Yesterday marked ten years to the day since Microsoft founder Bill Gates sent an internal memo that led to the foundation of its Trustworthy Computing division.
The original memo is available here, but to summarise, Gates called Trustworthy Computing "the highest priority for all the work we are doing" and said "we must lead the industry to a whole new level of Trustworthiness in computing".
The concept was about more than trust and simple security; it was about capability. As Gates said, the 9/11 attacks and disruptive malware "reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure".
With foresight of which HG Wells would have been proud, Gates said: “Computing is already an important part of many people's lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.”
He also said that "eventually our software should be so fundamentally secure that customers never even worry about it". Well, we would like to think that it is, but has that actually been achieved? Gates said the key aims of the Trustworthy Computing project should include availability, privacy and security.
With regard to the latter, he said: “The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.”
He also claimed that "our products should emphasise security right out of the box and we must constantly refine and improve that security as threats evolve". He referenced changes in Outlook to avoid email-borne viruses, with any possible privacy compromise issues resolved first, as well as an intention to better protect important data and minimise downtime.
“These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global web services,” said Gates in 2002.
According to Threatpost, Microsoft held a small conference in Redmond on what it then called "trusted computing" ahead of the memo being sent, where software security experts discussed the principles and concepts that were the foundation of building more secure software. In the months following the memo, Microsoft began internal changes designed to refocus its developers on the idea of building secure software.
Yes, this led to some products being slower to market, but Microsoft saw the importance of building secure products – look at the long wait for Windows 8. Trustworthy Computing now focuses primarily on its monthly bulletins released on Patch Tuesday, identity and access management and the development of IT concepts, to name just a few.
My last direct dealing with Microsoft Trustworthy Computing was when I met with its general manager of communications, Adrienne Hall, at RSA Conference Europe, where she was evangelising on the future of the cloud.
The memo was not a great call to arms or a directive for all of Microsoft's staff to down tools and be more secure; it was more about Gates's vision of the future of secure software and how his brand had to be a leader.
Threatpost suggested that the memo created widespread acceptance that software security needed to be a top priority, and I would suggest it did more: it began a revolution that affected businesses around the world and the man on the street. It led to the industry as we know it today and to Microsoft remaining one of the most important cogs in IT and security.