Microsoft closes Trustworthy Computing as part of layoff strategy

In a surprise move, Microsoft has effectively closed its Trustworthy Computing (TwC) Group as part of the loss of 2,100 jobs in a restructuring plan announced late last week.

Stuxnet flaw remained unpatched for four years
Stuxnet flaw remained unpatched for four years

The software giant has folded responsibilities for its security and privacy programmes into its Cloud & Enterprise Division, as well as its Legal & Corporate Affairs group.

Microsoft launched its TwC initiative in January 2002. At the time, Microsoft co-founder Bill Gates said that he was redirecting the firm's software development activities to include a "by design" view of security.

TwC was launched in direct response to internet problems caused by the Code Red and Nimda worms of a year earlier, with Gates saying at the time that he wanted Microsoft to stay ahead of the curve on security.

In his briefing to employees and Microsoft users of the time, Gates said that the industry must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm.

"Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it," he explained.

Interestingly, John Lambert, general manager of network security and science within TwC, tweeted late last week that TwC was "just moving to a new home," and that SDL (security development lifecycle), operational security, pentest, MSRC (Microsoft Security Response Centre) and Bluehat are "just under a new roof."

The key question that CSOs and other security professionals will now be asking themselves is how this move will affect the security of their Microsoft products.

Steve Smith, managing director of security consultancy Pentura, said that it is initially hard to say what impact this will have on the security of Microsoft products. It could, he explained, represent a decentralisation of security management, with each development team taking responsibility for including security in the build.

"Irrespective of how Microsoft develops and builds security into its products, popular software will always have vulnerabilities that hackers will seek to exploit - and no vendor is infallible. It highlights the importance for organisations to deploy multiple layers of security to ensure maximum protection for their IT infrastructure and sensitive data against application-borne exploits," he said.

Professor John Walker, director of CSIRT and cyber forensics with Cytelligence, was not impressed. Microsoft's move is, he said, a very sad indictment on just how seriously we would seem not to be taking security.

"Not only is the world - and its IT user base - dictating the need for assured security, but our industry needs the resilience of assured security," he said, adding that, when viewed against the backdrop of the continuing success of cyber-criminals, closing the TwC operation makes no sense whatsoever.

Professor Walker, who is also a visiting professor with Nottingham Trent University's School of Science and Technology, went on to say that there are still several organisations that rely on compliance and governance to ensure the security of their IT systems.

"We would seem to have arrived at a juncture at which it is not only the main board of big name organisations who should have sleepless nights, but they should be joined by their clients, many of whom are end users of their products. For this reason, the closure of the Microsoft TwC operation needs to be viewed with great sadness," he explained.

Dennis Fisher, editor of Kaspersky Labs' ThreatPost wire, was equally less than impressed by the effective closure of the TwC, noting that, over the years, the TwC group accomplished a great deal within Microsoft.

"Breaking the group up may disperse into the rest of the company the expertise that's been concentrated in TwC, enabling the security experts to work more closely with the engineering teams and other groups inside the company," he said.

Perhaps worse, he went on to say in his analysis that it may lead to an exodus of talent from Redmond.

"Either way, it signals a turning point for Microsoft and its decade-long effort to make security a priority. Computing has evolved dramatically in that time, as have Microsoft's product offerings, priorities and challenges. Microsoft's decision to eliminate the TwC group is just another indication of those changing times," he concluded.

Sign up to our newsletters