William Hayden ’91 Senior Corporate Counsel, Microsoft
NORWICH RECORD | Winter 2022
In the past five or six years, I’ve focused on Microsoft’s cloud computing and space initiatives work with the U.S. government, and for DoD or the intelligence community, as well as on cybersecurity.
A couple of years ago, I had the opportunity to be a part of a Microsoft team that went to Kiev in Ukraine to interview elected officials from the parliament, as well as IT leaders in Kiev, around the cybersecurity attacks called NotPetya, which was an attack by Russia on the Ukraine in 2017. People may not be aware of what’s going on in Crimea and other parts of the eastern part of Ukraine. It’s not really a cold war; it’s not really a hot war either. But there are troop encampments along the eastern edge of Ukraine, and most Ukrainians feel as if they are at war with Russia. That NotPetya attack was interesting in how it impacted the economy and the people of Ukraine, the civilian population as well as military.
Here at home, one area that I really get concerned about is our critical infrastructure. If you look at the number of cyberattacks that have occurred over the past decade, there’s been a marked increase in those attacks. There are various threat vectors: You’ve got individuals, who are very smart, and they want to just create havoc. Then you’ve got people doing malicious things, who may be nation-state backed. And then there is the ransomware category where malicious actors are looking to cash in.
We must be mindful of two facts. One, there are always going to be criminal and bad actors out there who try and take advantage of us. Two, cyberattacks are an element of warfare now. As we saw with the SolarWinds attack last December, that was the Russian equivalent of the CIA putting malware into the [Texas-based company’s Orion software, which has 33,000 customers]. That can have ramifications across the energy sector, hospitals, and other critical infrastructure. With the Petya attacks (unrelated to “NotPetya”) in the United Kingdom, there were patients on the operating table scheduled for surgery. Doctors had to stop those surgeries because their hospital IT systems had been taken over by bad actors.
While positive steps are being taken, at any given moment we’re all at the mercy of state-sponsored groups or ransomware groups and hacktivists. Especially in this post-COVID environment, where we’ve been working from home, taking folks away from the secure environments they may have been in. We need to act immediately, and we need to be thoughtful and put the proper safeguards into effect. There have been some actions on the corporate side and on the government side. If you go back and look at critical infrastructure over the past three or four presidential administrations, there have been a number of presidential directives and mandates for the 13 or so sectors that the U.S. government designates as critical infrastructure. But if you look at what those different sectors have done, there’s no repeatable process being used across the board. Corrective action is retroactive. Once something occurs, then they go and address it. But there’s no holistic approach there.
We’ve got to think about it from two standpoints: One, a kind of traditional warfare scenario. But also two, how do we protect and ruggedize our critical infrastructure, so that we can keep the country going in the event of a widespread cyber event?
—As told to Sean Markey
A lawyer and retired Navy officer, William Hayden has worked at Microsoft Corp. since 2006. As a senior corporate counsel at the company, he provides strategic and legal advice to senior executives regarding cloud and artificial intelligence technologies supplied to the Defense Department and the intelligence community.