The most interesting man at Microsoft

Bret Arsenault doesn't like cheese.

But for Microsoft's chief information security officer, a distaste for dairy produce isn't born out of a limited diet from two months of stay-at-home orders. No: He grew up in a housing project, dependent on food assistance that included 5-pound blocks of "government cheese." Which, believe it or not, he says isn't very good.

It's a telling anecdote about how the trappings of success can mean less to someone who is amazed at how far he's come in life. Over several interviews with Protocol this year, Arsenault described how he grew up on government assistance. That experience pushed him to take work where he could find it, including stints as a janitor, a commercial fisherman and laying asphalt before getting into graphic design technology. Now, more than four decades later, Arsenault is entrusted with protecting the secrets of one of the world's most valuable companies.

This is his 30th year at Microsoft, two-thirds of the lifespan of one of tech's most iconic companies. He's worked on all sides of its security efforts, mapping its early network security strategy, defending company assets and helping to build security products for Microsoft's customers.

Now, he's in the middle of what he thinks could be his most ambitious and influential project: paving the way for Microsoft employees, and perhaps eventually Microsoft customers, to ditch one of the weakest links in security, the password. At one point Arsenault envisioned this strategy taking years to put into place at Microsoft, but the company's work-from-home edict during the pandemic accelerated the work to a point where he thinks almost all of the company's 150,000 employees will be passwordless by early next year.

It's a project that will free end users from having to manage often-complex password requirements and could provide a blueprint for Microsoft's enterprise software customers on how to implement similar approaches inside their own companies.

"One thing I'd say that has always kept me true north, and a good keel for me, is always understanding that someone is on the receiving end of what we build," he said.

S. "Soma" Somasegar, a longtime former colleague at Microsoft, agreed.

"He's got a unique blend of experiences in my mind. Even when he was in the product groups, and now as a CISO, he does a very good job of keeping his ears and eyes to the ground in terms of the pulse of the industry," said Somasegar, a partner with Seattle's Madrona Venture Group.

Microsoft comes knocking

Arsenault grew up splitting time between the Seattle area and northern New Hampshire, where in the late 1970s he attended a high school focused on winter sports like skiing and ice climbing. That high school also happened to have a PDP-11, a legendary minicomputer made by Digital Equipment Corp. that introduced him to programming.

After serious injuries derailed a budding career in ski racing, Arsenault wound up at The College of Idaho. He developed a taste for manipulating 3D objects on a screen using what were at the time incredibly complex algorithms, and he stuck around the college after graduation, working on advanced computer graphics projects.

"I was spinning logos and doing Escher-type things in 3D, and I was confused and thought I was an artist because I was the only person who could do it with math," he said. "But it turns out that taught me a big lesson, which is, there are people who make computers [that] enable other people to do what they're really good at. That doesn't mean you're really good at it."

I said, there's no way I'd work for a software company that small or that uninteresting.

Still, his graphics work was impressive enough to draw the attention of a young software startup on the east side of Lake Washington called Microsoft.

"I said, there's no way I'd work for a software company that small or that uninteresting, and not advanced in the tech space in terms of visualization and animation," he recalled with a wry chuckle. Arsenault wound up at the massive Pacific Northwest timber company, Weyerhaeuser, where he was promised a job working on cool animation research but wound up in charge of systems, networking and security because he was "a good computer person."

"I was pretty lucky," he said. "People always saw more in me than I did."

Three years later, Microsoft's networking team called him and asked to talk about why Weyerhaeuser was using Novell NetWare instead of Microsoft's LAN Manager, a similar product. Arsenault proceeded to rattle off a list of reasons why NetWare was a superior product, and while Microsoft didn't get the sale, they were impressed enough with Arsenault's insights to offer him a job fixing all the problems he identified.

All of Arsenault's hard work getting to this point — years of living in housing projects, scrambling to find jobs to improve his family's lives, and mastering the important technologies of his time — was about to pay off in a big way. And so, not one to turn down an excellent opportunity, in the middle of 1990, Bret Arsenault reluctantly agreed to cut off his ponytail — "I negotiated poorly," he joked, acceding to his boss' grooming requests for client-facing employees — and joined Microsoft.

