Microsoft Seeks to Build Trust in Software

MOUNTAIN VIEW, Calif.--Microsoft Corp. on Tuesday outlined a broad framework for building trust in software that company officials hope will help improve the security and privacy of the world's computer systems.

The plan, a comprehensive initiative conceived by Microsoft as a way to assess the security and privacy features of computer systems, was unveiled by Craig Mundie, chief technology officer for advanced strategy and policy at Microsoft, at the company's Trusted Computing 2001 forum here.

The centerpiece of the program is a kind of scoring system by which Microsoft assesses its own progress on security and privacy issues and which it intends to make available to industry groups for outside use. The three-pronged system includes a set of goals, such as availability and privacy; the means to achieve them, i.e., security and development practices; and the execution of the means, such as intent and implementation.

The plan is a result of Microsoft's own dissatisfaction with the way that network security and privacy have evolved in recent years, Mundie said.

"We have to continue as an industry to do a lot better in the design and implementation of our systems," he said. "Many of the problems we have are human problems, not computer problems."

As part of the keynote, Mundie demonstrated an application with some integrated policy-management and privacy features. As the user took certain actions, such as registering for a conference or booking flights, the software alerted the user when information was being shared, with whom and for what reason.

The alerts also showed the consequences of allowing the data to be shared and gave the user the option not to share it.

Mundie cited the spiraling complexity and scope of networks and software as the main reasons for the poor integrity and availability of today's computers.

"We all have a big problem: too many processors, spreading too fast," he said. "There are too few knowledgeable people and no real hope that we're going to get more of them. The way we program computers is unchanged from 50 years ago and is too error-prone."

During his speech, Mundie also said that Microsoft is working on a technology known as the Digital Rights Server that will apply the concept of digital rights management to all of the data on a user's computer, giving users the ability to decide how people can use the data they share with them.

Mundie portrayed Microsoft's framework as one piece of a larger, developing plan that must include industry cooperation as well as an increased investment in research by both the government and academia. Mundie's plan drew a mixed reaction from the security experts and privacy advocates gathered at the event. While some praised Microsoft's efforts to drive a greater focus on such issues, others questioned whether the initiative would gain the support it needs to succeed.

"The economics of it will be tough," said Chris Wysopal, director of research and development at @stake Inc., a security consultancy in Cambridge, Mass. "If there's no economic reason for people to go along with it, why would they?"

Mundie stressed that the plan is still in its formative stages and said that it would take a cooperative effort to make it work.

"We can't solve these problems in isolation," he said. "There's not nearly enough research being done at the government or academic level to solve these problems."