Microsoft announces shift toward security

WASHINGTON — Microsoft Corp. Chairman Bill Gates is steering his software empire onto a new strategic heading, putting security and privacy ahead of new capabilities in the company's products.

In an e-mail to employees obtained by The Associated Press, Gates referred to the new philosophy as "Trustworthy Computing" and said his highest priority was to ensure that computer users continued to venture safely across an increasingly Internet-connected world.

Gates compared the significance of his 1,600-word message, sent Tuesday, to his "tidal wave" e-mails during the mid-1990s, which changed the course of Microsoft, and much of the software industry, to focus its products on the Internet.

He said this new emphasis on security for Microsoft was "more important than any other part of our work. If we don't do this, people simply won't be willing — or able — to take advantage of all the other great work we do.

"When we face a choice between adding features and resolving security issues, we need to choose security," Gates continued. "Our products should emphasize security right out of the box."

The change comes after the discovery of major security problems in Microsoft products, such as flaws in the latest versions of Windows that allow hackers to seize control of a user's computer. Another problem allowed the so-called Code Red viruses to cripple hundreds of thousands of computers running Microsoft products.

"Gates' saying that security needs to come before features is a huge statement for the software industry, not just a huge statement for Microsoft," said Marc Maiffret, founder of eEye Digital Security Inc.

Other experts expressed skepticism, even as they praised the Gates message.

"That sounds really good," said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc. "If Microsoft follows through, it will be an enormous change. As a longtime watcher of Microsoft rhetoric I'm skeptical, but those are the right words."

David Smith, vice president of Internet Strategy at Gartner Inc., an analyst firm, welcomed the move but said the strategy shift may be coming too late. Smith faulted Microsoft for developing broad, Internet-based strategies without paying enough attention to security.

"It's about time, perhaps overdue," Smith said.

In the e-mail, Gates also referred to the Sept. 11 terror attacks as a reason to focus on security. He noted that last year's events "reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure, whether it's the airlines or computer systems."

Other Microsoft executives declined to comment.

Microsoft products can be found in almost every government facility, from the White House to aircraft carriers at sea. One person with knowledge of the change said new products and features will be tested for security risks before going any further — if they fail, the feature won't be included.

"Things are going to have to go through a crucible, and the crucible will be security-first," according to this person, who spoke only on condition of anonymity. Compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are.

Russ Cooper, a security expert with TruSecure Corp., said the change occurred in part after a new security team assigned to attend every product meeting met resistance from product teams.

Microsoft has long been criticized for focusing on making products more feature-rich rather than emphasizing security and stability. For example, Windows XP added DVD player software, a rudimentary Internet security utility and a new instant messaging program.

Customers could also see a downside, though. Besides fewer new features, product upgrades could come less frequently or could be pushed back.

Privacy is also a focus.

"Users should be in control of how their data is used," Gates wrote. "It should be easy for users to specify appropriate use of their information, including controlling the use of e-mail they send."