
How Microsoft Is Redefining Global Cyber Defense
Ann Johnson: Welcome to "Afternoon Cyber Tea". I am your host, Ann Johnson. On "Afternoon Cyber Tea", we focus on where innovation and security intersect. From the front lines of digital defense, to the groundbreaking advancements shaping our digital future. We bring the latest insights, expert interviews, and captivating stories to help cyber leaders and defenders stay one step ahead. [ Music ] Today I'm excited to be joined by a wonderful Microsoft colleague, Amy Hogan-Burney, Corporate Vice President of Customer Security and Trust at Microsoft, where she leads global efforts to protect customers and build digital trust. A former FBI and DOJ attorney, Amy brings deep legal and cybersecurity expertise to her work disrupting cybercrime and shaping global security policy. Among her many accomplishments under her leadership, Microsoft has taken decisive action against major cybercrime networks, dismantling botnets and cutting off malicious infrastructure, which is just amazing for a company like Microsoft. Welcome to "Afternoon Cyber Tea", Amy.
Amy Hogan-Burney: Thank you. I'm super happy to be here.
Ann Johnson: Amy, you've had this remarkable journey in cybersecurity, from legal leadership in the US Department of Justice, to your current role leading the Customer Trust and Security Organization at Microsoft, which includes our phenomenal Digital Crimes Unit. Let's start with your personal path. How did you get started in cybersecurity and what has kept you engaged?
Amy Hogan-Burney: The answer, Ann, is I'm in cybersecurity by accident. I went to law school because I was an engineer and I thought I wanted to be a patent attorney. I was convinced that I was going to use my engineering degree and be a patent lawyer. And my first job was as a patent attorney. And I deeply respect all patent lawyers and I mean no offense when I say this. I was so bored. I just could not do it, and so I had to figure out what to do instead. And every lawyer who is listening to this will know that when you don't know what to do when you are a lawyer, you go and you be a law clerk. So, you go to try to figure it out. So, I went and I was a law clerk, first in DC at DC Superior Court, and then in the Court of Federal Claims where I worked on spent nuclear fuel cases, which we do not need to discuss at all. But working on spent nuclear fuel cases led me to a job at the FBI. And for anyone who has ever held a security clearance, you know that it takes about a year to get a full detailed security clearance the first time. And the job that I originally got at the FBI was supposed to be in working on weapons of mass destruction, because I knew a lot about nuclear fuel. And by the time I got there, it was gone. And so what happened is then as I rotated through lots of jobs, including a job at DOJ that involved cyber, and that just started a journey across all cyber work. And so I'm very fortunate that I accidentally stumbled into cyber because it just became my calling. And that's how I ended up here at Microsoft.
Ann Johnson: That's amazing. I love, you and I, I think, have talked about this. I have a really good friend who's a patent attorney. And with all due respect to patent attorneys, when he starts talking, my eyes do glaze over a little at a certain point in time. I'm like, Okay, good, good. I'm glad there are professionals that actually really value being in that field because we need them, right?
Amy Hogan-Burney: They're super smart. They're the smartest people I know. I value them so much. But it's a, it's a very solitary pursuit for most folks. And it was just, it was not for me.
Ann Johnson: Yeah, exactly. And that's, respect. Respect for them. It wouldn't have been for me, either. So as you look back over your career, the cyber industry has certainly evolved dramatically. I would love your take on the transformation since the beginning. What has changed the most? What also do you think has persisted?
Amy Hogan-Burney: You know, I think one of the things that's changed the most is just how fast we are moving. When I first started, our cases, particularly in the digital crimes space, and even with nation-state actors, our cases were and the infrastructure were located in the United States. We would do a disruption action, and we would do one case and we would disrupt the actor and it would be in the US. We would seize the infrastructure, and we would do a full disruption and we would be done and we would know we would identify all the victims and then we would move on to the next case. And that's just not the way it works now. We have these, the scope and the scale of the networks is much bigger. The disruptions, we call them advanced persistence disruptions now. There's no way that we are disrupting these networks in totality. We have to think completely differently about how we are working. And this is true, not just from a disruption perspective, but it's also true from a network protection perspective. We cannot possibly think in the same way that we used to because of the scope and the scale that we have. So, I just think we have to be completely different than we used to be because of that scope and scale. And so I think that's kind of the difference. What's the same? The same is the human element. And I say that from two aspects. One is we still have people involved in cybersecurity. And what I mean by that is social engineering is still one of the biggest problems, one of the biggest ways that cyber criminals and nation-state actors get into systems. We still have problems with people clicking on phishing links, and they still use that as one of the biggest attack vectors. And human element is still incredibly necessary in our workforce. And we still have to make sure that we have the right skills, the right people in place, and that we take care of our workforce.
