The most interesting man at Microsoft

A skier and racing driver who's broken 26 bones, as well as protector of one of the world's most valuable companies. Bret Arsenault has plenty to talk about.

Bret Arsenault took a sabbatical from Microsoft in late 2001 to join the endurance car racing circuit.

Photo: Courtesy of Bret Arsenault

Bret Arsenault doesn't like cheese.

But for Microsoft's chief information security officer, a distaste for dairy produce isn't born out of a limited diet from two months of stay-at-home orders. No: He grew up in a housing project, dependent on food assistance that included 5-pound blocks of "government cheese." Which, believe it or not, he says isn't very good.

It's a telling anecdote about how the trappings of success can mean less to someone who is amazed at how far he's come in life. Over several interviews with Protocol this year, Arsenault described how he grew up on government assistance. That experience pushed him to take work where he could find it, including stints as a janitor, a commercial fisherman and laying asphalt before getting into graphic design technology. Now, more than four decades later, Arsenault is entrusted with protecting the secrets of one of the world's most valuable companies.

This is his 30th year at Microsoft, two-thirds of the lifespan of one of tech's most iconic companies. He's worked on all sides of its security efforts, mapping its early network security strategy, defending company assets and helping to build security products for Microsoft's customers.

Now, he's in the middle of what he thinks could be his most ambitious and influential project: paving the way for Microsoft employees, and perhaps eventually Microsoft customers, to ditch one of the weakest links in security, the password. At one point Arsenault envisioned this strategy taking years to put into place at Microsoft, but the company's work-from-home edict during the pandemic accelerated the work to a point where he thinks almost all of the company's 150,000 employees will be passwordless by early next year.

It's a project that will free end users from having to manage often-complex password requirements and could provide a blueprint for Microsoft's enterprise software customers on how to implement similar approaches inside their own companies.

"One thing I'd say that has always kept me true north, and a good keel for me, is always understanding that someone is on the receiving end of what we build," he said.

S. "Soma" Somasegar, a longtime former colleague at Microsoft, agreed.

"He's got a unique blend of experiences in my mind. Even when he was in the product groups, and now as a CISO, he does a very good job of keeping his ears and eyes to the ground in terms of the pulse of the industry," said Somasegar, a partner with Seattle's Madrona Venture Group.

Microsoft comes knocking

Arsenault grew up splitting time between the Seattle area and northern New Hampshire, where in the late 1970s he attended a high school focused on winter sports like skiing and ice climbing. That high school also happened to have a PDP-11, a legendary minicomputer made by Digital Equipment Corp. that introduced him to programming.

After serious injuries derailed a budding career in ski racing, Arsenault wound up at The College of Idaho. He developed a taste for manipulating 3D objects on a screen using what were at the time incredibly complex algorithms, and he stuck around the college after graduation, working on advanced computer graphics projects.

"I was spinning logos and doing Escher-type things in 3D, and I was confused and thought I was an artist because I was the only person who could do it with math," he said. "But it turns out that taught me a big lesson, which is, there are people who make computers [that] enable other people to do what they're really good at. That doesn't mean you're really good at it."

Still, his graphics work was impressive enough to draw the attention of a young software startup on the east side of Lake Washington called Microsoft.

"I said, there's no way I'd work for a software company that small or that uninteresting, and not advanced in the tech space in terms of visualization and animation," he recalled with a wry chuckle. Arsenault wound up at the massive Pacific Northwest timber company, Weyerhaeuser, where he was promised a job working on cool animation research but wound up in charge of systems, networking and security because he was "a good computer person."

"I was pretty lucky," he said. "People always saw more in me than I did."

Three years later, Microsoft's networking team called him and asked to talk about why Weyerhaeuser was using Novell NetWare instead of Microsoft's LAN Manager, a similar product. Arsenault proceeded to rattle off a list of reasons why NetWare was a superior product, and while Microsoft didn't get the sale, they were impressed enough with Arsenault's insights to offer him a job fixing all the problems he identified.

