Microsoft outlines security policy

Malicious worms, hackers, and dire scenarios of cyberattack are giving cybersecurity more attention, but is it getting more action? It is at Microsoft Corp., says executive Craig Mundie, describing the progress of the software giant's year-old Trustworthy Computing initiative.

Systems smart enough to monitor, update, and repair themselves will help reassure people who continue to complain that technology is unreliable, says Mundie, Microsoft's chief technical officer of advanced strategies and policy. He spoke at a community program at Microsoft's campus here Wednesday.

Security functions are part of every Microsoft project now, he says. Efforts range from developing systems that automatically plug holes to new ways to identify remote systems you encounter online.

Seeking Reassurance

It's part of an emerging industry-wide focus on security that mirrors national security concerns. But for the technology industry, it's also a preemptive effort to reassure customers and avoid having security measures imposed by law, Mundie says.

People's fear of flaws could slow their enthusiasm for adopting technology, Mundie says. And the government might try to impose policy standards that could slow technology development. "We're starting to see interest in regulating the computer industry as more and more of society is relying on this equipment," Mundie says.

Concerns may heighten as we go online with more diverse devices, from handhelds to phones to custom boxes, Mundie adds. Microsoft expects those capabilities to boost productivity even more than PCs already have, he says.

But, he adds, "the concern that has emerged is, will all this be caught up short simply because people don't trust the computer system?"

Heightened Alert

Clearly, the world is more focused on cybersecurity than it was more than a year ago, when Microsoft internally conceived its Trustworthy Computing initiative. Then came terrorist attacks and the widespread Nimda worm.

Since Microsoft announced its Trustworthy Computing concept, it has hosted a security conference and even declared a one-month moratorium on software development. Programmers instead used the time to swat bugs and close holes.

Some security efforts began three years ago, when Microsoft applied for Common Criteria for Information Technology Security Evaluation for Windows 2000, a federal standard. The shrink-wrapped retail version earned the certification--not a specialized version--so anyone can benefit from its verified security, he added.

Today, security issues claim as much as 40 percent of Microsoft's spending in some development projects, Mundie said. During its recent Windows security assessment, Microsoft "spent about $100 million on the analysis of both shipped versions and what we could do in new design choices for both the .Net server process and subsequent implementations," notably Longhorn, the Windows update not due out for several years.

"We recognized that to address this we had to do it pervasively, and that requires a culture change," Mundie said. For example, loading applications with features is a common competitive tactic, but also results in lots of features that are infrequently used, and they are often ripe for security holes, he said.

Pervasive Priority

The crux of the Trustworthy Computing effort is a memo by Microsoft Chair Bill Gates pointing out that it doesn't matter how good a product is: if people don't trust Microsoft and trust its work, the product won't succeed. Consequently, security issues are considered in all projects.

For example, Microsoft is working toward self-monitoring systems with features such as Windows Update, which automatically checks for critical updates, Mundie says.

Service Pack 1 for Windows XP, released in September, changes defaults for several functions to the more secure alternative. For example, if you don't have encryption activated on a wireless link, the OS won't automatically install the link and connect you. Also, the firewall configuration default is changed to on.

The Service Pack also plugged a number of security holes, including one serious flaw that Microsoft had not previously acknowledged. Mundie didn't mention it, but Microsoft also recently provided a separate fix for that hole after some customers reported problems installing SP1.

As another security measure, Microsoft beefed up the parental controls in MSN 8, the recently-released client for its online service.

More Doors Ahead

Security is a priority in future products, Mundie says.

"We view this as a long journey," he says. "The stage right now is remediation, fixing sins of the past, and making design changes for future."

Microsoft continues to develop its digital rights management technology, already built into Media Player and Reader to protect copyrighted material. Another major effort, called Palladium, is a hardware-software security measure about which Microsoft has revealed little publicly.

Palladium is designed to help devices that communicate with each other clearly identify their origin, including the software they're running and the person using them, to enable greater trust and smoother information exchange, Mundie says. It is intended to extend to general devices the kind of security often built into specialized machines.

A year ago, Microsoft observed a dichotomy of goals regarding security, Mundie says. People wanted privacy online, and saw anonymity as ensuring it; while technical professionals striving for security saw anonymity as the enemy of security.

But today, "security is about making computers resilient to attack," he says. "As the bad guys get smarter and the tools they use get better, we have to further develop our defenses."


Peggy Watt

PC World