Microsoft's About-Face: Security Now Job One

As the launch of Microsoft Corp.'s critical .Net Framework draws closer, Bill Gates is launching an all-out effort to repair his company's reputation for poor security and reliability.

Gates, chairman and chief software architect of Microsoft in Redmond, Wash., has developed a broad-based plan to combat present and future security and reliability problems in all Microsoft products. Gates last week sent an e-mail to all Microsoft employees outlining his vision for Trustworthy Computing, a design, development and implementation philosophy that he hopes will restore some of the confidence that the company's persistent security problems have eroded in recent years.

The heart of the plan involves a dramatic about-face for Microsoft, with Gates calling for security to be the company's highest priority, taking precedence over even functionality, which long has been the No. 1 concern for Microsoft software designers.

"In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible," Gates wrote in the message, a copy of which was obtained by eWEEK. "We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve."

In his memo, Gates praises his company's work on the .Net Framework but said that it will all be for naught if security, privacy and reliability continue to pose problems for the platform. "Over the last year it has become clear that ensuring .Net is a platform for Trustworthy Computing is more important than any other part of our work," he wrote. "If we don't do this, people simply won't be willing—or able—to take advantage of all the other great work we do."

Gates' memo comes on the heels of two embarrassing security and reliability gaffes for the company. For five days earlier this week Windows customers were unable to download a critical security patch for a vulnerability in Internet Explorer when a DNS error made the server with the patch unreachable. And, on Wednesday, the Microsoft Developer Network servers became overloaded when millions of developers simultaneously tried to download the final code for the .Net Framework.

The apparent shift in priorities to security has softened even some of Microsoft's harshest critics.

"As a longtime Microsoft skeptic, it's hard to take any press announcement from them seriously. But this one comes from Gates himself," said Bruce Schneier, chief technology officer and founder of Counterpane Internet Security Inc., in Cupertino, Calif., and a vocal critic of Microsoft's security practices. "I congratulate Bill Gates on his willingness to move the company in this manner. If he can actually implement these sorts of changes within Microsoft, it will represent a sea change for the company. To have Microsoft as a company focusing on security will make the Internet a safer place."

Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in The Net Economy.