All of Arsenault's hard work getting to this point — years of living in housing projects, scrambling to find jobs to improve his family's lives, and mastering the important technologies of his time — was about to pay off in a big way. And so, not one to turn down an excellent opportunity, in the middle of 1990, Bret Arsenault reluctantly agreed to cut off his ponytail — "I negotiated poorly," he joked, acceding to his boss' grooming requests for client-facing employees — and joined Microsoft.

The internet tidal wave

Almost five years later, Microsoft was at a crossroads, not the last of which it would encounter over the next several decades.

Inside the company, finishing touches were being added to Windows 95, which would become one of the most successful consumer technology launches in the history of the industry to that point. But a new technology threatened to change the playing field, and Microsoft co-founder and CEO Bill Gates was starting to grapple with the implications.

It was becoming clear to Microsoft and the rest of the tech industry that the internet was going to have an enormous impact on the future, but in the early 1990s, it wasn't clear exactly how the internet was going to work. There were a half-dozen networking protocols under discussion as proposed standards for allowing computers to talk to each other over a wide-area network, and as tends to happen in the engineering ranks, there was a lot of disagreement about the best path forward.

"People always saw more in me than I did."

Photo: Scott Ecklund/Red Box Pictures

Arsenault, still in Microsoft's networking group at the time, realized that one protocol was starting to take off: TCP/IP. Widely used across government systems in the 1980s, that protocol shipped with Microsoft's LAN Manager in 1990, and by the mid-'90s it was seeing a lot of uptake across Microsoft's customers, he said.

But Microsoft wasn't sold on TCP/IP for Windows 95. It didn't offer the bells and whistles of other protocols, Arsenault said, and one camp inside the company argued for a proprietary protocol stack that would be faster and better than TCP/IP.

In a meeting with key engineers and managers, including Gates, Arsenault recalls using a simple metaphor to argue in favor of his preference for using TCP/IP: "What was technically better: Beta or VHS? Beta was by far the better format over VHS. But the ubiquity and the simplicity of VHS, they won, right? It completely won in that environment."

The results of those discussions eventually turned into Gates' famous 1995 memo, in which he urged Microsoft employees and the industry in general to reexamine their thinking about technology in light of this new concept.

For his leadership in shaping Microsoft's networking strategy and subsequent network-security projects, Arsenault was awarded the Architectural Engineer Achievement Award by Gates, which came with a Rolex.

Arsenault actually gave that Rolex away. "I'm not a jewelry person," he said — a fairly amazing reaction from a person who says he will never forget a life where a Rolex only made an appearance in an ad from a magazine he couldn't afford.

But a colleague convinced him to keep it, saying, "Someday, you're going to have kids, and they're going to hear the story. They're going to want to see the watch." Arsenault managed to get the watch back from the person he gave it to, and says his daughter "now is very interested in it."

Security lessons from the track

With the networking question settled, Arsenault took a new role helping Microsoft customers understand the impact the internet would have on their own businesses. He quickly realized that there was a huge potential problem.

"The more connected you are, the higher probability of catastrophic failure in the system. Essentially, if you think of digital silk, and you pull a thread here, you can ruin the entire piece of silk," he said.

Just a few years later, software security would become an existential threat to Microsoft as criminals began to pull at many of those threads. But around that time, Arsenault was busy worrying about another threat: getting passed by the competition.

Scratching an itch dating back to his ski racing days, Arsenault took a sabbatical from Microsoft in late 2001 to join the endurance car racing circuit, competing in races on famous tracks such as Watkins Glen and Laguna Seca. He won a spot on the podium in several races — and learned some valuable lessons about security and management.

One insight: Powerful brakes can be much more valuable than a bigger engine. They allow drivers to enter a turn traveling as fast as possible while choosing a line that competitors can't match because they have to brake earlier to maintain control.

Security tools should operate the same way, Arsenault said. They should either allow the user to take action on their own when they see a problem, like brakes, or deploy automatically, like an airbag.

"The safest vehicles are the ones where you're unencumbered," he said in an interview at RSA in February. "The idea of an airbag, that's how security should be: The user should be unencumbered by it, but it should be omnipresent, omniprotective."

