Microsoft: Does it pay to be safe?

An executive says the software maker is considering charging for extra security options and admits that the company didn't move on security until customers were ready to pay for it.

Peter Judge Special to CNET News
PARIS--Microsoft is considering charging for additional security options and acknowledges that it didn't move on security until customers were ready to pay for it.

The company "may offer new security abilities on a paid basis," Microsoft Chief Technical Officer Craig Mundie said here at this week's RSA Conference on tech security. Such a possibility is one of many under consideration within Microsoft's security business unit, recently set up under its own vice president, Mike Nash.

The idea is still only hypothetical, but it represents an acknowledgement that Microsoft sees security not only as a necessary condition to reassure existing and future customers, but also as a potential source of revenue.

Speaking to CNET News.com at a Gartner conference in Orlando, Fla., Microsoft CEO Steve Ballmer clarified Mundie's statement.

Ballmer said Microsoft has a group chartered with developing additional security products. Currently, he said, there is no plan in place to charge customers a fee for additional security services. But Microsoft most likely will introduce new security software, similar to its existing firewall software.

In presenting Microsoft's secure-computing initiative, Mundie defended the company's reluctance to follow through and accept legal responsibility for the security of its products.

"If we took that responsibility, say for a big contract at Airbus, I would have to take out a giant insurance policy from Lloyds or another insurance broker, and pay a giant invoice," said Mundie. "The product would then cost not 50 euros, but 50 million."

Legal liability would cost the customer greatly, he said, and contracts like the one he described were the exact opposite of the usual situation. "In such a situation, the computer must not change, and only technicians could touch it. This is the antithesis of the general-purpose, mass-market business."

Windows runs an arbitrary set of applications in an arbitrary configuration with arbitrary devices, Mundie said. "The operating system is designed to run on machines that are not designed yet."

Although Microsoft could demand that it create the drivers for all hardware, the industry would not accept that. "Each time we accede to the reality of the industry, we accede to the problem," Mundie said.

Asked why it has taken Microsoft 25 years to put secure computing at the forefront of its efforts, he said it's "because customers wouldn't pay for it until recently."

Admitting this was a flippant answer to a flippant question, Mundie said that chief information officers had only recently begun to demand security and that it is only in the last 10 years that Microsoft has attempted to play in the security-heavy worlds of banking, payroll and networked systems.

News.com's Mike Ricciuti contributed to this report from Orlando. ZDNet UK's Peter Judge reported from Paris.