Steve Ballmer, chief executive officer at Microsoft Corp., was in Toronto at the end of February for the CanWin04 conference, and he took some time out to speak to ComputerWorld Canada editor Michael MacMillan and department editor Chris Conrath. The following has been edited for brevity and clarity.
This is the first time that we have seen really palpable anger directed at Microsoft, especially after the ASN.1 vulnerability. What is your strategy over the next two to five years to solve ongoing security concerns?
I’ll say two things. We have tried to be pretty articulate about a whole path of action that we’re taking to improve the entire security environment. They range from new patch technology, smaller patches, the ability to recall a patch. If you find an application compatibility issue that somehow prevents the patch (from working properly), we have new patch management technology out, Windows Update Services, new Internet firewall for each PC on SP2 version of Windows (XP), and shield and quarantine technology because you are not going to get all machines to update to XP. You have to have a way of checking before you let a machine on the network, whether that machine is actually clean enough to run on my network because that is a big source of virus transmission – people bringing a machine from home to work. Partnerships with the ISPs, because the ISPs can be an important part of shutting down these issues. And a new development process that is built around releasing more secure products both in terms of the way we train people, and the milestones that we put into our development process.
There is a huge amount of effort, so we’re going to be best in class. Whether we are best in class or not today, A: who knows and B: who would care? Nobody knows because our stuff is so much more popular than whoever the number two guy is in the market.
And number two, who cares because our stuff is not acceptable, it is not what people want in terms of a security experience and I know that and I understand that. So we have got priority one. This may sound like a funny thing to say in this environment: I think that security is going to be a strategic advantage for us over the next two to three years.
The second point that I want to make: security is not a strategic advantage for us today. Because the theory is that everybody attacks us and nobody attacks the other guys, the other guys must be OK. There is no reason to believe that either; if the other guys were popular, believe me, our guys would know how to hack them. We wouldn’t do it, but our guys would know how to do it. It is not like any other system out there is so unhackable; they’re just not that popular. But that is not the issue – we work to make security an advantage. So that if anybody does an objective evaluation, they say ‘yep, Microsoft is out front.’
The second point is exactly that: we need to be as good as we can be, and at the end of the day what we need to be is better than other guys. We are not good enough, we need to be both good enough and better than other guys.
But what is going to change internally? Are you going to fundamentally change the way you put out code?
We did. Done. We did three key things, very critical things. The world is more complicated and we are going to get attacked. Number one: We’ve got to teach our developers about that world and teach them what it means to design and write more secure code. That is number one – 11,000 people in Microsoft went through that training. It is a big step.
Number two: we are going to change our software development and release process. We have revamped the milestone process. How and when and where do you check, not just at the end, but all along on the security (process). We call that our trustworthy computing release process. We have put that in place. The first product to come out under that release process, with the training, was Windows Server 2003. In the first 10 months that it has been in market, nine important security bulletins compared to 40 on Windows Server 2000. Just to give you a sense. So that is second.
Third is tools and research. The truth of the matter is we have got really smart guys, really smart guys. But even really smart guys are people. The way you are supposed to do things in life, if you want someone to do something better, you give them a tool to help them do it better. So our research team is focused on how we provide tools so that our team produces more secure code. One is how do we produce tools that can somehow go through source code and look for potential security vulnerabilities? We’ve done that, and those tools we’ll make available for our customers, since our customers need the same tools. The hacker who wants personal fame attacks Microsoft. The hacker who wants to make money doesn’t attack us, they’ll go and attack some bank or steal identities some place. So that is one thing that we have done. Another thing, we have our research guys designing new hacks, new threat models. It sounds like a crazy thing, but how can you train your programmers, how can you build your release process, how can you build your tools unless you are trying to get one, two, three steps ahead of the hacker in terms of thinking of a new threat model? So we have got a team working on new threat models so we have new defence models.
You made some changes to software licensing. Are you currently satisfied right now with licensing arrangements the way it is or do you see any tweaks or changes in the future?
