Security, security, security!

That's the clarion call this month from CEO Steve Ballmer, who has a new objective: Put code vulnerabilities behind the company once and for all.

Charles Cooper, Former Executive Editor / News
Charles Cooper was an executive editor at CNET News. He has covered technology and business for more than 25 years, working at CBSNews.com, the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.
REDMOND, Wash.--Little in Steve Ballmer's two years as CEO resembles the scope of the challenge Microsoft embarks upon this month, when the company will go into lockdown mode to conduct a top-to-bottom review of its software code.

Call it March Madness, one month early.

The unprecedented move follows a company-wide memo that Chairman Bill Gates sent to employees in January, urging them to write more secure software and make customer privacy a priority.

Clearly, the heat is on to fix a pattern of software vulnerabilities that has dogged myriad Microsoft products over the years, a problem brought into sharp relief last summer by the Code Red and Nimda worm attacks.

But Ballmer, a larger-than-life figure who has a well-earned reputation as a relentless motivator, says the objective is within reach. "We're a company that pretty much can do anything of a software nature that we set our mind to," he says. He likens the impromptu mobilization for better security to Microsoft's 1995 about-face, when it suddenly focused its ambitions on Netscape Communications and the challenge posed by the Internet.

CNET News.com recently spent time with Ballmer to learn more about the company's security review and get an update on Microsoft's ongoing .Net migration.

Q: Against the backdrop of the transition to .Net and the recession, what's going to be the toughest nut for Microsoft to crack in 2002? What's at the top of your agenda?
A: Number one, we really have to work on these trust and quality issues. I'd really put that as job one. We have to work harder, smarter, better, more effectively. I could defend parts of our record and can feel ashamed of other parts of our record. I just feel we have to scale our game up, and we're dedicated to that...Everybody's read Bill's memo on that. It's trust and quality, trust and quality.

The second thing is we really have to get .Net to that next level of momentum, in the way we're building on it internally and the way we're getting third parties outside the company to build on top of it. The shipment of Visual Studio.Net is an important milestone; the shipment of the Windows .Net server will be an important milestone. And this is a set of things that we've got to do, but we have to ratchet things up in importance and help start proliferating in priority.

Q: The Gates memo made clear the importance you're now putting on trust and security. But it seems somebody's been asleep at the switch. There's a palpable sense of frustration out there. The feeling is that Microsoft products are just full of security holes.
A: People are never going to applaud the dogs that didn't bark. They're just going to get mad at the dogs that barked in the middle of the night. For years, I would say, customers thought things were fine. If you go look at our customer surveys two years ago, security was not (an issue) that would have shown up at the top of the list...and it actually doesn't show up high on the list except through the lens of security today. It's a different kind of issue. We did apply ourselves responsibly to many of the issues that are important. It's also important to remember that both because our products are popular and because we are (who we are), our stuff is a target. It's a target because it's popular, and it's a target because it's more fun to disrupt our stuff than Linux's stuff.

Then you get the economic climate and 9/11 when, in general, people's focus on security is higher, and we get two really bad issues in the summertime against our stuff: Code Red and Nimda. We had fixes, but people aren't applying patches--again, it gets back not to the reliability issue but to the maintainability issue of how easy is it to deploy...Bill and Craig (Mundie, a Microsoft senior vice president) are deeply involved in the issue, and we just say we're a company that pretty much can do anything of a software nature that we set our mind to. (Banging table for emphasis.) Darn it! We're going to set our mind to it in a very new way. But people have to feel it in a tidal-wave sense, just the way we felt the Internet.

Q: Partly, your legacy is one of building products for individual desktops and local area networks. But now that you're moving to the Internet, is there a core code issue?
A: I think the core code is OK. It's not like the core design is bad...The core design is like the core design of other operating systems. There are about five decisions people get to make differently, but basically, a lot of these decisions get made more similarly than differently. I do think that in terms of our testing and validation approaches, we need to emphasize more the things that we were not emphasizing.

