Microsoft Corp. has come far to deliver on its “Trustworthy Computing” promise, but more needs to be done, Microsoft Chairman and Chief Software Architect Bill Gates said in an e-mail late Thursday.
“While we’ve accomplished a lot in the past year, there is still more to do — at Microsoft and across our industry,” Gates said in the e-mail sent to a mailing list that is part of a Microsoft marketing effort called Executive E-mail. ( www.microsoft.com/mscorp/execmail/)
The e-mail comes a year after Gates announced the Trustworthy Computing initiative, a Microsoft-wide focus on securing its products. As part of that initiative, Microsoft halted the development work of thousands of software engineers for 10 weeks to train them to look at software like hackers do. This resulted in the in-house discovery of many security bugs, Gates said.
In the past year, Microsoft created new product design methodologies, coding practices, test procedures, incident handling and support processes to improve the security of its products, according to Gates. The Redmond, Wash., company spent some US$200 million on improving Windows security alone, he wrote.
“A secure computing platform has never been more important. Along with the vast benefits of increased connectivity, new security risks have emerged on a scale that few in our industry fully anticipated,” Gates wrote. He cited data from the Computer Security Institute and the U.S. Federal Bureau of Investigation (FBI) that cyberattacks caused an estimated US$455 million in damage in the U.S. in 2001.
This year, Microsoft will release several new products that have gone through its new security review process. Windows Server 2003 is now due in April, after several delays. New versions of the SQL Server database, Exchange Server messaging software and Office productivity software are also planned.
When the products become available, users will notice that many features potentially posing a security risk will be disabled by default. In the past, a feature was typically enabled by default if Microsoft thought there was any possibility that a customer might want to use it, Gates wrote.
In the future, marrying software and hardware security on a PC will help eliminate “weak links” in computer systems, Gates said, referring to Microsoft’s Palladium project. Palladium has been hailed as either a potential saviour or a scourge for computer security and user freedom.
Gates in the e-mail also promoted the use of smart cards. Microsoft employees who want to remotely access their company’s systems now have to use one, Gates wrote. Smart cards can authenticate a person’s identity when inserted into a card reader.
“We are working with a number of major customers to implement smart cards as a way of minimizing the weak link associated with passwords,” Gates wrote. “Over time we expect that most businesses will go to smart card ID systems.”
Smart cards can be a part of Gates’ strive to make security simple. Customers should not have to choose between security and usability, he said, adding that this is “a long-term effort.”
“In the Digital Decade we’re now embarking on, billions of intelligent devices will be connected to the Internet. This fundamental change will bring great opportunities as well as new, constantly evolving security challenges,” Gates wrote.
For now, there are three things Gates said computer users can to do to help make computing more secure: “1) stay up to date on patches, 2) use antivirus software and keep it up to date with the latest signatures, and 3) use firewalls.”