Racing also taught him the value of communication between teams. In racing, there are car people and there are drivers, he said, and they don't necessarily speak the same language. Likewise in tech, there are the people who use products and those who design them, and they don't always have the vocabulary to communicate effectively.

He recalled a frustrating conversation with a member of his racing crew who didn't want to accommodate a car-setup suggestion: "I said, 'I know I'm not the expert on this, but I'm the guy behind the wheel that's going to hit the wall, so try it?' And our lap times went down a second and a half, and I realized he was a frustrated driver as an engineer, but I didn't have the right language to speak to him."

Trustworthy computing

Arsenault realized fairly quickly that a long-term racing career probably wasn't the best fit for him, after understanding just how much fundraising work a driver outside of the major circuits is supposed to do on their own. Once you've spent a significant portion of your life working hard just to stay afloat, glad-handing sponsors can seem a little much. And at some point, breaking bones — Arsenault has damaged 26 so far in his life — starts to get old.

He returned to Microsoft in 2002 — an all-hands-on-deck moment for the company.

The "ILOVEYOU" virus in 2000 awakened enterprise tech administrators to the downsides of connectivity, and subsequent worms like Nimda, Blaster and Slammer underscored how Microsoft's software was the vector for many devastating attacks that cost customers time and money. Gates promised Microsoft customers in early 2002 that security had become the company's biggest priority. Then he had to make it happen.

Upon his return, Arsenault helped build Microsoft's first security incident response team, which helped customers deal with their own pressing security issues while product teams worked nonstop to plug holes in Windows and Internet Explorer.

"The idea of an airbag, that's how security should be: The user should be unencumbered by it but it should be omnipresent, omniprotective."

Photo: Courtesy of Bret Arsenault

This effort required a massive shift in thinking across multiple teams at Microsoft, and battleships don't turn on a dime, he said.

"At first you don't realize you have a problem," he said. "Then you realize you have a problem, you have your wake-up call, which is Sasser, Blaster and Slammer. Then you try to solve it, but you try to solve it with org, and so you build the security division. And then finally you realize you should solve it with culture."

That process led to a realization: Microsoft's customers wanted it to get into the security business and build products that could protect them in the new era of cyberthreats.

"The people in my position and worse, people in small and medium businesses who don't have teams [like his] can't sustain it, they can't protect themselves in that environment," he said. "And so then it was like, 'Hey, this is another good opportunity to start bundling and integrate things, because it's not sustainable.'"

Arsenault's ability to see around corners and communicate effectively with his teams has made him one of Microsoft's best managers, said Lisa Reshaur, general manager in Microsoft's Digital Security and Risk Engineering team.

"He's wicked smart, and extremely affable," she said. "That makes him the kind of person you're going to want to work for, you're going to learn something, and you're going to like working for him."

Arsenault's life experiences played a big role in shaping his approach to managing people.

"Seeing the potential in people in technology is the most important quality in leadership," he said. That's especially true, he noted, for a sector like security, where there is a severe talent shortage, and where people from diverse backgrounds outside of computer science can thrive.

Shut the networks down

Fast forward more than a decade, and Arsenault is in charge of protecting all of Microsoft's assets from threats that have only grown in sophistication and severity. Early one morning in 2017, he got a call from one of his team members who was on duty in the company's incident response center.

Microsoft's systems had noticed some unusual activity in Ukraine, but it was difficult to tell exactly what was happening. Arsenault recalled saying: "If you didn't think it was serious, you wouldn't have called me." He hung up and tried to go back to sleep, but he kept thinking.

A few minutes later, he called that team member back with a simple but shocking command: "Shut the networks down. I want Ukraine completely isolated from everything we do," he said.

It was a sweeping order: It was right around the close of the quarter, and while Ukraine wasn't Microsoft's biggest market, it wasn't insignificant, so a misstep could have proven costly. Arsenault reassured the team member that he would take responsibility, and the order was carried out.

As it turns out, Microsoft had detected some of the first signs of the NotPetya worm, one of the most devastating attacks in recent history that cost companies hundreds of millions of dollars in lost data, systems and time to recover. The attack took advantage of a flaw in Ukraine's tax collection software, which any company doing business in Ukraine was required to use.

