Gates Stresses Trustworthy Computing, Names Security Chief

by Timothy Prickett Morgan

Microsoft is not exactly known for the rugged security of its software, and the company knows it has a business problem as well as an image problem if customers do not believe that the company's server and desktop operating systems and the applications and middleware that run on top of them are secure. Microsoft is finally doing something visible about security, starting with Bill Gates and working down to the most junior programmers at the company.

A few weeks ago, Microsoft's chairman and chief software architect, Bill Gates, sent out a lengthy memo to all Microsoft full-time employees outlining his view from the top on the security of Microsoft's products as well as for those of other vendors, and committing Microsoft to making security the number one priority of the company.

"Every few years I have sent out a memo talking about the highest priority for Microsoft," Gates explained in the email. "Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet truly useful for people. Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing--or able--to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing."

That is how the latest Gates memo starts, and it pretty well sums up the situation that Microsoft faces--and indeed all IT vendors who are relying on Web-based services either directly or indirectly to produce their revenues and profits. (You can read the entire Gates memo by clicking here. So how serious is Microsoft about security? Dead serious, apparently. "In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible," explained Gates in the memo. "We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security."

One important side effect of this emphasis on security will be a longer development cycle for Microsoft's products and a diminishment of feature creep in these products as well. It is unclear what effect more staunch security coding and testing will have on Microsoft's development costs and the prices it can charge for products, but what seems clear is that for Microsoft to better succeed in the data center and retain its dominant position on corporate desktops, its products have to be made more secure. Attaining high levels of security in Microsoft's products is complicated by the fact that hackers the world over seem to take great joy in attacking Microsoft programs. The reason is not simply a hatred of Microsoft, but rather that the pervasiveness of Microsoft desktop and server operating systems presents a relatively uniform breeding ground for viruses and a vast, interconnected network for hackers to roam and wreak havoc. If Unix was as pervasive as Windows at small and medium businesses on the Web and on corporate desktops, we would all be complaining about Unix viruses.

Aside from getting the troops behind increasing the security of Microsoft's products, Gates also did something else significant recently to help Microsoft better understand the security and privacy issues of its corporate and consumer customers: The company has hired Scott Charney, the principal partner at PricewaterhouseCoopers' cybercrime prevention and response practice, to become Microsoft's chief security strategist. Charney will be heading up the Trustworthy Computing initiative outlined by Gates in his security memo, and will start working for Microsoft on April 1.

Charney joined PwC in 1999, and was responsible for setting up proactive and reactive computer security services for the Big Five accountancy's clients, including designing new computer security systems, testing existing network and server security, and hunting down hackers and other cybercriminals. Prior to joining PwC, Charney worked at the U.S. Department of Justice as chief of the Computer Crime and Intellectual Property Section of the Criminal Division. Prior to joining the DOJ in 1991, Charney was an assistant district attorney in Bronx County, New York, where he was ultimately promoted to the position of deputy chief of the investigations bureau. Charney has bachelor's degrees in history and English from the State University of New York and has a JD from the Syracuse University School of Law.