Update: Gates wants security top priority at Microsoft

Bill Gates is getting serious about security. Microsoft Corp.'s chairman and chief software architect is calling on the software giant's 49,000 employees worldwide to make "trustworthy computing" the company's highest priority.

"In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible," he wrote in the memo to employees dated Jan. 13 that was made available to the media. "We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security."

One observer said the memo doesn't necessarily mean a new strategy for Microsoft.

"I think the announcement itself is probably more political than one of substance," said Graham Titterington, a senior analyst at research and consulting firm Ovum Ltd. "IBM has decided to make privacy one of its key themes over the next quarter or so ... so there may be a little bit of me-tooing in this announcement."

Microsoft spokeswoman Kimberly Kurseman disagreed, saying Gates statement is a "call to action" for Microsoft employees.

"This is definitely, not a 'me too,' action," she said this afternoon. "I think it is worthwhile to note that this is an issue that Microsoft, from the executive level on down, has been thinking out for some time. It is a long-term initiative for the company, and Bill's memo is a call to action to all Microsoft employees."

According to another Microsoft spokesman, Visual Studio.Net is the standard for developing more secure products.

"Visual Studio.Net, which is shipping next month, has undergone an intense code review with a focus on ensuring security," he said. "The Office team has also undergone similar training for its developing and test teams. The other product groups are also committed to executing on Bill's leadership, following the path he lays out in his e-mail."

Kuresman said the emphasis in the past had been more on producing products that customers wanted -- products with extensive features and functionality. Now, she said, Microsoft will examine the balance between "extensivity" and security.

"There will be an internal culture and mind-set change in terms of how products are developed," she said. "When we think about developing software, we need to think about security first. Customers are saying they want certain types of features, but now it's dawning on them that they want to do things securely."

Kuresman said 7,000 Windows Microsoft developers are being trained internally in security; the company is also doing an extensive code review of its product development process.

Critics have in the past charged that Microsoft products are especially vulnerable to malicious code and other security problems. But the company has generally rejected the claim, saying its software is more frequently targeted simply because of its high profile.

"All software contains security vulnerabilities, and worms and viruses can be written to exploit vulnerabilities in any product," said a Microsoft spokesman, who asked not to be identified. "Microsoft is a leader, and so our products are more frequently a target [of hackers]."

That's only partially true, said Titterington.

"Hackers want to get the greatest return on their investment, and therefore they go for software platforms that are widely distributed," he said. "But if you compare the number of successful security attacks on Windows against the number of successful attacks on Unix, the difference is so wide that you can't totally explain it by the attraction to hackers [of Windows]."

One reason Windows is vulnerable, he added, is that it started as a stand-alone product for individual users and has since grown to encompass enterprise servers, increasing the security risk.

Microsoft CEO Steve Ballmer also discussed the issue of security during an interview with Computerworld (see story).

Gates wrote in the memo that events last year, including the terrorist attacks of Sept. 11 and highly publicized virus attacks, have highlighted the importance of "integrity and security of our critical infrastructure, whether it's the airlines or computer systems."

Customers, he continued, should be able to rely on "computing that is as available, reliable and secure as electricity, water services and telephony."

Linda Rosencrance contributed to this report.

Related stories:

Copyright © 2002 IDG Communications, Inc.

Shop Tech Products at Amazon