Ann Johnson: I think that's exactly right. The global scale of attacks is something that we're certainly seeing increasing. But there always will be a human element in cybersecurity. And we talk a lot about nation-state, but cybercrime is actually a higher percentage type of attack. And that's very human network oriented. And mostly, as you know, for monetary gain, which brings me to your team generates, and I want to give you full credit for this because folks don't always know where it comes from, but your team works very hard to publish the Microsoft Digital Defense Report. We just published the 6th annual edition, and this is really a cornerstone for the industry. People wait for it, for the security thought leadership and the statistics, and the metrics, and our, just our overall view of the landscape. Why do you think it's so important for Microsoft to publish this report every year, and what do we hope that the audiences will take away from it?
Amy Hogan-Burney: Yes. You know, and this, as you mentioned, it's the sixth report. When you do five reports, you're like, This is great. We're so excited to do our fifth report. When you get to the sixth report, you have to actually start to reflect on why are we doing this? Because your number six is like, Okay, should we really keep going here? And I will tell you, we were really reflective this time on what is the reason that we are doing this report? Why is it necessary? And I think for this report, we really felt like as AI is advancing, it is more important than ever that people understand that the basics for hardening your system and for being resilient are more important than they have ever been. Because of the advances that we are seeing, you must take all necessary steps right now. And we have been on such an incredible journey and we are so fortunate as a company to have the investment that we do, both, you know, really at the corporate level. Our SLT is directly involved in cybersecurity, really, frankly, on a daily basis. Our Board is directly engaged in our security. And so we have the ability to share all of the work we've done over the last several years. And so we come from a privileged position. And I think we sat back and thought, We need to share all of our learnings. We need to make certain that we kind of distill this into a usable format for everyone because it is more important than it ever has been that everyone be prepared this year. And so I think the top 10 recommendations from the report are just essential this year. And we tried to streamline it. In the past, we've put lots of different information. We've been really creative with the report. I think this year you'll see the report's not that creative, and that's purposeful. It is very streamlined. It's very targeted at being active. What can you actively do? What can you take from the report and really use the recommendations? 
And so my hope for this MDDR is that everyone will take the report, they will use it. And a year from now, it'll be like a checklist. And I will talk to everyone and they will have done the recommendations. They will use it like a roadmap. And then when we check in again, that the data from the report will have changed. So, I'm hoping that a year from now, we actually see differences in the data, and that we see changes and that actually everyone does talk to people at the board level. That we do have people actively working to defend their perimeter, that we really have people prepare for the regulatory changes that are coming, and that really we have the basics done because of the advances that we are seeing in AI.
Ann Johnson: That's really comprehensive. Thank you, seriously, for being so specific in the answer. And I want to keep going for a minute. I want to talk about the landscape from the perspective of international collaboration in cyber. From a practical operational partnership standpoint, can you give us your point of view on what international collaboration is and why it is so important?
Amy Hogan-Burney: Yes, I mean, I think there's so many ways that it's so important, but I think I'll start with an example or a few examples from the Digital Crimes Unit. So, for the listeners that don't know, Microsoft's Digital Crimes Unit has been around for more than a decade, and the Digital Crimes Unit actually proactively brings cases to seize criminal infrastructure, so to basically take the servers to take the domains in order to identify victims. But they can't do everything, and they can't do it alone. And so they oftentimes partner with law enforcement around the world. And so it's one of the most important things that we do. And so most recently, they partnered with the Japan Cybercrime Control Center and with the Indian federal law enforcement. And they were able to disrupt a widespread tech support scam that originated from Indian call centers. And this one is really important because it targets older individuals in Japan. And there's nothing worse I think than going after the most vulnerable populations, where we had generative AI was used to impersonate Microsoft and mass-produce malicious pop-ups. And they specifically profiled older victims who would be more susceptible to this. And it translated the content into Japanese. And really, we're seeing this happen more often. Where it used to be limited to English language. We're seeing it in other languages. We're seeing the mass generation of this content. And I think the Digital Crimes Unit looking for creative ways to partner with law enforcement and to look for ways to protect the most vulnerable is incredibly important. So in May of this year, there were six arrests, which we can't do on our own, the shutdown of two illegal call centers, and the takedown of a fraud center, and the repatriation of $1.3 million, which can be given back to victims.
