Two years ago, Microsoft launched its sweeping Trustworthy Computing initiative, aimed at improving the quality, security and reliability of its Windows operating system and other applications. Despite its efforts and the development of a litany of security tools and programs, Windows systems remain vulnerable to periodic malware outbreaks and hacker attacks.
Lawrence M. Walsh, executive editor of Information Security magazine, SearchSecurity.com's sister publication, recently interviewed Microsoft CEO Steve Ballmer on the progress of Trustworthy Computing, the setbacks Microsoft has suffered and the company's security strategy going forward.
In speaking engagements following the Blaster worm outbreak, you said Microsoft was rededicating itself to improving security. What impact did Blaster and the earlier Slammer worm outbreaks have on Microsoft's security strategy?
Ballmer: Security has been a top software development priority for Microsoft for more than two years and will continue to be a top priority for the foreseeable future. When I talked in October about redoubling our efforts, it was in recognition of a sharp increase in criminal attacks on the world's computer systems, that the popularity of broadband means viruses and worms can spread incredibly fast, and that no software is immune from these attacks. We understand that Microsoft has a key role to play in helping to improve computer security and that we need to continue to invest and deliver against security at the highest level possible.
Creating a truly trustworthy computing environment requires Microsoft and our industry to make significant progress on three fronts in addition to security: reliability, privacy and business integrity. From a security perspective, our focus is on reducing vulnerabilities in code, making our software more resistant and resilient to attack and helping customers get and stay more protected.
What is Microsoft currently doing to help protect its customers?
Ballmer: In October, I outlined a number of actions we are taking to help protect customers, starting with continued focus on quality, as well as mitigations and countermeasures to the patching process, and enhanced content and guidance for customers.
Examples of our progress to date in these areas include:
- The forthcoming Windows XP Service Pack 2 will help make the operating system more secure by default and provide mitigation technologies that will help protect in the event a patch isn't released or not yet installed.
- The "Protect Your PC" initiative, formed by Microsoft with industry partners, will provide valuable offers on antivirus and firewall solutions to Windows customers.
- Microsoft founded the Virus Information Alliance with Computer Associates, Network Associates, Symantec and others to provide customers with timely antivirus information.
- The switch to a monthly release cycle for security bulletins will ease patch deployment.
- Extended support for Windows NT4 SP6a and Windows 2000 SP2 through June 2004 will give customers more time to update and upgrade their systems.
Each of these efforts is designed to help customers be more secure. It's also worth noting that the technologies built into Windows XP and Windows Server 2003 already contain important security features. In fact, the Blaster worm showed how effective tools such as Internet Connection Firewall and Auto Update are in preventing malicious attacks, while at the same time underscoring that not enough customers had these security features enabled. Windows users who had these features enabled on their systems, in conjunction with up-to-date antivirus software, were well equipped to fend off the vast majority of malicious attacks.
Is Microsoft making progress toward improving the security of its operating systems and applications?
Ballmer: This is a huge challenge, but I do feel we are making progress. Our Security Business Unit continues to drive significant changes in the way Microsoft thinks about security, and develops and tests our products. We've had success in our initial efforts to improve the security technologies, code quality and default behavior of major products like Windows Server 2003, Microsoft Exchange Server 2003 and SQL Server 2000.
Development of Windows XP SP2, which will deliver new security technologies to make Windows more resistant to attack, is on schedule, and beta 1 will be available to technical beta testers by the end of 2003.
We also committed to stepping up our global education programs to provide better and more prescriptive guidance for securing systems. In this regard, we recently hosted a successful developer Security Symposium at Microsoft's Professional Developer's Conference that focused on secure coding practices. We have provided TechNet Security Seminars to customers and are offering monthly security webcasts hosted by our Security Business Unit's Corporate VP Mike Nash.
That said, there's much more work to be done, by Microsoft and across our entire industry.
Some enterprises complain that Microsoft is more concerned about preserving its revenue stream than helping to protect its customers. What would you say to those critics?
Ballmer: Microsoft will only continue to be successful if our customers are satisfied, so it's clearly in our interests -- as well as our customers' interest -- to wrestle the security challenges to the ground.
One of the most important things we learned in the past year is that creating better security tools and resources isn't enough. We need to do a better job raising awareness of our existing security resources and working more closely with customers to develop new solutions.
You've said that security issues are impeding innovation. What initiatives are security concerns holding up at Microsoft?
Ballmer: At Microsoft, security and innovation walk hand in hand. We have to innovate to address security concerns even as we move the ball forward in technology with new product releases. What's different is that we're much more deliberate about building security into products and releases.
What are your end expectations for the security, reliability and trustworthiness of Microsoft's products? When will Microsoft achieve those goals?
Ballmer: I think we have made a good start over the last two years and I believe we will have made enormous progress 10 years from now. But as we've said many times, it really is a journey, not a destination.
That journey involves delivering users a computing experience that appropriately secures their systems and data, provides a reliable system that works as and when expected, and ensures the privacy of personal information while giving them control over how that data is accessed and used.
We're strongly committed to continuing to work, in partnership with the industry and governments around the world, to increase the protection of our customers' data. We will continue to focus on improving our software design, development and testing processes to help make trustworthy computing a reality.
For an in-depth analysis of Microsoft's Trustworthy Computing initiative, please see "Microsoft's Paradox" in the January 2004 issue of Information Security magazine.