The internet tidal wave

Almost five years later, Microsoft was at a crossroads, not the last of which it would encounter over the next several decades.

Inside the company, finishing touches were being added to Windows 95, which would become one of the most successful consumer technology launches in the history of the industry to that point. But a new technology threatened to change the playing field, and Microsoft co-founder and CEO Bill Gates was starting to grapple with the implications.

It was becoming clear to Microsoft and the rest of the tech industry that the internet was going to have an enormous impact on the future, but in the early 1990s, it wasn't clear exactly how the internet was going to work. There were a half-dozen networking protocols under discussion as proposed standards for allowing computers to talk to each other over a wide-area network, and as tends to happen in the engineering ranks, there was a lot of disagreement about the best path forward.

"People always saw more in me than I did." Photo: Scott Ecklund/Red Box Pictures

Arsenault, still in Microsoft's networking group at the time, realized that one protocol was starting to take off: TCP/IP. Widely used across government systems in the 1980s, that protocol shipped with Microsoft's LAN Manager in 1990, and by the mid-'90s it was seeing a lot of uptake across Microsoft's customers, he said.

But Microsoft wasn't sold on TCP/IP for Windows 95. It didn't offer the bells and whistles of other protocols, Arsenault said, and one camp inside the company argued for a proprietary protocol stack that would be faster and better than TCP/IP.

In a meeting with key engineers and managers, including Gates, Arsenault recalls using a simple metaphor to argue in favor of his preference for using TCP/IP: "What was technically better: Beta or VHS? Beta was by far the better format over VHS. But the ubiquity and the simplicity of VHS, they won, right? It completely won in that environment."

The results of those discussions eventually turned into Gates' famous 1995 memo, in which he urged Microsoft employees and the industry in general to reexamine their thinking about technology in light of this new concept.

For his leadership in shaping Microsoft's networking strategy and subsequent network-security projects, Arsenault was awarded the Architectural Engineer Achievement Award by Gates, which came with a Rolex.

Arsenault actually gave that Rolex away. "I'm not a jewelry person," he said — a fairly amazing reaction from a person who says he will never forget a life where a Rolex only made an appearance in an ad from a magazine he couldn't afford.

But a colleague convinced him to keep it, saying, "Someday, you're going to have kids, and they're going to hear the story. They're going to want to see the watch." Arsenault managed to get the watch back from the person he gave it to, and says his daughter "now is very interested in it."

Security lessons from the track

With the networking question settled, Arsenault took a new role helping Microsoft customers understand the impact the internet would have on their own businesses. He quickly realized that there was a huge potential problem.

"The more connected you are, the higher probability of catastrophic failure in the system. Essentially, if you think of digital silk, and you pull a thread here, you can ruin the entire piece of silk," he said.

Just a few years later, software security would become an existential threat to Microsoft as criminals began to pull at many of those threads. But around that time, Arsenault was busy worrying about another threat: getting passed by the competition.

Scratching an itch dating back to his ski racing days, Arsenault took a sabbatical from Microsoft in late 2001 to join the endurance car racing circuit, competing in races on famous tracks such as Watkins Glen and Laguna Seca. He won a spot on the podium in several races — and learned some valuable lessons about security and management.

The idea of an airbag, that's how security should be.

One insight: Powerful brakes can be much more valuable than a bigger engine. They allow drivers to enter a turn traveling as fast as possible while choosing a line that competitors can't match because they have to brake earlier to maintain control.

Security tools should operate the same way, Arsenault said. They should either allow the user to take action on their own when they see a problem, like brakes, or deploy automatically, like an airbag.

"The safest vehicles are the ones where you're unencumbered," he said in an interview at RSA in February. "The idea of an airbag, that's how security should be: The user should be unencumbered by it, but it should be omnipresent, omniprotective."

Racing also taught him the value of communication between teams. In racing, there are car people and there are drivers, he said, and they don't necessarily speak the same language. Likewise in tech, there are the people who use products and those who design them, and they don't always have the vocabulary to communicate effectively.