So, with statistics like that, and those partnerships, I think that's a great example of how we can help to protect those victims and those cross-border operations.
Ann Johnson: So that's great, particularly the ability to recapture funds and the ability to have this kind of impact with holding people accountable. And it's evident that private sector, like Microsoft, is playing a really meaningful role. But what more do you think that private sector, not just Microsoft, but what more do you think private sector in general can do to help close the gaps in international cybersecurity collaboration?
Amy Hogan-Burney: Yeah, I mean, I think private sector is so important, and not just Microsoft, as you say. So we work with private sector in many different ways. And one of the best ways to do that is with, you know, collective groups. So like the Healthcare ISAC, and one that we worked recently with the Healthcare ISAC to dismantle a phishing platform. It has an interesting name. They called it Raccoon O365. It is a phishing platform. It's used to facilitate all manner of cybercrime. We worked with the Healthcare ISAC because there were lots of different hospitals that were victimized, and we seized the malicious infrastructure. In addition to the Healthcare ISAC, we also cooperated with Cloudflare. Cloudflare was hosting some of that malicious infrastructure, and as soon as they were notified that they had that malicious infrastructure, they immediately cooperated with us to help seize that infrastructure, as well as Chainalysis, because Chainalysis knew that they were able to help us understand the funding mechanisms. One of the best things that we can do is identify the funding that these cyber criminals have, going after the money. And so working with Chainalysis to find that money and to help identify it for law enforcement as well. So I think you're right, Ann, anytime we can cooperate with other private sector companies in the digital crimes space. So I think we are always looking for it. And so I'll just kind of actually, this is like an advertisement for me. If you are a private sector company and you are looking to partner in any way with the Digital Crimes Unit, we are always looking for global partners.
Ann Johnson: We will definitely, as we do the promotion for the episode, Amy, we will include that in our LinkedIn and social posts, etc. Might as well, right?
Amy Hogan-Burney: That's right. More partners, the better.
Ann Johnson: So can you talk about cyber diplomacy? I don't think that a lot of our listeners are that familiar with that term. I know your team is heavily engaged. What role does the private sector play in the term "cyber diplomacy" and what does cyber diplomacy actually mean?
Amy Hogan-Burney: Yeah, so it's interesting. I don't think we spend enough time talking about cyber diplomacy, and I think it's incredibly important in this digital age. As nations operate in the digital space and as we see nation-state actors increasingly using the digital space, both for I think espionage and potentially for pre-positioning in the event of a kinetic war, as we saw in Ukraine. We need to think about what kind of rules and norms that we should have, because we have to make sure that we have a stable and secure operating system. The private sector holds the vast amount of critical infrastructure. And so we need to make sure that we are preventing conflict online in the same way that you would use traditional diplomacy to prevent conflict on land. And so we want to try to work, and this is I think relatively unusual for the private sector to start to engage in talking about how do we agree to make sure that we are not attacking critical infrastructure? How do we make sure that we are protecting things in peacetime? And how do we build that trust among countries and bring nations together to strengthen their cyber defenses? Because we hold so much of that critical infrastructure. And I think the importance of setting those norms, and the reason why it is critical, why we must have norms, is because where there is an absence of norms, you end up with negative behavior. We do not want to have negative norms. Where you have a permissive environment, it does end up kind of creating a place where we have bad behavior. And no one wants that. We all want to make sure we have, create a good place because that creates a trustful environment, and that means we can all be in a digital space and a place where we trust. And so we've worked, I think, a lot to create good initiatives in this space. So, initiatives like Paris Call and really working in the UN and places where you don't think the private sector will show up. 
And we are not the only private sector to do this. So, Amazon, Google, others are in the same places and largely for the same reasons. And I think we'll continue to see Microsoft in these spaces as we work to try to make sure we secure critical infrastructure and that we kind of create that trustful environment for individual users, for countries, and as we continue to kind of grow globally in this area.
