In 2000, Microsoft removed the words "idiot," "fool" and "nitwit" from Word's built-in thesaurus. After reading Bill Gates's e-mail on Trustworthy Computing, I now know why. Gates's pie-in-the-sky security manifesto has left us searching for a new word to describe what Gates must take us for.
Only the truly cynical security practitioner could read Gates's mantra and not feel at least partially vindicated. He finally put in words what we've trumpeted all along: "Trustworthy computing is the highest priority for all the work we are doing." Gates even goes so far as to emphasize security over functionality in software development: "[W]hen we face a choice between adding features and resolving security issues, we need to choose security."
By George, he's finally got it.
Still, you'll pardon me if I remain skeptical. I don't doubt that his intentions are earnest. Gates reserves these types of missives for only the highest priority issues, those he considers fundamental to the company's future. And if anyone can make Microsoft software secure, it's the chairman himself.
But all of the above raises the question of whether Microsoft products can be secured. Gates claims that the company's forthcoming .NET initiative "is designed from the ground up to deliver Trustworthy Computing." He states that "customers will always be able to rely on these systems to be available and to secure their information."
The problem with this statement is that it has already been shown to be false. For example, last December we found out that Windows XP, the first major step in .NET, contains a critical vulnerability in its Universal Plug and Play (UPnP) capability. And then, in mid-January, part of the .NET My Services site was off-line for five days due to a "technician's error." Meanwhile, the first .NET-targeted virus also made its appearance, a sure sign of things to come. If this is what it means to make .NET secure, Gates isn't off to a good start.
In Building Secure Software (Addison-Wesley, 2001), John Viega and Gary McGraw point out that "software that is properly engineered goes through a well-structured process from requirements design, through detailed specification, to actual implementation." Secure software is built from the ground up. It's not an add-on, a hotfix, a patch or an afterthought. It's a fundamental part of the initial design and engineering process.
While it's not too late to make .NET more secure than it otherwise might have been, achieving Gates's lofty goal of making "computing that is as available, reliable and secure as electricity, water services and telephony" is unrealistic in .NET without going back to square one, which the company obviously won't do.
Aside from the technical infeasibility of securing millions of lines of proprietary code across hundreds of systems and applications, making good on the Trustworthy Computing pledge will involve an almost unfathomable shift in the company's way of doing business. Microsoft's deeply entrenched product development culture has always put features and functionality before security and availability. Bonuses and promotions have always been based on time-to-market and feature creep.
Making Microsoft products secure will result in higher costs for development and QA processes, delayed product launches and (gasp!) software without all the bells and whistles. Yes, it can be done. But even if Microsoft starts today, it will be 18 months to two years before we see the fruits of this labor. One wonders if Gates has the patience.
To be the champion of secure commercial software, Microsoft must be tenaciously uncompromising in its commitment to robustness and reliability. It will have to be satisfied with lower profit margins and the gripes of many consumers about endless pop-up windows and a seeming lack of features.
Gates's vision is admirable, but it has put his company between a rock and a hard place. He is right to say that security is a "fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services." He recognizes that the long-term success of his company depends on the security, reliability and availability of his products, and that achieving this goal will require a top-to-bottom overhaul in how the company operates. Indeed, to become a leader in security, Microsoft must be willing to sacrifice the key elements of its rise to power: profitability and market dominance.
About the author:
Andy Briney is editor-in-chief of Information Security magazine.