Tech & Work

Talking Shop: Can Microsoft deliver on Gates' security promise?

Skeptical analysis of Microsofts Trustworthy Computing initiative


On Jan. 15, 2002, Bill Gates sent an internal e-mail memo with the subject Trustworthy Computing, which was intended to change the way Microsoft creates software. In the memo, Microsoft’s chairman and chief software architect admitted to something that everyone in IT already knew: There is a lot of sloppy coding in Microsoft’s software. The memo also acknowledged that if this doesn’t change, no one will trust the .NET platform enough to use it.

The crux of this memo
In part, the e-mail says, “[In a decade, computers] will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers, and everyone else sees that Microsoft has created a platform for Trustworthy Computing.”

Gates defines “Trustworthy Computing” as “computing that is as available, reliable, and secure as electricity, water services, and telephony.” He also equates success for the computer industry with what Microsoft does.

For the first two decades of its existence, Microsoft’s business depended on selling software for individual PCs. However, Gates is now trying to change the world's largest software company to a service company that provides software for a fee over the world's public and private networks. To do this, he will have to alter Microsoft’s reputation from that of a company that paid little attention to security and often peddled buggy programs to a software publisher of world-class quality that can win the trust of IT professionals and computer users around the world.

While some people are describing this memo as mostly PR hype, keep in mind that the last “policy” memo he sent out two years ago outlined the .NET strategy. That strategy may have essentially flopped so far because people don’t trust either Microsoft’s intentions or the quality of its software. But there is no doubt that .NET has been the company’s main focus over the past several years and will continue to dominate its efforts for the foreseeable future.

Remember, too, that Gates sent a 1995 policy memo that changed the company’s focus from office- and LAN-centric software to the Internet. Is there any doubt that this reflected a real change in the direction Microsoft took in the late 90s, despite its many naysayers?

Can Microsoft get secure?
Although many of you may not believe Bill Gates when he says the company will now focus on security and producing bulletproof code, I believe his intentions are to accomplish just that. What else can Microsoft do? Is there any important feature that Windows or Office lacks other than trustworthiness?

I’m not saying Microsoft can actually make its software secure, but it’s easy to see that the future lies with collaborative technology and Web services. Microsoft’s market domination is threatened if companies and government agencies won’t risk using its heretofore buggy and insecure software.

Those who haven’t been around quite as long as I have may not realize just how many times people and companies have underestimated Gates' leadership in the past. Under his guidance, Microsoft has defeated the giants and upstarts and the incumbents and techno-marvels, from IBM to Apple to Netscape. I don't think that we should completely rule out the possibility that Gates could pull off another coup and win the emerging Web services battle.

What Gates' memo really says is that Microsoft is about to devote a large portion of its massive resources to making its software both stable and secure. Whether it’s actually possible to do this with such massive programs that carry so much legacy baggage is another question entirely. If anyone can do it, I’d bet on Microsoft. But ultimately, I doubt whether anyone can make Microsoft code really secure or relatively bug-free without rewriting the entire code base.

Bottom line
Microsoft is caught between a rock and a hard place. Its programs and operating systems provide the functionality and user-friendly features people demand. Yet in many instances, these features create some of the worst security problems. When Microsoft makes things more restrictive—and hence more secure—it gets complaints that the software won't let users do what they need to do. For example, Microsoft recently tried to change the way Outlook handles common attachment types that carry most worms or viruses. Some security experts praised this move, but a lot of users complained that the new Outlook was too restrictive.

As IT professionals and consumers are starting to demand secure software with fewer bugs, Gates says that Microsoft stands ready to supply the code. In order to make this work, Microsoft must completely change the way it creates software. The company has always relied on beta and first release testing to identify coding errors. Obviously, this has led to a lot of vulnerabilities, since problems aren’t uncovered before the software is in use.

To produce really secure or bug-free code, the emphasis must change to one of writing good code in the first place and testing it extensively before its public release. This may sound obvious, but is also an expensive and slow way to produce code. Look for Microsoft to reengineer its development process along these lines. If it doesn't, Trustworthy Computing will be an empty promise, and Microsoft's day in the sun will pass.

Do you think Microsoft will deliver on Trustworthy Computing?
We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.

 

Editor's Picks