Inside Trustworthy Computing

Microsoft's Craig Mundie sounds off on how the initiative is working within the company and for customers.

Craig Mundie spent his first six years at Microsoft Corp. incubating a variety of non-PC computing and service offerings - including Windows CE, software for the Pocket PC and WebTV - for the company's consumer platforms division. But now the scope of his work is much broader.
Mundie works with Chairman and Chief Software Architect Bill Gates on a comprehensive set of technical, business and policy strategies that spans Microsoft's entire product line. As senior vice president and chief technical officer of advanced strategies and policy, Mundie must coordinate the plans when their implementation crosses product groups.
Mundie's interest in technical and policy issues related to security and critical infrastructure has landed him on several government committees, including the National Security Telecommunications Advisory Committee. He also started and continues to sponsor Microsoft's Trustworthy Computing initiative.

Computerworld's Carol Sliwa interviewed Mundie about the progress of the Trustworthy Computing initiative. Excerpts follow:

Craig Mundie of Microsoft Corp.

What effect did the companywide memo that Bill Gates issued in January 2002 have on the Trustworthy Computing initiative?
That was sort of the final step in a companywide evangelism. At that point, it went from evangelizing the importance of this to the day-by-day practicing of the art of what you do about it. You have to train people. You have to assess where they are. You have to make it possible to measure these things.

How can we in the outside world tell how much progress Microsoft has made on Trustworthy Computing?
Qualitatively, things like Bill's memo, observing the vast majority of people in the company acting as if they believe this was an important thing, is a qualitative way of deciding if we made progress.
In terms of the quantitative measurements, I think of them in two ways. There is, How do we keep score internally on whether or not we're really doing the right thing? What I said a year ago, and which we are working every month to do better, is to develop an internal measurement system where we're able to assess the progress that people have made, assess their level of understanding of the issues, provide training and then keep score of that as a way of creating management metrics that allow the management of the company to look in a holistic way at Microsoft and say, "Well, are all the groups getting it? Are they doing the right stuff?"
The ultimate outcome of this is, when you look at the products, do they exhibit better characteristics? And there, the anecdotal evidence which we begin to measure in a quantitative sense is certainly starting to support the claim that we will make a big difference here. If you look at Visual Studio .Net, which was the first product group to stand down development in order to look at these particular security issues, one thing that's clearly observable is [that] we delayed the shipment of the product from Thanksgiving [2001] until February [2002] specifically because we made decisions to make changes. That costs real money, affects real programs and real people.
Right now, we're very pleased, because the number of security issues that have come up in that product since its release is de minimis.

What are some of the other areas where the effects of Microsoft's security review can be seen?
[Internet Information Server] 6 was changed entirely in its installation configuration so that only the basic Web server, which is quite secure, is the thing that's standardly installed.
There have been other things people can observe in terms of the stand-down we did in Windows, where we stopped development this year for about 10 weeks. It produced a set of patches that we've started to push back out to the Windows update mechanism for some of the installed products. ... We released some new tools, like the Microsoft Baseline Security Analyzer.
In some sense, the first of the real Windows products ... where [trust] has had a lot of effect on the design will be the .Net Server release in the spring of [this] year, because ... we have stopped and gone back and made more fundamental changes.
The other thing that we think is going to be telling will be, Which way are all the vulnerabilities, particularly critical vulnerabilities, trending in terms of the use of the systems? We feel these efforts are starting to pay off and that our numbers will trend down in terms of the absolute numbers of bugs that are identified and vulnerabilities that are found and have to be fixed.

What is the greatest challenge going forward?
In a technological sense, you're chasing a rocket ship. I mean, we continue to have the technology moving aggressively forward. We continue to scale up the capability of the systems. As they get bigger and bigger, complexity mounts, and to some extent, those things all work against the idea that, well, can we really get this thing stabilized and improved?
So to some extent, I always worry about the balance between having to make the product and the business go forward and trying to lock it all down. If things weren't moving, it would be a lot easier. But they have to keep moving, or there would be no business.

What has been your biggest disappointment in the area of Trustworthy Computing?
We still end up with independent security research folks finding bugs that we don't find. ... We wish we would get to the point where they're no better able to find things than we are.
When I think about the industry, one of the disappointments I had is that there's no observable evidence, to me at least, that any other significant companies have really chosen to focus on this to the degree that we have. Certainly, if you look at the Linux community or IBM and the people advocating all the open-source approaches, there's about as big a dichotomy as you can imagine between what they say about that stuff and what it actually means.
One of my big disappointments as it relates to that whole phenomenon is basically the blind adoption and reiteration of all the myths around these things: Just because it's open, it must be more secure. People think that Microsoft is a whole lot worse at these things from an engineering standpoint than that community. Well, no, I don't think so. You look at Windows with 50 million lines of code. You look at Linux at, I don't know, 5 million lines of code. You look at the whole number of deployments, or at least the total number of people that are doing the analysis and attack on these things, and if we come out even, we'd say we must be doing something right. But in fact, we don't find a lot more. In fact, now we're increasingly finding less.

Copyright © 2003 IDG Communications, Inc.

  