January 16, 2003 12:37 PM PST
One year on, is Microsoft 'trustworthy'?
The company has spent millions to train staff in privacy concerns and secure programming, while building new tools and processes to help create reliable software.
But critics--and Microsoft's own executives--said much more work remains.
"A year after, the verdict is mixed," said Bruce Schneier, chief technology officer for managed-security company Counterpane Internet Security. "Some stuff, it's too early to tell; some stuff, they haven't gotten; and some, they've improved."
That's an assessment Microsoft readily concedes.
"We said that Trustworthy Computing is a 10-year project, sort of like (President) Kennedy sending people to the moon," said Scott Charney, chief security strategist for Microsoft. "We're (only) a year into it. We want to get to a point where the end user says, I trust this technology, my privacy is protected, and it is reliable."
In January 2002, Chairman Bill Gates sent a memo designed to rally Microsoft employees to the cause. The company typically uses such memos to indicate major changes in direction. Similar e-mail messages kicked off the company's .Net initiative in 2000 and its push to be more Internet-centric in 1995.
"Today, in the developed world, we do not worry about electricity and water services being available," Gates wrote in the memo. "With telephony, we rely both on its availability and its security for conducting highly confidential business transactions without worrying that information about who we call or what we say will be compromised. Computing falls well short of this."
As part of the company's internal celebration of the first anniversary of Trustworthy Computing--and as a less-than-subtle reminder for the troops--Microsoft will soon launch an internal Web site to let product groups and employees know what resources are available.
The company has made obvious changes in its approach to security and privacy, the two most visible of the four "pillars" that make up the initiative. Far fewer changes are evident in the other two areas: reliability and business integrity.
Among the most noticeable changes, Microsoft has delayed its Windows Server 2003 operating system, the server counterpart to its Windows XP desktop OS, three times. The delays have been attributed, at least in part, to additional cautions taken by Microsoft programmers to guarantee the operating system's security.
No obscurity for security
To its credit, Microsoft has shown no qualms about choosing security over the bottom line for Windows development. The company essentially halted product development early last year while about 8,500 developers were trained in secure programming and then vetted the majority of the Windows code. The total price tag reached about $100 million, according to company executives.
Michael Howard, senior program manager and the security trainer for the internal development staff, said early indications are that the training has paid off.
"My way of seeing whether we are making progress is looking at what is being checked back in (to the source code database)," Howard said. "If security bugs are being checked back in, then we are not doing our job. So far, with .Net server, the code we have reviewed has not had bugs checked back in."
Employees also treat the company's security personnel differently, said Jonathan Schwartz, the software design engineer for Windows Security at Microsoft. He joked that many of the security folk used to be seen as "the crazy voices from off in the woods."
"We understood what a buffer overflow was, and we would yell and scream until it got fixed," Schwartz said. Now the security team has the opposite problem: More people point out bugs, and many are relatively minor.
Such changes aren't readily apparent outside the company. The number of security advisories posted by Microsoft in 2002 jumped to 72 from 2001's 60. Yet, such numbers are not a true measure of what is happening at Microsoft, said John Pescatore, research director for Internet security with market researcher Gartner.
"The key indicator is whether they have changed the product-line mind-set," Pescatore said. "And there, I really see changes."
The software giant's first litmus test will be when Windows Server 2003--formerly called Windows .Net Server--ships in April. "When .Net server ships and people start hammering on it, then we'll know," Pescatore said.
But Microsoft's Howard is quick to limit expectations of a bug-free server. "I hate to use the analogy, but it's like terrorism," Howard said. "We have to get everything right, but the attacker only has to find one flaw."
At least one Microsoft customer is pleased with the company's progress.
"From the moment Microsoft acknowledged that they were lacking in the security arena, the program was a success," said Robert W. McLaws, president of Mesa, Ariz.-based Interscape Technologies. "There is an old saying, 'If you put your mind to it, you can accomplish anything.' When Microsoft puts their minds (and their massive checkbook) to a problem, nine times out of 10, it gets solved.
"They've done a great job patching up the existing flaws, and their new security models, with (Web server) IIS6 for example, are top-notch. They are by no means finished, however. They have a long history of lax security to make up for."
