
It started with a memo


Yesterday marked ten years to the day since Microsoft founder Bill Gates sent an internal memo that led to the foundation of its Trustworthy Computing division.

The original memo is available here, but to summarise, Gates called Trustworthy Computing "the highest priority for all the work we are doing" and said "we must lead the industry to a whole new level of Trustworthiness in computing".

The concept was about more than trust and simple security; it was about capability. As Gates said, the 9/11 attacks and disruptive malware "reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure".

With foresight of which HG Wells would have been proud, Gates said: “Computing is already an important part of many people's lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.”

He also said that "eventually our software should be so fundamentally secure that customers never even worry about it". Well, we would like to think that it is, but has that actually been achieved? Gates said the key aims of the Trustworthy Computing project should include availability, privacy and security.

With regard to the latter, he said: “The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.”

He also claimed that "our products should emphasise security right out of the box and we must constantly refine and improve that security as threats evolve". He referenced changes in Outlook to avoid email-borne viruses, with any possible privacy compromise issues resolved first, as well as an intention to better protect important data and minimise downtime.

“These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global web services,” said Gates in 2002.

According to Threatpost, Microsoft held a small conference in Redmond on what it then called "trusted computing" ahead of the memo being sent, where software security experts discussed the principles and concepts that were the foundation of building more secure software. In the months following the memo, Microsoft began internal changes designed to refocus its developers on the idea of building secure software.

Yes, this led to some products being slower to market, but Microsoft saw the importance of building secure products – look at the long wait for Windows 8. Trustworthy Computing now focuses primarily on its monthly bulletins released on Patch Tuesday, identity and access management and the development of IT concepts, to name just a few.

My last direct dealing with Microsoft Trustworthy Computing was when I met with its general manager of communications, Adrienne Hall, at RSA Conference Europe, where she was evangelising on the future of the cloud.

The memo was not a great call to arms or a directive for all of Microsoft's staff to down tools and be more secure; it was more about Gates's vision of the future of secure software and how his brand had to be a leader.

Threatpost suggested that the memo created widespread acceptance that software security needed to be a top priority, and I would suggest it did more: it began a revolution that affected businesses around the world and the man on the street. It led to the industry as we know it today and to Microsoft remaining one of the most important cogs in IT and security.