adversaries. obviously's -- obviously, cyber
2:41 pm
major threat. but you have to talk to us. >> believe me, i will. just defined not just the mission but the cause. i think unites all of us. >> thank you, i yield back. >> the gentleman yields. smith, today and i will talk more for what i think was very cooperative collaborative good tone set of questions. important things to do here, ask questions of accountability and to determine the responsiveness of the company to the we also had to protect usys are watching be careful. i want to thin our
2:42 pm
office going over some of the stuff as well, i know yo yourself available to the ranking member and myself, really appreciate that. he asked most of my questions about transparency and things like that. i will just say this, sometimes government inpa that we talked about a couple times, several members brought it up, sometimes the and i want to ask that you educateas i will give you an example of the fcc ruling, i'm on the board of cybersecurity, it is a seven data fix breach, announcing to the world, four days we have a hole in the hole, we are inviting, this is government forcing companies across the
2:43 pm
that is a stupid regulation. we need help on understanding where the government also creates problems so i would appreciate anything that comes to mind, phone calls. one of the initiatives here, we talked about cyber workforce, one of ion of the regulations that are out there, make sure we are not implicit, contradictory, as i understand it, some regulations ask your company to help us and the competitors in the room to understand where the government cybersecurity. if we are causing you to have, that is m could be sent on. in this partnership, we need communication, not just issues each identified, how we ags better and work better on how we compliance
2:44 pm
requirements and things like r i thank the whispers valuable testimony. members of the by the w get one that will probably require classified mechanism and we can discuss with you and the staff how to best do that. we would ask that the witness respond to these questions in writing pursuant to rule 70rd held 10 days. without objection, the committee stands in adjournment. >> thank you,
2:46 pm
see superiorou criminal family tax a will be take place 5:30.m eastern. the house is in recess over the juneteenth holiday and 25th lawmakers wlontinue working on 2025 federalndg legislation when they return. live coverage of the house onn d all of our congressional uf c-n now or online at c-span.org. >> social security and medicare estimated to become insolvent by 2036. congress takes no action.
2:47 pm
gress could take to shore the tomorrow eastern our mobile be left or see been.org. >> c-span is on the field turner communications. ♪♪ connect a front row seat to the month is. >> u.s. supreme court and it down a decision to reverse trump eras span which