Ann Johnson: That's super clear. I think that everyone will both understand what cyber diplomacy is, but also why it's necessary and the role that private sector must play in it. It also ties in a little bit to the other question I wanted to ask you, which is about regulation. Regulatory expectations are shifting fast. We're seeing a, I don't know if it's a rapid increase, but we're certainly seeing a lot of activity, particularly in the EU, but also in other places globally. I want to unpack it for a minute. We've heard from customers that vast regulations are complex. They're not harmonized. We talk a lot about regulatory harmonization. Can you just help contextualize today's environment? What does the complexity look like? What are you thinking about and how are we helping customers?
Amy Hogan-Burney: You know, it's kind of a mess out there. Like, I don't know how to describe it any other way. And I always feel, I feel terrible for customers because we're really, we're big and we have a lot of resources. And we can work hard and we can comply. We've long in cyber been a standards-based compliance regime, and that's not where we are anymore. We are moving to a regulatory-based compliance regime, and that's a big change for us. And so looking across all the, you know, 100-plus regulations that we either have in place now or will be in place in the next three to five years, and how do we harmonize those regulations? Because they are not harmonized right now. And you're navigating overlapping and sometimes conflicting requirements. So how do you create the appropriate high watermark for compliance? What do you do in order to help customers? And it is really, really challenging. And I think it's challenging in three ways, and this I think is really difficult for just about everyone. The first is the volume and the velocity of new regulation, right? They're emerging faster than ever, and there's shorter implementation time. The second is that they're just fragmented. Every region defines critical infrastructure differently. There's a unique set of reporting windows. They use different security baselines. And the last is an accountability shift. So, regulators are moving from kind of "check the box" compliance to personal accountability for executives and for boards. And this is, means that the stakes are different for your governance and your transparency. And this is one of the reasons why, in addition to the, I said the MDDR, it was really important to get your house in order from a governance perspective and from a threat perspective because of the age of AI. But it's also important from a regulatory perspective. And I think we talk a little bit about that in the report as well. 
And so for customers and for us at Microsoft, it really means that you have to build compliance into the fabric of your operations. And so it's about how do you harmonize your controls? How do you automate your reporting? How do you engage early with regulators to practically shape implementation? And how do you take a risk-based approach? And it's challenging. There's nothing I can say differently. It's just very difficult. And I sit in a position, like I said in the beginning, of privilege. We are very big. I have incredibly talented people across the company, incredibly talented people, legal, on the legal team, incredibly talented people on the policy team, incredibly talented compliance managers, incredibly talented engineers to implement this work. We have a fantastic formalized governance structure with our CISO, our deputy CISOs. We have a formal relationship with our board and with our corporate SLT. And still, it is going to be challenging for us to implement these regulations.
Ann Johnson: I think that's right and I think that our push, and I'm not going to spend too much more time on it here, but our push towards regulatory harmonization is something that a lot of companies have gotten behind. Because obviously there's a need for some regulation, but if every government around the world is asking corporations that work globally to adapt to every regulation, you're going to have a tremendous amount of conflicts. It just makes your job harder. Yeah.
Amy Hogan-Burney: So many conflicts. And so that's why I said, you know, like, how do we find that kind of high watermark? And how do we engage early with regulators to try to make sure that they understand what we are doing and that they are able to accept where we are going and they understand the technology? You know, that's really the education piece, I think, is incredibly important as well. And we've been doing work as part of the cyber resilience working group in Europe to do just that. And I think we'll continue doing that work around the world as well.
Ann Johnson: Well, with that, let's just talk a little bit about you, your role, your team at Microsoft. I work, I have the pleasure, I would say, of working with your team. I find your team to be very pragmatic. They give excellent advice. They separate for me what is business versus legal decision. Even if they may have some input on the business decision, they're really clear that "this is your decision". And to me, that's a great partnership. What do you, from your perspective, does the partnership look like between legal and cybersecurity teams, and what characteristics demonstrate a well-functioning partnership between the teams?
Amy Hogan-Burney: Yeah, that's a great question. You know, it is such a pleasure to work with you and with the rest of the deputy CISOs and the engineering organization across Microsoft. One of the things I think is the most important, and I think that the team does well, is listening and understanding the technology. It is impossible to give good advice if you do not spend the time to understand. And I think the team just, we look for people who enjoy the technology, the work, and really learning what's going on on a day-to-day basis. Everybody here just loves the kind of understanding the underlying engineering. They love understanding the threat actors and what the threat actors are doing. They love understanding how we're working to improve our systems. They love understanding how the network works across Microsoft. Like, we really are a bunch of technology nerds at heart over in this cyber division. And I think that's part of what it is. And the connection between the technology and the law gets people excited around here. And I think that that's one of the things that's great. The other part is we all like each other a lot. I mean, I think there's a real kind of friendship and camaraderie amongst all of us that work together, which is good because we spend a lot of time together. And as you know, Ann, there's a lot of work to be done and there's a lot of long hours, and a lot of travel around the world. And so I think it's important that we all get along well, and even when we don't get along well, we make up easily so that's good, too.