Microsoft's private war
Trustworthy Computing's second pillar, privacy, is another area where Microsoft has made missteps in the past. Like its security push, the company's efforts aren't all that visible from the outside.
Microsoft has created a privacy handbook that spells out each employee's data-protection responsibilities. As with security, the company has instituted training courses: Privacy 101 for everyone in the company and Privacy 104 for Microsoft.com workers.
Finally, the managers overseeing privacy concerns have created a Privacy Health Index. The measuring system will become a permanent part of the company's overall Organizational Health Index, which helps management see which units are meeting company goals.
"This is a real culture shift for Microsoft," said Richard Purcell, corporate privacy officer for Microsoft. "There's no reasonable expectation of making this a quick fix."
Certainly, the company has had mixed results this year on the issue of privacy. In August, Microsoft signed a consent decree with the Federal Trade Commission, agreeing to 20 years of oversight for possible violations of policy in its Passport authentication service. The company counted the public's muted response to its Windows Media Player privacy controls as a win, however.
Of the groups focusing on privacy, the Microsoft Network seems to be doing the most. The business unit has created a privacy "champ" in every group--a person who evaluates everything the group is doing from the viewpoint of protecting data. And policies are set at monthly meetings of a 15-member Privacy Cabinet.
Those efforts will continue throughout the company, said Purcell. "We want to move on in the next year to look forward to a fuller design process for privacy," he said.
What's not to like?
The Trustworthy Computing initiative's two other pillars--reliability and business integrity--are largely in the planning stages.
On the reliability side, the most visible initiative may be Dr. Watson, the bug reporting program that pops up within Windows every time an application crashes. Despite some privacy problems, the program has been successful, leading to the discovery that nearly 50 percent of all crashes are caused by only 1 percent of applications.
S. Somasegar, corporate vice president of Microsoft's Windows engineering services group, said the company needs more tools and initiatives to make its products more reliable.
"If the customer decides to buy a product, how do we in the product group provide the best product experience?" Somasegar asked. "That is what we are looking at in this initiative."
Somasegar, who's responsible for a diverse array of engineering services, stressed that programs such as Watson, along with new bug-catching tools and better support automation to allow for quicker responses to customers, are just some of the ways Microsoft is improving its products and services.
"I want every customer out there to feel and know that they have a good relationship with Microsoft," Somasegar said. Although the company's engineering staff got the message, it's another matter to put it into practice all the time. "If you talk to an engineer today, they will tell you all the right things. But is everyone connected to the customers in the best way? No, we have a ways to go."
The company's reliability initiative needs work, but it's underway. However, business integrity--Microsoft's catchall term for initiatives that improve the company's relationship with customers--has hardly begun.
"We have learned a lot this year--especially with the licensing issues--that we should go out early and talk with the customers," said Susan Koehler, chief Trustworthy Computing strategist, whose job is to make sure all the pillars of Microsoft's effort work together. Koehler is also acting as the head of Microsoft's business integrity initiative.
A change in software licensing raised hackles in 2002. The Windows XP and Office XP licensing plan, announced in May and implemented earlier this month, compels customers to switch to a model where they annually pay up front for upgrades under a two- or three-year contract known as Software Assurance.
Many analysts criticized the plan, with Gartner saying it effectively raised fees for companies that buy large volumes of software. Many Microsoft customers have also slammed the plan and say they are looking at alternatives to Windows and Office.
Koehler believes better communication on Microsoft's part could have diffused the problem.
"When people think about licensing, they feel it's all about price," Koehler said. "But in reality, price is one aspect and value is another."
While many critics are waiting to see whether Trustworthy Computing starts gaining more credibility among businesses, the software industry is already feeling pressure to match the company's stated commitment.
"Trustworthy Computing is a statement of a need to make technology as secure as development processes can make it," said John Swartz, president of security software company Symantec. "We strongly subscribe to that belief, but there is a lot of work to be done."
Microsoft doesn't disagree. However, Steve Lipner, director of security assurance, stresses that the company can keep the momentum going in the right direction.
"It's not something that--bang--you realize Trustworthy Computing," Lipner said. "One morning two years (from now), you'll look back and say, Things are really different."