The Microsoft bribes scandal broke not too long after I had to take the "hey don't do bribes" training at Microsoft.
That event really drove home for me the fact that all of the trainings, emails, processes, etc. are mostly plausible deniability. There are people who care about security at MS. I know, I've met them, but for the most part all of this exists so that Satya can plausibly say in court or in front of congress, "well we told them to do security better. This is clearly the fault of product teams or individual contributors, not Microsoft policy and incentives."
I dunno, that’s a pretty cynical take. Isn’t it just as plausible that they became aware of the bribes internally and were trying to curtail them when the scandal broke out? Or maybe the “don’t do bribes” training actually worked enough for someone to whistleblow even if official internal channels failed? Those who are doing wrong often try to stymie others from making positive changes out of fear, greed, etc.
Edit: I just want to add that there are things to be cynical about - I’m not completely naive. If it’s your legal department heading up the training then you can be pretty sure that there was a cause for it.
Yes, massive companies are a nest of conflicting priorities. The sales team wants to do whatever it takes to win the deal, and the legal team wants everyone to behave ethically at all times. The board wants to be shocked(!) when it turns out those goals are in conflict, with the ethical side sometimes losing out, to remove any personal risk to themselves.
Having worked with many lawyers... for the most part, yeah. Legal wants you to behave ethically at all times, not because they necessarily have some ideological commitment to ethics (though some do), but because it keeps the company out of lawsuits.
The overwhelming goal of a company's legal department is "don't get sued", followed by "if sued, lose as little money/leverage as possible".
In general the lawyer in the room is going to be far more risk-averse than the engineers, product people, sales people, or marketers.
The trick is that outside of some limited circumstances the legal departments at companies are not the final say. Many lawyers who "go in house" (i.e., quit a private outside firm and go work directly for a company) find this frustrating. They come into a room, say "don't do that", and then a few weeks/months/years later someone did it and now they have to prepare for a lawsuit.
Most corporate law guidance is about risk mitigation, not about ethics. Less activity generally translates to less risk.
You can see a similar phenomenon with security professionals. True, the only secure computer is one disconnected from the Internet, turned off, put in a Faraday cage, on the moon, under armed guard - but that's not useful.
Even if everyone in the company magically complied with the wishes of the legal department, they would still have work to do. Defending the company against frivolous lawsuits and incoming regulations, suing competitors and other bad actors outside of the company, writing and evaluating contracts, and any internal legal consultation needed.
That doesn't seem plausible, because you can't stop bribery by telling people that bribery is against the rules. Everybody already knows that.
If they became aware of bribery and genuinely wanted to stop it, the way is to publicly punish the culprits as harshly as they can, to demonstrate to others that enforcement of the rules can happen.
Yes and no. You might not even realize that what you did constitutes giving or receiving a bribe. What cracks me up though is that all large US megacorps give tens of millions of dollars in thinly veiled bribes to officials each year, as they browbeat their employees into not accepting a god damn fruit basket from a thankful client.
Maybe. However such training is essentially considered mandatory compliance at any publicly traded company once you reach a certain size, especially if you sell to the government, and IMO probably not related to any specific event they became aware of.
I've had to do the same mandatory anti-bribing public officials training annually at US companies a fraction the size of Microsoft. The anti-bribe training is so common at large companies in the US, there are companies that sell ready-made one-size-fits-all training videos specifically on this topic that are then usually the thing the employee has to sit through annually.
In my experience, different cultures have different feelings on the moral failings of bribes. Some of my colleagues grew up in countries where it is a common business practice, so it probably makes sense for large orgs with a global employee base to have to establish some kind of baseline for acceptable business practices. Similarly, I know several people who came to study computer science in the US and tried to bribe police officers upon being pulled over for speeding, simply because it's how you handle the matter where they grew up.
But this is exactly why it's standard procedure. I worked for a huge Credit Reference Agency and it was very obvious that this is ass covering.
Sarah and Bob in the New York Office of Huge Corp must take the training so that the CEO can swear all his employees know not to bribe people. In the event that Manuel, who is given $100 000 per week of company money to bribe the locals in Melonistan so that they don't interfere with Huge Corp's operations, is actually brought before the government and forced to spill the beans, the CEO will insist they had no idea and some Huge Corp minion gets sacrificed. Manuel will be replaced, and Melonistan will be assured quietly that his replacement will provide make-up money ASAP.
In arms this is even worse, because there it's secretly government policy to bribe people, even though it's also illegal. So then sometimes even if you can prove there was a crime, the government will say "We'll take that evidence, thank you very much" and poof, the crime disappears; if you make too much fuss you'll be made to disappear too.
Not just onboarding. Most, if not all, large companies waste at least an hour of their employees time on this per year, while themselves bribing politicians in DC.
The article you linked says that Chiquita was extorted into illegally paying money to a Colombian death squad, who also murdered people, and were ordered to pay restitution to the victims' families. It doesn't say that they paid the death squad to murder people on Chiquita's behalf.
Microsoft has for over two decades been one of the largest and most sophisticated employers of security talent in the industry, and for a run of about 8 years probably singlehandedly created the market for vulnerability research by contracting out to vulnerability research vendors.
Leadership at Microsoft is different today than when the process of Microsoft's security maturation took place, but I'll note that through that whole time nerd message boards relentlessly accused them of being performative and naive about security.
It would help if there weren't all these employees and ex-employees stepping forward to talk about how Microsoft is performative and naive about security. I won't go as far as to say that, but I will say I don't think my incentives as an IC lined up with the security-focused mindset that company execs tout publicly.
It's been a while now but at one point, just about every giant tech company simply make install'ed a key-material-leaking TLS bug on just about every endpoint they ran. The bug was introduced by, effectively, some guy on the internet. It implemented a feature statistically nobody was going to use.
It's trivial to re-frame all sorts of mishaps as evidence of unseriousness about security, especially if done selectively and in hindsight. It doesn't really tell you much of anything meaningful.
I think there's a difference between compiling and installing buggy software and developing the whole infrastructure yourself on top of the operating system that you solely develop and build.
Microsoft isn't a single entity! Like any large corporation there are many teams and people doing great work, and there are many teams and people incentivized to downplay that work.
To be fair, it's not really possible to come up with good policy to handle this at scale. It would be too intrusive to require employees to divulge their private financial accounts (and near impossible to audit that the employee has truly divulged all their financial accounts), and the more internal controls you put in place, the slower the deal-making gets, with no guarantee of good behavior.
Eh. For the most part, the trainings can be taken at face value. Even if the management's dealings with governments and partners are questionable, no company wants random employees accepting personal kickbacks from vendors.
There's a liability avoidance component to trainings, but mostly for non-business misconduct. For example, for sexual harassment, the company will say they tried everything they could to explain to employees that this is not OK, and the perpetrator alone should be financially liable for what happened. That defense is a lot less useful in business dealings where the company benefits, though.