
Microsoft Security Chief Has Work Cut Out for Him

TIMES STAFF WRITER

When Microsoft Corp. Chairman Bill Gates pledged in January to transform the company’s approach to security and privacy, the software industry sensed a coming sea change.

“Trustworthy computing is more important than any other part of our work ... the highest priority,” Gates wrote in a memo to Microsoft employees Jan. 15.

The details of Gates’ strategy have been scant, but the company took a major step forward Jan. 31 with the hiring of former Department of Justice computer-crime head Scott Charney as chief security strategist.


Charney, 46, is a cybersecurity specialist at the accounting firm PricewaterhouseCoopers, where he oversees anti-hacking systems and conducts cybercrime investigations. He starts at Microsoft on April 1.

Charney brings credentials as an aggressive prosecutor experienced in the cross-border investigations that tend to follow today’s computer hacking episodes. Under his direction, the Justice Department in 1994 sent to jail members of the Masters of Deception, well-known hackers who had successfully obtained phone and credit agency records.

He will report to Craig Mundie, one of Microsoft’s two chief technical officers.

Security experts say that to succeed, Charney must fundamentally change the company’s design process, which is widely viewed as sloppy and error-prone. In scores of cases, the company has added features to a product, waited for users to encounter inevitable security holes, issued a software “patch” for the worst problems and ignored the others.

“The only way to change the culture is to put a barking dog at the head ... who can instill fear,” said Fred Hickey, editor of the High-Tech Strategist, a financial newsletter.

People often succeed at Microsoft “largely by dint of their relationships or the ability to convince people that they are right,” Mundie said. “To some extent, you can say [Charney’s] power emanates from me and Bill Gates.”

*

Some Wonder Whether Focus Will Be on PR

But as the outlines of Gates’ “trustworthy computing” initiative take shape, industry experts are skeptical about whether Microsoft is prepared for the depth of change it implies.


Charney will split his time between Washington, D.C., and Microsoft’s Redmond, Wash., headquarters. That arrangement, combined with his lack of engineering experience, suggests to some analysts that his focus will be tracking down hackers and lobbying lawmakers, instead of dealing with software design problems inside the company.

Charney may have been selected “because Microsoft needs good PR,” said John Pescatore, a security analyst with Gartner Inc.

But the way Microsoft introduced its new approach suggests it may be more serious. Sweeping pronouncements by Gates have been rare. His decision to orient Microsoft products toward the Internet in 1995, and more recently to build Web-based software services under the “.Net” rubric, radically altered the company’s products and the markets they dominate.

Even if the security effort is motivated partly by public relations concerns, analysts agree it is well timed. The Sept. 11 terrorist attacks vaulted security awareness to the top of public consciousness and the business agenda.

“Microsoft is in a unique position to shape the future of information technology and to help drive security as a critical component of our information infrastructure,” Charney said.

He faces a daunting challenge. Although no software is impervious to hackers, the dominance of Microsoft’s products has made it a prime target.


In December, a problem in the company’s flagship Windows XP operating system--touted as the safest ever--allowed hackers to take control of a user’s PC over the Internet. The problem was so dangerous that it triggered an FBI alert.

Bugnet, an online publication that tracks software flaws, has reported 287 security-related problems in Microsoft products since January 2000, or about one every 2 1/2 days.

Because the company’s software is nearly ubiquitous, improving its security would have far-reaching effects. And competitors would be compelled to clean up their own problems, said Doug Tygar, a professor of computer science at UC Berkeley.

“Using the Web has become an increasingly unpleasant experience because of the security and privacy problems,” he said. “Making the Internet a safe place is going to be absolutely key to its continued success.”

Heeding such warnings, Microsoft sent its entire Windows development team, about 8,000 people, into a security course the first week in February. They will cease development of all new features for the rest of the month, instead probing the Windows code base--the basic programming instructions that define the company’s operating-system products.

Mundie called the move unprecedented in the industry. He pledged that Microsoft would delay the release of new products if needed to close security holes.


Analysts applauded those moves as tangible evidence of the company’s good faith.

“They are getting more serious,” Hickey said. “Gates senses that his company’s position is threatened if they do not follow through.”

*

Watching for Changes in Product Development

Other experts are waiting to see whether Microsoft will change what they view as a flawed product development culture.

“Look at the stars at Microsoft,” Gartner’s Pescatore said. “They’re not the ones who said let’s ship late, with fewer features, to make sure the product is secure.”

Unlike the push to the Internet, trustworthy computing is not a “bet-the-company” initiative, said longtime Microsoft watcher Jeffrey Tarter, editor of Soft-Letter, an industry newsletter. He compared the security push with a campaign in the 1990s to improve the company’s once-abysmal technical support. In that case, Microsoft spent billions of dollars to enhance phone and online response.

Tygar and other security experts say that Microsoft should look at the tight integration between the Windows operating system and applications such as word processing and e-mail. Such links increase user productivity, but often open security holes.

Microsoft has generally tried to shield users from the hassle of endless software settings by automating security functions.


Charney subscribes to that basic approach. “You can make a system so secure that it’s not useful,” he said.

Ironically, experience suggests that hiding complexity too zealously can work against secure operations. For example, Microsoft boasts that its server software, designed to manage Web sites and networks of computers, is easier than competing products to set up and operate. Analysts say that ease may encourage complacency among the people who run those servers.

“You get an awful lot of Microsoft servers set up with simple default settings or security patches not installed, because the people who run those servers, on average, are less skilled,” Tarter said.

Vulnerabilities involving Microsoft server software accounted for more than 85% of 129,000 hacking episodes at 300 companies in the last half of 2001, according to Riptech Inc., an Alexandria, Va., computer security firm.

Mundie acknowledged that computer users must get used to spending more time and money keeping their systems safe and that Microsoft and other vendors face a public education and customer confidence challenge.

Charney described his own security philosophy as one based on prevention.

“A lot of people ... want security to be an event, like [responding to] a fire,” Charney said. Instead, it requires continual vigilance and reevaluation of how products are designed, he said.


Experts view that approach as enlightened. But they say that Microsoft should also tie pay raises and promotions to strong security.

Mundie said that security has always been a factor in Microsoft’s compensation and may take on added importance. But the company plans no fundamental shift in incentives.

Microsoft Security Bugs

Notable Microsoft security incidents. Microsoft or independent anti-virus firms have issued software fixes for the problems.

Dec. 20, 2001: Windows XP operating system shown to have flaws that could allow hackers to take control of a user’s PC over the Internet.

Nov. 13, 2001: Flaws revealed in Microsoft’s Internet Explorer Web browser that could allow hackers to break into cookies--the electronic files that contain personal Web-surfing data and account information for e-commerce.

Sept. 18, 2001: “Nimda,” a malicious software “worm,” begins its infection of more than 1.3 million PCs and Web servers using Microsoft products.


July 19 and July 31, 2001: Two strains of the “Code Red” worm infect and temporarily shut down hundreds of thousands of Web servers that use Microsoft software.

July 15, 2001: The “Sircam” virus spreads via a security flaw in Microsoft’s Outlook e-mail product, infecting millions of PCs.

May 3, 2000: “Love Bug,” the worst virus ever, spreads via Microsoft Outlook, infecting millions of PCs.

Microsoft software runs about a quarter of Web servers, but is the target of the majority of Web defacement attacks.

Web server software market share *

Microsoft: 26%

Other:74%

Percentage of defaced sites

Microsoft: 60%

Other: 40%

Defacements: about 30,000 since April 2000

* Market share as of Jan. 2002

Sources: Alldas.de archive, Netcraft.com.