I would not make changes lightly. We didn’t make changes lightly last time but somehow we wound up with the weirdest situation. We went out to do something to simplify licensing, to keep us revenue neutral and to keep the customers whole. And the customers said, ‘I am not sure it is simpler, because I understand your old thing and now there is a new thing to understand, number one. Number two, it looks to me like it might be a price increase, but then our financial reports don’t show any sign of a price increase.’ So what you could say is we had this sort of triple crown of backfire.
So do I think there is an ongoing opportunity to improve the way people license our products? Yes. Would I move slowly, ponderously, deliberately, methodically before I ever make another change? Oh so slowly, so ponderously. In what way? I don’t want to say too much because that would imply that we are close to a change. This morning we had roughly 1,000 folks (at the Metro Toronto Convention Centre).
I asked, “Any questions?” A guy wants to talk about licensing (Ballmer claps loudly, referring to the response from the audience). So what is the question? ‘When are you going to make it simpler?’ So I ask: ‘Do you want us to have fewer options to license our product?’ (Ballmer claps but this time lower volume in response to less of a crowd response). If we had a tool that just ran through your environment and gave you a report, and as long as you had purchased enough licenses to meet within that report, is that what you are asking for (less clapping)? Then I say to them, ‘Suppose we have some kind of – pure thought speculation – thing where I have this many PCs, and I’ve got this many servers, and we ran some formula based on the number of PCs and servers that you have, that for this amount of money per year you can use it for everything we do’ (huge response). They are screaming in the aisles.
But can I get rid of the licensing? No, because some guy would probably figure out that it cost him more than what we have today. So that is how we wind up with all these options. We hate to take away one option when we introduce a new one because somebody might find it more expensive, more complicated.
Is Microsoft confident it can take on all comers?
We are coming from behind in high performance clusters, let’s face it. But, with a few exceptions, I absolutely think that we have the best value propositions in the market. And as long as, let’s say, the merits of the argument in a sort of a business sense carry the day, we tend to do quite well. There are some governments, not in Canada, primarily where the issues tend to get politicized and it is not the merits of the argument. People want to get into culture, mono-culture, bi-culture, multi-culture, people want to get into Americanism versus non-Americanism, people want to get into right wing politics versus left wing politics. You go to Extremadura, Spain, which is a problem place for us just like Munich; none of it has to do with the merits of the case. For the city of Munich it is clear: they took a path that is now looking to be clearly higher total cost of ownership.
Explain Microsoft’s total cost of ownership advantage over Linux.
Absolutely. When we are talking about total cost of ownership, our software is not that expensive. For most IT projects what percentage of the cost is our software? Two per cent, one per cent, four per cent over the life of a project? What are we, three per cent? There is hardly a company around where our software is more than like two per cent of their IT budget. So total cost of ownership isn’t about our software licensing, it is much more about what it takes to implement, make it happen, do the development, run the applications. It always is.
I am not saying that our prices are too high, too low. Somebody can have that argument. But in the total cost of ownership argument, our software is not the thing that throws this over the hump. Do you have to write your applications or buy applications off of the shelf? Do you have to manage the tools? For all the discussion about security, there is still much more of a security environment around Windows, much, much, much better security environment around Windows than there is Linux. There are plenty of people who can help protect one, that won’t help you protect the other. You put it all together, and what you find is total cost of ownership, and I’ll take the test every time, and we are gonna lose some. Particularly in government if the cost of procurement is lower, maybe that is the thing that makes the difference. You will have some non-politicized governments and some politicized. Munich was politicized. I was told flat out in Germany, that you are going to get the business back as soon as party X gets thrown out and party Y gets back in.
There is a move off of Unix onto the likes of Linux. How does Microsoft stack up?
Look, if I’m gonna build a line of business application, if a company has Unix skills, or if they are porting folks from Unix, I think that we have got a winning case. OK. If you have somebody that is trying to do Web hosting, that is an area that I think we have a stronger value proposition, by far today, but I think that it is an area where we didn’t have the strongest value proposition two years ago. The best way to save money is to move to cheap Intel compatible hardware (off of proprietary Unix hardware), and I actually think we have a pretty good case for the move. You know, we are not able to argue today. We have a better Unix than Unix. Linux can probably argue that they are better at Unix than we are even though I actually think that we are awfully darn good.