Malicious worms, hackers, and dire scenarios of cyberattack are giving cybersecurity more attention, but is it getting more action? It is at Microsoft Corp., says executive Craig Mundie, describing the progress of the software giant's year-old Trustworthy Computing initiative.
Systems smart enough to monitor, update, and repair themselves will help reassure people who continue to complain that technology is unreliable, says Mundie, Microsoft's chief technical officer of advanced strategies and policy. He spoke at a community program at Microsoft's campus here Wednesday.
Security functions are part of every Microsoft project now, he says. Efforts range from developing systems that automatically plug holes to new ways to identify remote systems you encounter online.
It's part of an emerging industry-wide focus on security that mirrors national security concerns. But for the technology industry, it's also a preemptive effort to reassure customers and avoid having security measures imposed by law, Mundie says.
People's fear of flaws could slow their enthusiasm for adopting technology, Mundie says. And the government might try to impose policy standards that could slow technology development. "We're starting to see interest in regulating the computer industry as more and more of society is relying on this equipment," Mundie says.
Concerns may heighten as we go online with more diverse devices, from handhelds to phones to custom boxes, Mundie adds. Microsoft expects those capabilities to boost productivity even more than PCs already have, he says.
But, he adds, "the concern that has emerged is, will all this be caught up short simply because people don't trust the computer system?"
Clearly, the world is more focused on cybersecurity than it was more than a year ago, when Microsoft internally conceived its Trustworthy Computing initiative. Then came terrorist attacks and the widespread Nimda worm.
Since Microsoft announced its Trustworthy Computing concept, it has hosted a security conference and even declared a one-month moratorium on software development. Programmers instead used the time to swat bugs and close holes.
Some security efforts began three years ago, when Microsoft applied for Common Criteria for Information Technology Security Evaluation for Windows 2000, a federal standard. The shrink-wrapped retail version earned the certification--not a specialized version--so anyone can benefit from its verified security, he added.
Today, security issues claim as much as 40 percent of Microsoft's spending in some development projects, Mundie said. During its recent Windows security assessment, Microsoft "spent about $100 million on the analysis of both shipped versions and what we could do in new design choices for both the .Net server process and subsequent implementations," notably Longhorn, the Windows update not due out for several years.
"We recognized that to address this we had to do it pervasively, and that requires a culture change," Mundie said. For example, loading applications with features is a common competitive tactic, but also results in lots of features that are infrequently used, and they are often ripe for security holes, he said.
The crux of the Trustworthy Computing effort is a memo by Microsoft Chair Bill Gates pointing out that it doesn't matter how good a product is: if people don't trust Microsoft and trust its work, the product won't succeed. Consequently, security issues are considered in all projects.
For example, Microsoft is working toward self-monitoring systems with features such as Windows Update, which automatically checks for critical updates, Mundie says.
Service Pack 1 for Windows XP, released in September, changes defaults for several functions to the more secure alternative. For example, if you don't have encryption activated on a wireless link, the OS won't automatically install the link and connect you. Also, the firewall configuration default is changed to on.
The Service Pack also plugged a number of security holes, including one serious flaw that Microsoft had not previously acknowledged. Mundie didn't mention it, but Microsoft also recently provided a separate fix for that hole after some customers reported problems installing SP1.
As another security measure, Microsoft beefed up the parental controls in MSN 8, the recently released client for its online service.
More Doors Ahead
Security is a priority in future products, Mundie says.
"We view this as a long journey," he says. "The stage right now is remediation, fixing sins of the past, and making design changes for future."
Microsoft continues to develop its digital rights management technology, already built into Media Player and Reader to protect copyrighted material. Another major effort, called Palladium, is a hardware-software security measure about which Microsoft has revealed little publicly.
Palladium is designed to help devices that communicate with each other clearly identify their origin, including the software they're running and person using them, to enable greater trust and smoother information exchange, Mundie says. It is intended to extend to general devices the kind of security often built into specialized machines.
A year ago, Microsoft observed a dichotomy of goals regarding security, Mundie says. People wanted privacy online and saw anonymity as ensuring it, while technical professionals striving for security saw anonymity as the enemy of security.
But today, "security is about making computers resilient to attack," he says. "As the bad guys get smarter and the tools they use get better, we have to further develop our defenses."