Gates: Security Over Features

Microsoft chief mandates about-face; plan met with skepticism and applause.

As the launch of Microsoft Corp.s critical .Net Framework nears, Bill Gates is kicking off an all-out effort to repair the companys reputation for poor security and reliability.

In an internal memo last week, Gates, chairman and chief software architect of the Redmond, Wash., company, articulated a broad-based plan to combat security and reliability problems in the companys products.

The e-mail, sent to Microsoft employees, outlined Gates vision for what he called Trustworthy Computing, a design, development and implementation philosophy that he hopes will restore some of the confidence that the companys persistent security problems have eroded in recent years.

"As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable," Gates wrote. "Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers view of us as a company."

At the heart of the plan is a dramatic about-face for Microsoft, with Gates calling for security to be the companys highest priority, taking precedence over even functionality, which has long been the No. 1 concern for Microsoft developers.

Users, however, were less than optimistic about the companys sudden strategy shift.

"They have the capability to pull it off, but in light of their history, Im skeptical," said Steve Durst, research engineer at Skaion Corp., a software company in North Chelmsford, Mass. "I have a problem with them sacrificing everything in the name of usability. Their security is a catastrophe. A lot of the things that cause problems are just sloppy programming practices. Good coding could go a long way toward good security."

Critics such as Durst point out that in the last six months alone, Microsoft products such as Outlook and Internet Information Services have been the vehicles for the Code Red and Nimda worms and the Goner and other viruses. Security researchers also recently have found several serious vulnerabilities in Internet Explorer.

This is not the first time Microsoft has made promises about improving its products security. Last spring, the company unveiled its Secure Windows Initiative and in the fall introduced its Strategic Technology Protection Partnership, both aimed at improving the security and reliability of software code. But the company has always returned to usability as its focus. No more, Gates said.

"In the past, weve made our software and services more compelling for users by adding new features and functionality and by making our platform richly extensible," Gates wrote. "Weve done a terrific job at that, but all those great features wont matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security."

Such talk sits in stark contrast to past pronouncements from Gates and other Microsoft executives and has softened some of Microsofts harshest critics.

"This one comes from Gates himself," said Bruce Schneier, chief technology officer and founder of Counterpane Internet Security Inc., in Cupertino, Calif. "I congratulate Bill Gates on his willingness to move the company in this manner. To have Microsoft as a company focusing on security will make the Internet a safer place."

As part of the new security emphasis, any employee who contributes even a single line of code to .Net Framework will be trained how to write secure code, Microsoft executives said.

In his memo, which was meant for employees only but was later leaked to the press, Gates praised his companys work on .Net Framework but said that it could all be for naught.

"It has become clear that ensuring .Net is a platform for Trustworthy Computing is more important than any other part of our work," Gates wrote. "If we dont do this, people simply wont be willing—or able—to take advantage of all the other great work we do."