The headlines served as a warning to cybercriminals around the world—Russian hacker Track2 was sentenced to twenty-seven years in prison for crimes that caused more than $169 million in damage to banks and business owners. It took a dedicated team of federal agents and prosecutors to find, apprehend, and convict Track2, whose real name is Roman Seleznev. Norman Barbosa acted as lead trial counsel for the Department of Justice.
Today, Barbosa works at Microsoft and leads the tech giant’s global law enforcement and national security compliance and public policy efforts. As part of that role, he’s developing policies related to government access to data, cybersecurity, and cybercrime. The fifteen years Barbosa spent as a prosecutor have given him the unique ability to understand all aspects of the many issues that come together where technology, business, law, and privacy collide.
After five years as an assistant regional counsel with the Social Security Administration, Barbosa worked as a special assistant United States attorney in the Western District of Washington, where he prosecuted social security fraud and identity theft. During that time, he convicted members of a conspiracy who used emerging card printing technology to create counterfeit documents used to purchase millions of dollars’ worth of electronics they sold through online auction sites.
Barbosa managed bigger and bigger white-collar fraud investigations, and in 2008, he started to coordinate the district’s Computer Hacking and Intellectual Property Crimes program and act as a national security cyber specialist. Soon after Barbosa took the role, users around the world started reporting incidents of a computer worm attacking vulnerabilities in Microsoft Windows. The malware, known as the Conficker botnet, hit computers in nearly two hundred countries. Microsoft referred the case to Barbosa’s office, and his counterparts launched a wide-ranging investigation in cooperation with the FBI and several foreign law enforcement agencies.
In 2011, after a three-year investigation, they seized hundreds of servers, executed search warrants in Kiev, and arrested three Ukrainians. “Protecting companies, individuals, and governments from bad actors online is a huge team sport that spans all borders,” says Barbosa, who provided investigative support for the FBI’s investigation and prosecuted responsible parties.
Cybercrime became an increasingly high priority for the Department of Justice, and Barbosa says his colleagues were pursuing Seleznev (AKA Track2) for ten years before they finally caught him trying to pass through the Indian archipelago of the Maldives. Seleznev spent five years hacking into hundreds of retail systems to install malware and mine credit card numbers he used and sold on the dark web. At the time of his arrest, Seleznev was in possession of more than 1.7 million stolen credit card numbers, and his activities were linked to servers in Russia, Ukraine, and the United States.
Working these cases often required Barbosa to interact with leading tech companies. “Cybercrime investigations form arm’s length relationships between government and private industry because there are mutual interests,” Barbosa says. In interacting with Microsoft, he became impressed with the internal digital crimes unit and the company’s strong reputation for protecting its customers. In 2018, after resolving the Seleznev case, Barbosa joined Microsoft to coordinate data access compliance and balance law enforcement requests with commitments to customer privacy.
Barbosa is leveraging his experience and niche subject-matter expertise to help Microsoft answer complex questions related to how it responds to obligations placed upon private businesses to produce records and information that may be in its data centers. He serves as a bridge between all interested parties, often engaging with customers to assure them Microsoft maintains an appropriate relationship with governments.
As the world gets more connected, Barbosa’s job gets more complex. He’s monitoring ongoing issues related to privacy and digital sovereignty. What happens when Europeans use American technology on the internet? Which laws apply, and how are companies and individuals impacted when global laws conflict? “There’s a lack of clarity,” Barbosa says. “People around the world want to know that their privacy and data are protected, and we are working to encourage governments to find multilateral solutions and an agreed set of principles going forward.”
After decades of unbridled innovation, Barbosa says the time is right for countries to regulate the internet to ensure citizens, corporations, and governments are using technology for good and not for evil. There’s a lot at stake. Microsoft’s mission is “to empower every person and every organization on the planet to achieve more.” That mission is impossible if people lose trust in technology.