Want CNET to notify you of price drops and the latest stories?

Gates: Security is top priority

An internal Microsoft e-mail tells the software giant's employees that security and privacy are the most important issues for the company's products.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
Microsoft Chairman Bill Gates has set security as the top priority for the software maker's products, a shift that analysts say can't happen soon enough.

In an e-mail sent to employees Tuesday, Gates said the company intends to shift from focusing on features to spotlighting security and privacy.

"When we face a choice between adding features and resolving security issues, we need to choose security," Gates wrote in the e-mail, a copy of which was forwarded to CNET News.com. "Our products should emphasize security right out of the box."

Calling the new initiative "Trustworthy Computing," Gates billed it as the "highest priority" for the company.

Gates also addressed the matter of privacy. "Users should be in control of how their data is used," Gates wrote in the memo, which was first reported on by the Associated Press. "It should be easy for users to specify appropriate use of their information, including controlling the use of e-mail they send."

The message to the Microsoft troops comes after a recent set of security and reliability problems that have added fuel to long-simmering worries about the defensive capabilities of the company's software.

"Microsoft has a serious image problem when it comes to the reliability, security and stability of its network services and products," said Richard Forno, chief technology officer for information assurance company ShadowLogic.

On Tuesday, the software titan finally fixed a technical glitch in one of its servers that had caused consternation among Windows users. The error caused the company's automated updating system to fail frequently during a five-day period.

Microsoft, feds: Security plagues them both
Alan Brill, managing director, Kroll Security

="" onclick="window.open('http://www.cnet.com/radio/radio_load.html?showType=ondmd,sid=nws,asset=0117kroll','radioplayer','toolbar=no,location=no,directories=no,status=no,top=no,scrollbars=no,resizable=no,width=295,height=175,left=200,screenX=200,top=100,screenY=100');" rel="follow">Play clip
That problem reflected poorly on Microsoft's .Net initiative, a major undertaking designed to give consumers secure, easy and round-the-clock access to businesses via the Internet. The .Net umbrella covers virtually all of Microsoft's development, governing how new software should be designed, and involving new products for building the software and hosting services.

Last month, the company revealed a serious flaw in its flagship Windows XP operating system--software that had supposedly benefited from its latest push for program security, known as the Secure Windows Initiative. The efforts have produced mixed results.

In addition, the Code Red and Nimda Internet worms last year attacked vulnerabilities in Microsoft's Internet Information Server Software. In November, a flaw in Microsoft's Passport authentication protocol--a key part of .Net--allowed intruders to access consumer financial data stored in the company's Wallet, an e-commerce buying service.

Gates apparently does not send many memos to all Microsoft employees, particularly since turning over the CEO position to Steve Ballmer at the beginning of 2001.

"It's significant when he does send out an issue-oriented memo," a Microsoft representative said.

"The mail demonstrates a stepped-up commitment in the area of security and a call to action from the executive level on down aimed at the critical challenge of building safe and secure software and services for our customers," the representative added.

Analysts agreed that the change is an essential one.

"Obviously, Microsoft's .Net strategy could never succeed if they kept having as many security problems as they have been having," said John Pescatore, research director for Internet security at Gartner. "It's one thing to buy a CD-ROM with a security problem. It's another thing to connect your computer over the Internet to theirs.

"Without security, .Net fails, and Microsoft made a big bet on .Net and Web services," Pescatore said.

In the memo, Gates said the Trustworthy Computing concept is vital to the success of .Net.

Gates added that his call should carry the same weight as two earlier, major strategy shifts for the company--the outlining of .Net two years ago and the now-famous Internet "tidal wave" memo Gates penned in the mid-1990s that led to the company finally tackling the Web head on.

"Over the last year it has become clear that ensuring .Net is a platform for Trustworthy Computing is more important than any other part of our work," he wrote.

Pescatore said the new focus on security reflects a change in Microsoft's customer base.

"The culture was built on desktop operating systems; it was built on putting all the control in the hands of the user," he said. "(Then) they started selling software to enterprises, and enterprises said, 'Wait a minute, we don't want to put control in the hands of the user.'"

But while the new strategy comes with orders from on high, it may still take awhile for the company--and customers--to change gears.

"You're looking at 18 months. They moved very quickly in 1996 in changing things around" to a focus on the Internet, Pescatore said. "But the Internet was like a new feature. It's another thing to say, 'Floss your teeth every night.'"

ShadowLogic's Forno thought the message sounded similar to Gates' Internet memo, and he offered a critique that echoed reaction to that exhortation.

"My gut feeling on this announcement today is that it's a PR blitz, pure and simple," Forno said.

Staff writer Joe Wilcox contributed to this report.