Trusting in Microsoft

CTO Mundie says Trustworthy Computing initiative not a short-term fix but a continuous process.

When Bill Gates in January wrote his now-famous memo exhorting Microsoft Corp.s employees to make security their top priority, Craig Mundie saw it as a turning point in the companys history. As chief technology officer of the Redmond, Wash., software maker, Mundie bears much of the responsibility for the security and reliability of Microsofts products and ultimately will have to answer to Gates if the company fails to follow through on his plan. Technology Editor Peter Coffee and Senior Writer Dennis Fisher sat down with Mundie at the recent RSA Conference in San Jose, Calif., to discuss Microsofts Trustworthy Computing effort and whether the company can make it work.

eWeek: Much of the reaction to Bill Gates recent memo seemed to be "Are they sincere? Will they follow through this time?" Is that a fair reaction?

Mundie: Yes, but I think theres another thing which Ive been trying to say consistently. This is not a short-term fix. Theres no silver bullet for Microsoft or anybody else. Bills memo, no one should be confused, is a watershed event, at least for Microsoft.

eWeek: Do you think he intended it to be a watershed event for the whole industry?

Mundie: Sure. But when I stood up and gave the speech in November [at the Trusted Computing conference], it was largely to begin the dialogue and tell people, "Look, were going to change, and youre going to have to change, too." My message then and to some extent Bills message to the company is that people must realize it is a continuous process. So, to me, theres a medium-scale problem. And, in my mind, Bills memo to Microsoft is the beginning of what Ill call his medium-term effort, which says, over a period of years but within the context of computer systems as we know them today, we will move the needle. And you wont do that by measuring bug counts or vulnerability reports or privacy breaches or anything else. Bills memo is significant in that it says, "If we want to be rewarded in the future, both for our innovations in platforms and products and our innovation in services, then were going to have to build trust. Otherwise, people wont buy or subscribe to the services, and thatll be the end."

eWeek: You mentioned that you wont be able to measure this by bug counts. Do you think a lot of people take everything in isolation and dont look at the big picture?

Mundie: I think theres another fallacy that comes out of computing. People kind of think zero, one, black, white. Its perfect, or it isnt. And the reality is, nothing else in our life is binary. Its trade-offs. Economics and convenience get traded off against risk assessment. Anywhere that we have a vulnerability that gives us legal exposure, data exposure, system operational exposure, we want those things to be fixed faster and more consistently than they have in the past.

eWeek: One of the frustrations is that a lot of these trade-offs are made in a very opaque way. For example, Visual Studio .Net will tell you it found things that need to be updated before it can install, but it doesnt tell you what those things are.

Mundie: In the case of VS .Net, at the end of last summer, the VS team was asked by management to raise the bar a little bit and go back and think more about how you can have both a belt and suspenders. Over the last two years, weve been moving the company and the development culture from one that says youre feature-rich by default to one that says youre secure by default. But the bigger problem is, every time we become explicit about a problem that exists in a legacy product, the response to our disclosure is to focus the attack. In essence, we end up funneling them to the vulnerability.

eWeek: And you have data on this? This is something thats a measured phenomenon?

Mundie: Absolutely. One of our biggest challenges is to figure what the timing and the minimum disclosure is on some of these things, simply because we end up hurting more people than we help. Because the lag time on deployment is much longer than the lag time on exploits.

eWeek: Youve had some discussions with some of the major security providers about coming up with a two-tiered system [for vulnerability disclosure]. Where are you on the discussions on that?

Mundie: What were actually trying to do, with the people who are professionals in this area, is create a protocol by which vulnerabilities are discovered, identified, notified, mitigated and ultimately fixed. Weve been trying to encourage people to be responsible and work with the company and go to them and say, "Look, heres the problem." And as long as you believe theres earnest expedited action against the problem, then announce the fix at the same time. We will try to create an expedited process for handling these things. And that would extend not only to individual systems that have broadband connections like machines at home but would ultimately be a fully automated process for the enterprise.

eWeek: Do you think that during the next 10 to 20 years there may be a change in the legal and regulatory environment around software so that it starts to be held to the same standards of product liability that, say, automobiles or buildings are?

Mundie: Theres certainly the possibility because you just have to get a bunch of lawyers together anywhere on the planet, and they can effect this change. The mere fact that it could get done by any country makes it certainly a risk.

Ultimately, it [could result in] a huge contraction in the rate of innovation and the number of people who get to play.