In 2002, then-CEO Bill Gates wrote a letter to every Microsoft employee stating that product security was a top priority for the software giant. While the fight against attackers is not over, the company has advanced significantly in making it harder to compromise the operating system and associated software, according to security experts in and out of Microsoft.
Gates sent the email to all employees on Jan. 15, 2002, outlining the Trustworthy Computing initiative and calling on employees to deliver products that were "as available, reliable and secure as standard services, such as electricity, water service and telephony."
At the time of the email, Windows systems around the world were under siege by fast-replicating and destructive worms and viruses such as CodeRed, Nimda, "I Love You," and "Anna Kournikova." CodeRed used buffer overflows to exploit vulnerabilities in Windows Server's Internet Information Services (IIS) Web server and infected more than 300,000 computers.
Gates ordered everyone in the company to stop and begin focusing on security. If there is a choice between adding features and resolving security issues, the company would "choose security," Gates wrote. Microsoft needed to emphasize security "out of the box" and also "constantly refine and improve" the products because threats will evolve, according to the memo.
"If we don't do this, people simply won't be willing - or able - to take advantage of all the other great work we do," Gates wrote, adding, "We must lead the industry to a whole new level of Trustworthiness in computing."
Ten years after Gates outlined the company's three new areas of focus as security, privacy and reliability, these areas remain "just as important" as organizations move to the cloud, government roles evolve and new cyber-threats emerge, Adrienne Hall, Microsoft's general manager of Trustworthy Computing (TwC), wrote on the Trustworthy Computing blog Jan. 12.
Microsoft's Trustworthy Computing initiative permeates all parts of the company and touches upon many areas, including building security into products and services right from the design phase, regularly updating products and services, researching new and emerging threats, developing security products and working with law enforcement, Hall wrote. Under TwC, developers receive training on exploit mitigations, and there are regular outreach efforts to external security researchers who probe the company's products for weaknesses. Security runs through Microsoft employees' veins, and Hall said, "It truly is in our DNA."