SCOTT SIMON, HOST:
We're only beginning to understand the gravity of an attack that began as early as March when hackers seeded malware into computer systems used by governments across the globe and the world's biggest businesses. Recent assessments by federal officials trail those of companies, including Microsoft, which says the number of victims will, quote, "rise substantially."
The president of Microsoft is Brad Smith, and he joins us now from Redmond, Wash. Thanks so much for being with us.
BRAD SMITH: Thank you.
SIMON: Based on what you've learned, how serious, deep and far-reaching is this attack?
SMITH: Well, I think this is one of the most serious cyberattacks we've seen in the past decade. This actor put malware into legitimate software that was then distributed to roughly 18,000 customers around the world - governments, companies and the like. Already we've identified more than 40 organizations, 80% of them in the United States, where they followed up, penetrated the networks, took additional steps. And as you indicated, that number is going to continue to rise.
SIMON: Who's responsible? Do you know?
SMITH: What everyone is pointing towards right now is an intelligence agency in Russia. We have not seen any evidence that goes in a different direction, but I think it's a little too early to declare a verdict in the case.
SIMON: We know hackers targeted SolarWinds, the Texas company that makes widely used network monitoring software. May we ask, were any Microsoft products compromised, directly or indirectly?
SMITH: We have not found any evidence that any Microsoft products or services were compromised, used to attack anyone else or put at risk any of our customers.
SIMON: Do you feel that this administration's policy towards Russia, which I'll just describe as accommodating, somehow invited this attack?
SMITH: What I would say is this. This has become an issue of national importance that will benefit from strong presidential leadership, whether we're talking about the next four weeks or the next four years. This is really a moment of reckoning. It highlights weaknesses in the nation's defenses. It shows us where we need to strengthen our laws. It indicates where we need strong collaboration with America's allies to hold these kinds of nation-state attackers accountable.
SIMON: And how do you hold them accountable, Mr. Smith?
SMITH: Well, I think that it starts with clear public attribution. And then it needs to be followed by consequences. There are many tools, from economic sanctions to deterrence measures. We saw, especially in the federal government, great leadership to protect our elections. Now let's apply that to these other cybersecurity issues, as well.
SIMON: When you mentioned the possibility of economic sanctions, what kind? And would Microsoft be willing to jeopardize its own market position in Russia and China?
SMITH: The U.S. government has imposed economic sanctions against actors in Russia over the past several years. It has done so with respect to other countries, as well. And what I think it recognizes quite rightly is that the nation's interest needs to come first. Any day we have to sacrifice a part of our business to serve the country is, I think, a day where we should absolutely do what needs to be done. The course is clear.
SIMON: Let me read you words from President-elect Biden, who said, quote, "a good defense isn't enough. We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place." Is the president-elect suggesting the best defense is a good offense?
SMITH: I think the suggestion here is probably that one part of an effective defense is the ability to play offense. In a sense, this is like every other part of national security and national defense. You always want, I believe, to have a variety of tools, and then we need wise decision-making that will put those tools to use in the most effective way possible.
SIMON: I think anyone hearing our conversation, Mr. Smith, is inevitably going to be struck by the fact that you're using those terms, national security and national defense, as opposed to just economic security.
SMITH: I believe that when you see an attack like the one that we are currently witnessing, one that is not yet over, this is an economic issue, but it is more than that. It is a threat to the national security of the country as a whole. And we need to respond to it with the level of urgency that that requires.
SIMON: Brad Smith is president of Microsoft, a technology firm based in Washington state, I believe. Thanks so much for being with us, Mr. Smith.
SMITH: Well, thank you. Yes, it's - I am in Washington state, where it is, as it's always is this time of year, quite rainy.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.