This story is part of Fast Company’s Most Creative People in Business 2022. Explore the full list of innovators who broke through this year—and had an impact on the world around us.
As Microsoft’s corporate VP for customer security and trust, Tom Burt leads the division of the company that protects customers—individuals, corporations, and governments—from cyberattacks. That means securing their data not just from ordinary thieves and fraudsters, but some of the most formidable digital foes: hackers backed by powerful governments, including the Russia-linked groups that launched cyberattacks in Ukraine this past spring. Engineering is naturally a big part of those efforts.
But Burt, the former head of Microsoft’s litigation unit, is a lawyer, not a coder, and his background has proven useful in waging cyber battles. He helped thwart the Ukrainian attacks by appealing to the U.S. court system to quickly seize and take down seven internet domain names used to command and control malware, deploying a legal process that his team has honed against Russian hackers since 2016. (The same technique helped Microsoft take down more than 100 servers linked to a Russian-speaking ransomware group ahead of the 2020 U.S. elections.)
Burt’s work often requires negotiation skills—and diplomacy. “Every time we see a new attack against an agency, enterprise, or organization in Ukraine, we’re providing that threat intelligence rapidly to Ukrainian officials,” he says. His team coordinated with U.S. and Ukrainian governments about when to reveal Russian attacks, and it has been working with nations and private companies around the world over the past several years to advocate for a Digital Geneva Convention that would create standards for how countries conduct cyber warfare.
To protect Microsoft customers, Burt also occasionally spars with governmental officials directly. He appeared before the House Judiciary Committee last summer, for example, arguing against the government’s use of gag orders to prevent companies from letting customers know when law enforcement requests their private information. Burt says it’s the nature of the job. “Sometimes we’re on the opposite side [of the government], but then the next day, we’re working with that same agency on ‘How can we take down this cybercriminal?’”