If you look at most of the issues that have come up in the form of a big problem, most, frankly, were stupid, small coding problems that people took advantage of. Shame on us. We'll be in a position where it's not mostly small coding problems sooner than later. Then we'll get into harder issues.

Q: But is it a question of taking Outlook or even Office applications and starting from zero?
A: There are some modifications we have made and will continue to make in the extensibility model, which will be helpful. Again, it doesn't involve a complete throwing out of the old, in with the new.

Q: The security review could slow things down from the development side of things when you recheck your code. When it gets down to crunch time for shipping deadlines and people find security holes, what are you going to do? Wouldn't that hurt your bottom line?
A: It might or might not. I think it's going to help our bottom line. (Business consultants) will tell you that quality always adds to profit. It doesn't hurt it. Does it really hurt you to delay a product for a month, two months, three months? If your customers are a lot happier, they're much more inclined to buy it. They are more inclined to deploy if you don't have so many support costs behind it. I don't think it hurts our bottom line. I think it's entirely consistent with our bottom line.

Q: The other problem with security is that people don't know when you do it right. But they always know when you do it incorrectly. From your thought process, how are you going to sell the security side of things?
A: I don't know if we will. I think your characterization is correct. People are never going to applaud the dogs that didn't bark. They're just going to get mad at the dogs that barked in the middle of the night...You have to get into a position where you've been doing it so well for a lot of years and then your competition doesn't do it well. That's the only way you get a differential advantage.

I know where we're coming from, shall we say. We've got a long time before we'd be in a position to throw stones at anybody else. We have some competitors who are happy to throw stones at almost anything, so who knows what's good for them. But for me, I just think it's something we have to work at. It's key to making this a more and more successful company.

Q: Are there any circumstances under which you guys would be interested in participating in the Liberty Alliance?
Editor's note: The Liberty Alliance Project was founded by Sun Microsystems and other computing giants. It aims to simplify how digital identity is handled on the Internet, and it competes with Microsoft's Passport authentication service.

A: I'm the kind of guy who's pretty optimistic about everything in the long run and pretty pessimistic about everything in the short run--until there's some data to the contrary. It's conceivable. We've certainly talked to a variety of participants in the Liberty Alliance about participating, but there's always a bunch of issues about IP and what patents you have to give up.

Q: Are customers coming to you asking about that?
A: Some of the ones who are in Liberty have said they'd like to have (Microsoft) in Liberty.

Q: After all the e-mail that came out in the antitrust case, there's been a lot of interest in the security issue. Are you going to create an API (application programming interface) that other people can interoperate with?
A: The (digital rights management) stuff will be in the operating system, so you'll be able to create an application on Windows that allows you to author and read content that has a set of security rules associated with it. That is a feature that will be built into the platform.

Q: Do you have any feel for the extent of the expected rebound in the coming year?
A: I'm probably a guy who thinks that things are going to be slow for the next six months and not fast for the six months after. I'm not trying to say they're going to be as slow as they are now. But I think things will start picking back up in the second half of the year. I think a lot of people want to be more optimistic because they want to be more optimistic.

I'm the kind of guy who's pretty optimistic about everything in the long run and pretty pessimistic about everything in the short run--until there's some data to the contrary. I have no great crystal ball, but I do know from talking to some of our customers and other participants that we're probably more bearish than some players. But we're pretty consistent with some of the guys I would think of as the guys who have the best overall visibility.

Q: In the future, isn't the bigger money going to be in offering services rather than in software?
A: I like the software business, myself. There are other great businesses and other people should be in other great businesses. We're a software company. When I see the money in .Net, I see software money. I don't see service money for Microsoft. But you could say, "Oh, but the overwhelming big revenue will be in services." And I say, I'm happy to be in a very profitable, big business that we know how to manage, that we are oriented around, that we can think about. It's a little like going to a pharmaceutical company and saying the big money is in running hospitals: "Why do you want to just be in drugs, man? You could really make some money."

Q: What's the importance of .Net to Microsoft's future?
A: It's our future platform. So everything we do, all the businesses, have to embrace it and build on top of it.