In Gates We Trust

Microsoft promotes reliable .NET services and secure computing in new strategy

Microsoft chairman Bill Gates started 2002 with the blockbuster announcement that his company's new focus would be software security, prompting derisive comments from competitors, hackers, and disillusioned customers. However, analysts concur that security is a top priority for Microsoft and the entire industry, and the company has taken some significant steps on the path to "trustworthy computing."

Gates led the charge with his Jan. 15, 2002 "internal" email message addressed to all Microsoft employees, which also ended up being sent to most news organizations. In it, Gates informed his staff that Microsoft's new top priority is to ensure trustworthy computing for all customers, particularly in the .NET Web services environment. Gates urged Microsoft workers to "lead the industry to a whole new level of trustworthiness in computing" by delivering security, high availability, and privacy protection via Microsoft products.

Industry response to Gates' manifesto ranged from tepid to downright hostile, even spawning a bogus www.trustworthycomputing.com site leading to continuously updated Google search results for news about Microsoft security flaws. Nevertheless, Ovum analysts opined that Microsoft isn't entirely to blame for its highly publicized security problems, given its fame and the size of its market, which makes it a prime target for hackers.

Jim Hurley, Aberdeen Group's vice president and managing director for information security, said Microsoft isn't the only company with a security problem and blames the IT industry's troubles on a new era of malicious software "microbes" — infectious agents that can launch software-based plagues through highly interconnected enterprise systems. Developing the antidote for these microbes is the responsibility of all software companies, not just Microsoft, according to Hurley.

Microsoft is also reacting to heightened interest in security in the post-Sept. 11th world, according to Ovum. In addition, Microsoft's Web services push contributed to the company developing increased security awareness, as did actions of some of its competitors, such as Oracle, with its "unbreakable" marketing campaign, IBM's privacy council, and ongoing efforts by Sun Microsystems to undermine Microsoft's credibility and market share.

Other Microsoft officials are now orchestrating Gates' security campaign. Microsoft recently plucked Scott Charney from PricewaterhouseCoopers' (PwC) Cybercrime Prevention and Response practice to be chief security strategist. Charney, who has a legal rather than an engineering background, led the U.S. Justice department's computer crime division from 1991-1999 and said opportunities to implement security technologies and policies at Microsoft make his new job "irresistible." Charney succeeds Microsoft's chief security officer Howard Schmidt, who received a Bush administration nomination to be vice chair of the federal Critical Infrastructure Protection Board.

Craig Mundie, Microsoft's CTO of Advanced Strategies and Policies, has also stepped into the security spotlight and will work with Charney. In a Feb. 20, 2002 keynote at the RSA Conference in San Jose, Calif., Mundie discussed Microsoft's forthcoming security initiatives, including the development of trust scorecards and better auditing practices to create more accountability within the organization.

Mundie also said Microsoft will train its developers about security and make more of its closely guarded source code available to integrators so that they can develop better security and privacy services. However, Mundie cautioned that plugging Microsoft's security vulnerabilities is a long-term project that will require a lot of cooperation from the industry.

"There is nothing we or anybody else can do that fires a silver bullet at this problem and it all just gets better overnight," Mundie said. "We are [using] best practices that we've ... learned about over the last three years in the Windows world and the .NET divisions ... to discover, develop, [and] deliver better technology. And we're trying to participate in more industrywide initiatives."

— Claudia Willen

In this Issue: