Microsoft is marking the 10th anniversary of its Trustworthy Computing group (TwC), but has any significant progress been made since 15 January 2002 when Microsoft chairman Bill Gates sent an email memo to all employees, identifying trustworthy computing as the highest priority?
The weekly headlines about cyber attacks, data breaches, cyber crime and increasingly sophisticated malware would seem to suggest that Gates’s call to arms has failed to achieve its objective of building a trustworthy computing environment that is as reliable as utility services.
This media-driven perception, however, belies the progress made by Microsoft and the whole software industry off the back of its efforts.
“The greatest achievement of TwC is how it paved the way for the software industry generally to come out of the security closet,” says Alan Levine, chief security information officer at US aluminium firm Alcoa.
Admitting there is a problem is the first step in solving it, which is what Microsoft did, he says. The company shed light on what the security issues were and what remediations were possible.
“The TwC concept was virgin ground 10 years ago when every security gap was a secret, every software patch was an emergency, and every cyber alert was a costly, risky surprise,” says Levine.
TwC changed all that, he says, by initiating an “honest, thoughtful, proactive security conversation with anyone who was smart enough to listen, engage, and improve.”
Levine believes Microsoft’s TwC group has laid out a path for others in the software industry to follow, and they have, according to Microsoft stats.
In 2004, Microsoft’s Security Development Lifecycle (SDL), which includes privacy principles, was introduced as a company-wide initiative, having been refined from the secure software development practices that kicked off within two weeks of the Gates memo two years before.
The SDL has helped set the standard for the industry, with other companies adopting it or basing their secure development practices on it, as Cisco and Adobe have done.
Microsoft says there have been nearly 700,000 downloads of SDL tools and methodology, which is designed to apply to any platform.
SDL Agile, which is targeted at developers working on applications with shorter development cycles, and works across cloud platforms, has been downloaded over 18,000 times.
Internally, Microsoft measures the success of the TwC group in various ways, including the number of vulnerabilities identified in a product a year after its release.
In the case of Windows Vista, the first Microsoft operating system to be developed using the SDL, 45% fewer vulnerabilities were reported a year after launch than for Windows XP, which was developed before the SDL, and SQL Server 2005 had 91% fewer vulnerabilities than the pre-SDL SQL Server 2000.
Microsoft continually checks that newer products are harder to attack than older ones by comparing the number of vulnerabilities that are detected externally and how easy they are to exploit.
In evaluating TwC’s progress from a security point of view, Microsoft also compares the number of infections by product version that are detected and cleaned up from customers’ systems by the malicious software removal tool (MSRT) delivered through Windows Update.
Data collected by the MSRT, which runs on 600 million systems worldwide, forms the basis of the Microsoft Security Intelligence Report, first released publicly in 2006 to inform security professionals of top security threats and to offer guidance to protect against cybercriminal activity.
But Microsoft’s TwC is not only about security. Reliability or availability and privacy are also key principles. Reliability is calculated using “crash” statistics and support call data. Privacy is not as easy to measure, but here Microsoft looks to customer satisfaction surveys that record attitudes and levels of trust.
According to Malcolm Crompton, a former Australian Privacy Commissioner, the recognition of the importance of privacy so early is one of the greatest achievements of Microsoft’s TwC group.
At a time when code quality and online security were the major focus in most people’s minds, simply including privacy as a key element was visionary, says Crompton, who is now managing director of data protection firm Information Integrity Solutions.
“In 2001 there were very few industry leaders, as opposed to specialist interests, policy makers and privacy regulators, who saw privacy as an equal pillar to the others,” he says.
Through TwC, Microsoft has established a very thorough, well-resourced privacy programme that has been effective externally as well as internally, says Crompton.
An early example, among many, he says, is its contribution to the Multi-Layered Privacy Notice initiative that was subsequently endorsed in general terms by the world’s data protection commissioners and then more specifically by the EU Article 29 Working Party.
Microsoft has been a trailblazer in other areas too, creating, in the early years of TwC, a joint legal and technical team to address cybercrime, now known as the Microsoft Digital Crimes Unit (DCU). In 2008, TwC introduced the Microsoft Active Protections Program (MAPP) for sharing vulnerability information with security software partners. In 2009, TwC introduced Microsoft Security Essentials, free anti-malware software for individuals and small businesses. In 2011, Microsoft announced the BlueHat Prize contest, challenging security researchers to generate new ideas for defensive approaches to support computer security. The first winner will be announced at Black Hat 2012.
Taken together with Microsoft’s collaboration with law enforcement worldwide to take down botnets, TwC has made significant progress in the first ten years of its existence, but members of the group consider trustworthy computing an ongoing challenge.
“We have made progress and learned a lot of lessons, but we know we are not done. Computing is part of the fabric of society and trustworthy computing is still something we have to focus on,” says Steve Lipner, partner director of program management, TwC group at Microsoft.
As it takes stock of the past 10 years, Microsoft is looking to the future with a soon-to-be-released plan, dubbed TwC Next, which is set to expand operations to focus on privacy and security in the cloud as well as other new computing models and device form factors.
“Recognising the dependence we have on the cloud, we have to ensure that the security and reliability of online services improves consistently with our commitment to trustworthy computing,” said Lipner.
TwC Next will also examine how industry and government can collaborate to make a more trusted internet ecosystem and seek to tackle the major trend towards targeted attacks and persistent adversaries, he told Computer Weekly. “Our dedication to trustworthy computing is more important today than it was ten years ago,” he said.
Just as motor cars have become simpler and safer to drive, says Crompton, a much stronger focus is needed on “making the safe way the easiest way” for privacy settings on social networking sites and any device connecting online, rather than making the safe way a difficult option.
“Microsoft is in a position to lead the charge,” he says. From the sneak preview given by Lipner, that is exactly what it plans to do with TwC Next, due to be unveiled at RSA 2012 in February.