Ann Johnson: Well yeah, it's healthy conflict, right? We may disagree, but everybody is very respectful in saying, Look, I don't agree with this perspective. We also, I'll speak for myself and I'm pretty sure I'm speaking for my peers, we know we're not lawyers. So we're smart enough to know when we need true legal advice, and when to bring our lawyers in.
Amy Hogan-Burney: And I think we're smart enough to know when we're like, We have no idea what's going on technically anymore. You've lost us completely.
Ann Johnson: Yeah. I would love to hear the personal reflections that inspire our listeners. And I think I want to know from you, What is the best career advice you've ever received? And what advice would you give younger in career or career changing, anyone who's aspiring to be in cybersecurity?
Amy Hogan-Burney: Yeah, I would say any opportunity that you are given, take it. Every time someone has asked me, If I want to do something, and I mean this big and small, I have said yes, unless there was an actual reason to say no. So, every training someone has offered me, every job, even if it didn't seem like it was something that I necessarily wanted to do or thought was the right, was kind of a linear path, I have said yes to. I spent 18 months working in privacy compliance in the run-up to the GDPR. Anyone who knows me knows that I did not know anything about privacy, and I'm not the ideal compliance lawyer, either. And so I probably had no business being in privacy compliance in the most important 18 months of privacy and compliance. But I was asked if I wanted to do the job, and I said yes. And I have never learned more about Microsoft's engineering business, about privacy, and I regret not a single day of that job. And I'm so glad I said yes. And I've said yes to just about every single opportunity that someone has offered me, unless I absolutely had to say no. And I've never, ever regretted saying yes. And so that's what I would say to anyone who's young in career. You'll never have the chance again, because as you get older, you get, there's more reasons you have to say no. You get more bogged down with obligations. And so when you're young, you're freer to say more yeses. So take them all and say yes to everything.
Ann Johnson: I couldn't agree more. There's actually a, can't remember the song. And I was like, there's a great country song that describes it. But as you get older, you have mortgages and kids in college and car payments and all of the other obligations in your life that keep you from taking as many risks.
Amy Hogan-Burney: Absolutely. So do it all. All the yeses.
Ann Johnson: Amy, I close every "Afternoon Cyber Tea" with optimism. I call myself a cyber optimist because I know for everything that makes the headlines, there's thousands of things we have blocked, detected and blocked. With that in mind, considering everything we've even talked about today, I'd love to hear what you are optimistic about when it comes to the future of cybersecurity.
Amy Hogan-Burney: You know, I am so optimistic for two reasons. One, I am so optimistic because of the people that I work with every single day, that the talent that we have here and that I see in my travels around the world, it just makes me incredibly optimistic. And I am so optimistic because I see that talent being used with the innovation, with the age of AI. It is just incredible. The combination of those two things I just think makes me incredibly optimistic and I am, so, we might have a lot of rest that seems like it's bogging us down. Our MDDR might show you lots of different threat actors, and we may have lots of different cyber criminals that we're going after in the Digital Crimes Unit. And none of that changes the fact that the combination of the talent and the innovation I see in the AI space makes me incredibly optimistic.
Ann Johnson: That's fantastic. It's wonderful to hear. I really appreciate you joining us today, Amy. You always have such great advice. You're wonderful to talk to. And I appreciate, I know how busy you are. So I appreciate you making the time.
Amy Hogan-Burney: This was great, Ann. Thank you so much. I love being here.
Ann Johnson: And many thanks to our audience for tuning in. Join us next time on "Afternoon Cyber Tea". [ Music ] So sitting down with Amy Hogan-Burney really was enjoyable. She has such a wealth of knowledge. She's incredibly influential in cybersecurity, and she brings so much perspective to the conversation. I invited her to the podcast because I wanted to hear her perspective. It's a very unique perspective, and I know our listeners are going to really enjoy it. [ Music ]