He recalled a frustrating conversation with a member of his racing crew who didn't want to accommodate a car-setup suggestion: "I said, 'I know I'm not the expert on this, but I'm the guy behind the wheel that's going to hit the wall, so try it?' And our lap times went down a second and a half, and I realized he was a frustrated driver as an engineer, but I didn't have the right language to speak to him."

Trustworthy computing

Arsenault realized fairly quickly that a long-term racing career probably wasn't the best fit for him, after understanding just how much fundraising work a driver outside of the major circuits is supposed to do on their own. Once you've spent a significant portion of your life working hard just to stay afloat, glad-handing sponsors can seem a little much. And at some point, breaking bones — Arsenault has damaged 26 so far in his life — starts to get old.

He returned to Microsoft in 2002 — an all-hands-on-deck moment for the company.

The "ILOVEYOU" virus in 2000 awakened enterprise tech administrators to the downsides of connectivity, and subsequent worms like Nimda, Blaster and Slammer underscored how Microsoft's software was the vector for many devastating attacks that cost customers time and money. Gates promised Microsoft customers in early 2002 that security had become the company's biggest priority. Then he had to make it happen.

Upon his return, Arsenault helped build Microsoft's first security incident response team, which helped customers deal with their own pressing security issues while product teams worked nonstop to plug holes in Windows and Internet Explorer.

"The idea of an airbag, that's how security should be: The user should be unencumbered by it but it should be omnipresent, omniprotective."Photo: Courtesy of Bret Arsenault

This effort required a massive shift in thinking across multiple teams at Microsoft, and battleships don't turn on a dime, he said.

"At first you don't realize you have a problem," he said. "Then you realize you have a problem, you have your wake-up call, which is Sasser, Blaster and Slammer. Then you try to solve it, but you try to solve it with org, and so you build the security division. And then finally you realize you should solve it with culture."

That process led to a realization: Microsoft's customers wanted it to get into the security business and build products that could protect them in the new era of cyberthreats.

"The people in my position and worse, people in small and medium businesses who don't have teams [like his] can't sustain it, they can't protect themselves in that environment," he said. "And so then it was like, 'Hey, this is another good opportunity to start bundling and integrate things, because it's not sustainable.'"

Arsenault's ability to see around corners and communicate effectively with his teams has made him one of Microsoft's best managers, said Lisa Reshaur, general manager in Microsoft's Digital Security and Risk Engineering team.

"He's wicked smart, and extremely affable," she said. "That makes him the kind of person you're going to want to work for, you're going to learn something, and you're going to like working for him."

Arsenault's life experiences played a big role in shaping his approach to managing people.

"Seeing the potential in people in technology is the most important quality in leadership," he said. That's especially true, he noted, for a sector like security, where there is a severe talent shortage, and where people from diverse backgrounds outside of computer science can thrive.

Shut the networks down

Fast forward a more than a decade, and Arsenault is in charge of protecting all of Microsoft's assets from threats that have only grown in sophistication and severity. Early one morning in 2017, he got a call from one of his team members who was on duty in the company's incident response center.

Microsoft's systems had noticed some unusual activity in Ukraine, but it was difficult to tell exactly what was happening. Arsenault recalled saying: "If you didn't think it was serious, you wouldn't have called me." He hung up and tried to go back to sleep, but he kept thinking.

If you didn't think it was serious, you wouldn't have called me.

A few minutes later, he called that team member back with a simple but shocking command: "Shut the networks down. I want Ukraine completely isolated from everything we do," he said.

It was a sweeping order: It was right around the close of the quarter, and while Ukraine wasn't Microsoft's biggest market, it wasn't insignificant, so a misstep could have proven costly. Arsenault reassured the team member that he would take responsibility, and the order was carried out.

As it turns out, Microsoft had detected some of the first signs of the NotPetya worm, one of the most devastating attacks in recent history that cost companies hundreds of millions of dollars in lost data, systems and time to recover. The attack took advantage of a flaw in Ukraine's tax collection software, which any company doing business in Ukraine was required to use.