This was a massive attack: Shipping giant Maersk almost lost all of its data, saved only by a fortuitous power outage in Ghana that knocked a local server offline just as the worm was spreading throughout its network. A few months later, Maersk became a Microsoft Azure customer.

Ditch your passwords

Arsenault won't say for sure how much longer he plans to be at Microsoft. But he is consumed with his latest project: What if Microsoft eliminated passwords without compromising security?

Lots of companies have talked about ditching the password for years, and with good reason: It's one of the weakest links in the security chain. For some time it seemed like two-factor authentication — something you know, like a password, and something you have, like a smartphone — was the best way to go.

But Arsenault thinks two-factor authentication was rolled out without as much thought about the user experience as he'd like. "We took our classic approach to solving it: We jam to fit down everyone's throat with those smart cards and smart card readers and everything else," Arsenault said. Two-factor authentication systems have also been shown to have their own security weaknesses.

Ideally, authentication methods, such as biometrics, would become the norm for accessing corporate networks with personal devices, hopes Arsenault, because they create less friction for users, and they're far harder for criminals to surmount. But that's only the beginning of the work for system administrators who transition to biometrics and other password-free identifiers; they also have to overhaul the authentication software that runs the back end of the login system. That sounds straightforward until you learn that the average enterprise has hundreds of internal applications that depend on that core authentication system.

"Simplicity is security's best friend."

Photo: Scott Ecklund/Red Box Pictures

Still, Arsenault believes the effort would be worth it.

"You end up with a system that users love and security professionals trust or IT departments trust," he said. "But the existing infrastructure will take a long time to go all key-based everything — there's just so many applications."

Microsoft's own password-free system was supposed to be ready by the middle of 2021. But many of its employees were abruptly forced to work from home in early March thanks to widespread stay-at-home orders in Washington and California, and suddenly had to conduct sensitive company business on home PCs. Arsenault decided to start rolling out the passwordless technology to some staff early — and so far, it's gone smoothly. He expects many of the company's 150,000 employees to be using it by early next year.

"I think that this has shown people that internet-first is the right way to go," Arsenault said. "And it also makes things simpler, right? I mean, simplicity is security's best friend."

The long and winding road

During the 30 years that Arsenault has spent at Microsoft, technology has changed dramatically — from an important but nerdy sector of the economy to the driving force behind almost all business and cultural activity in 2020. At times, Microsoft drove that shift; at others, it was basically irrelevant, as other players swept past it with better ideas, products and execution.

Aside from his flirtation with the track, Arsenault only seriously considered leaving Microsoft once: about seven years ago, arguably the nadir of Microsoft's post-antitrust decline when it was clear that Apple and Google had cornered the market on the next generation of personal computing.

"I didn't feel that we were going far enough on what we needed to go do for security. We had the right things, but we just weren't progressing in getting it integrated in the culture fast enough," he said.

But that was right around the time when Microsoft had announced that then-CEO Steve Ballmer would be retiring over the next year, and the company embarked on a leak-filled search for its next CEO. Satya Nadella had yet to emerge as the clear front-runner for the job, but he had a lot of support internally as one of the driving forces behind Microsoft's transition to cloud computing.

"I was really rooting for a different CEO at the time, because I wanted someone who could make that change," Arsenault said. "And I think Steve was a brilliant, wonderful man. But the idea of having someone who could speak the language and come from the engineering environment, yet have such a culturally different view, and go change the people in the leadership team and really reorient the thinking …" Arsenault trailed off there. But his tone suggested: Well, that would all be super cool.

Seven years later, Microsoft is one of the world's most valuable companies and has reasserted itself as one of the primary voices in technology.

"I'm literally amazed at what's happened in the last four or five years," he said. "Not technically — I mean, it's amazing, the cloud and everything else — it is just more of the culture part that is just mind numbing to me. That by just changing the culture, you could get so much more out of an organization. The customers who use our products are in so much of a better place today than they were before."

Adam Janofsky contributed reporting to this story.
