Gates: Microsoft Spent $100M on Security

After suffering a series of security flaws that have shaken customer confidence, Microsoft chairman Bill Gates has taken to e-mail to reassure customers that Microsoft has heavily invested in its “Trustworthy Computing” initiative and is on track to ensure the security of its products.

Writing to about 1 million users who receive one of Microsoft’s customer newsletters, Gates noted that “the development work of more than 8,500 Microsoft engineers was put on hold” while the company analyzed what amounted to “millions of lines of Windows source code.”

The “standdown,” Gates wrote, took two months and cost Microsoft in excess of US$100 million as the company put its engineers and other employees through “special training in writing secure software.” Similar efforts are to be applied to Microsoft Office, Visual Studio .NET and other products.

Long Overdue

Some say the move is long overdue. Giga Information Group vice president Julie Giera has told the E-Commerce Times that Microsoft “realizes that without security and user confidence, the potential damage to its market and brand name is tremendously large.”

To create a trustworthy computing environment, Gates said the company must make software code even more secure and reliable and stay ahead of security exploits by distributing updates via the Internet and providing early recovery from problems with “minimal intervention.”

Keeping In Touch

Gates claimed his letter is the first in a series to be penned by himself and CEO Steve Ballmer, as well as by other Microsoft executives, to keep interested users abreast of technology and public policy issues they have identified as important.

Gates acknowledged that in his conversations with customers over the past year security has emerged as a top concern. “They are concerned whether their data is being protected,” said Gates. “They are frustrated that their technology doesnt always work consistently” and are seeking assurances that the industry is working to resolve these problems.

Indeed, attacks against software code in general have cost companies and others $13.2 billion, according to Computer Economics.

The Microsoft chairman said that six months ago he issued a call to action to the company’s 50,000 employees, making a trustworthy computing environment the “highest priority” over the next decade.

Gates envisions computing that is “as reliable as the electricity that powers our homes and businesses today.”

Not There Yet

The company, said Gates, has tried to “eliminate weak links such as passwords and fake e-mail” by employing such technologies as smart cards.

“We’re also working with others throughout the industry to improve Internet protocols [and] to stop e-mail that could propagate misleading information or malicious code that falsely appears to be from trusted senders,” said Gates.

“And, we are making fundamental changes in the way we develop software, in our operational and business practices and in our customer support efforts to make the computing experiences we provide more trustworthy.”

While Microsoft will continue to invest in the new features and functionality that users demand, security improvements have become even more important.

Gates noted that changes to Outlook — blocking email attachments “associated with unsafe files” and preventing access to user address books, as well as giving administrators greater control over e-mail security settings for the enterprise — have already resulted in a dramatic drop in e-mail virus incidents.

Baby Steps

The company will continue to conduct “a rigorous and exhaustive review” of its offerings to identify and “minimize” security threats.

In an effort to create a more secure environment, Microsoft has already taken some critical first steps, Gates said, by changing the way it designs and develops software. “Our new new processes should greatly minimize errors in software and speed up the development process for new products and services,” he said.

Through the Software Update Services tool, IT administrators can now deploy critical updates to Windows 2000-based servers as well as desktops running Windows 2000 Profession and XP Professional. Microsoft has also released a Baseline Security Analyzer to identify security misconfigurations, and the company plans to ship .NET Server 2003 as “secure by default,” Gates said.

“We believe it is critical to provide customers with a foundation that has been configured to maximize security right out of the box.”

That will likely come as a relief to customers who have endured weekly — and sometimes almost daily — reports of Microsoft security vulnerabilities.