This was a massive attack: Shipping giant Maersk almost lost all of its data, saved only by a fortuitous power outage in Ghana that knocked a local server offline just as the worm was spreading throughout its network. A few months later, Maersk became a Microsoft Azure customer.

Ditch your passwords

Arsenault won't say for sure how much longer he plans to be at Microsoft. But he is consumed with his latest project: What if Microsoft eliminated passwords without compromising security?

Lots of companies have talked about ditching the password for years, and with good reason: It's one of the weakest links in the security chain. For some time it seemed like two-factor authentication — something you know, like a password, and something you have, like a smartphone — was the best way to go.

But Arsenault thinks two-factor authentication was rolled out without as much thought about the user experience as he'd like. "We took our classic approach to solving it: We jam to fit down everyone's throat with those smart cards and smart card readers and everything else," Arsenault said. Two-factor authentication systems have also been shown to have their own security weaknesses, too.

Ideally, authentication methods, such as biometrics, would become the norm for accessing corporate networks with personal devices, hopes Arsenault, because they create less friction for users, and they're far harder for criminals to surmount. But that's only the beginning of the work for system administrators who transition to biometrics and other password-free identifiers; they also have to overhaul the authentication software that runs the back end of the login system. That sounds straightforward until you learn that the average enterprise has hundreds of internal applications that depend on that core authentication system.

"Simplicity is security's best friend."Photo: Scott Ecklund/Red Box Pictures

Still, Arensault believes the effort would be worth it.

"You end up with a system that users love and security professionals trust or IT departments trust," he said. "But the existing infrastructure will take a long time to go all key-based everything — there's just so many applications."

Microsoft's own password-free system was supposed to be ready by the middle of 2021. But many of its employees were abruptly forced to work from home in early March thanks to widespread stay-at-home orders in Washington and California, and suddenly had to conduct sensitive company business on home PCs. Arsenault decided to start rolling out the passwordless technology to some staff early — and so far, it's gone smoothly. He expects many of the company's 150,000 employees to be using it by early next year.

"I think that this has shown people that internet-first is the right way to go," Arsenault said. "And it also makes things simpler, right? I mean, simplicity is security's best friend."

The long and winding road

During the 30 years that Arsenault has spent at Microsoft, technology has changed dramatically — from an important but nerdy sector of the economy to the driving force behind almost all business and cultural activity in 2020. At times, Microsoft drove that shift; at others, it was basically irrelevant, as other players swept past it with better ideas, products and execution.

Aside from his flirtation with the track, Arsenault only seriously considered leaving Microsoft once: about seven years ago, arguably the nadir of Microsoft's post-antitrust decline when it was clear that Apple and Google had cornered the market on the next generation of personal computing.

"I didn't feel that we were going far enough on what we needed to go do for security. We had the right things, but we just weren't progressing in getting it integrated in the culture fast enough," he said.

But that was right around the time when Microsoft had announced that then-CEO Steve Ballmer would be retiring over the next year, and the company embarked on a leak-filled search for its next CEO. Satya Nadella had yet to emerge as the clear front-runner for the job, but he had a lot of support internally as one of the driving forces behind Microsoft's transition to cloud computing.

I'm literally amazed at what's happened in the last four or five years.

"I was really rooting for a different CEO at the time, because I wanted someone who could make that change," Arsenault said. "And I think Steve was a brilliant, wonderful man. But the idea of having someone who could speak the language and come from the engineering environment, yet have such a culturally different view, and go change the people in the leadership team and really reorient the thinking …" Arsenault trailed off there. But his tone suggested: Well, that would all be super cool.

Seven years later, Microsoft is one of the world's most valuable companies and has reasserted itself as one of the primary voices in technology.

"I'm literally amazed at what's happened in the last four or five years," he said. "Not technically — I mean, it's amazing, the cloud and everything else — it is just more of the culture part that is just mind numbing to me. That by just changing the culture, you could get so much more out of an organization. The customers who use our products are in so much of a better place today than they were before."

Adam Janofsky contributed reporting to this story.