I was not at Microsoft ten years ago this week, but the ten year milestone for Trustworthy Computing (TwC) has a lot of significance for me, given that I have spent most of that time working with people here at Microsoft to improve security and privacy for Microsoft products. I was hired in December 2002 as part of what I think of as the “TwC Ramp Up” phase following the kick off of Trustworthy Computing.
Everyone has their own perspective on what Trustworthy Computing means to them, but I thought today would be an appropriate opportunity to share my perspective on how unique and important TwC is within the industry.
When I graduated (ECE, Purdue) and started my first job, I was lucky enough to immediately get involved in the field of information security. Along with risk assessments, research and consulting, one of the areas I supported was the National Security Agency predecessor to the Common Criteria scheme. We served as government-funded consultants in two phases:
- In the first phase, we offered guidance and consulting to companies that were developing a product with the goal of passing a particular security certification (which would then allow them to sell to government customers)
- In the second phase, we shifted to an adversarial role, critically applying the criteria to their products and advising them what they had to fix or improve to meet the requirements
In doing this work, I learned the the word most often paired with security by software teams was “minimum.” I truly came to detest that word and all that it represented. “What is the minimum we must do to meet the security requirements?” “Yes, I understand your advice, but what is the minimum we must do?” “What is the minimum bar?” I understand of course – it was a cost issue. Security was simply an obstacle between their product and a government deal, so why do even a smidge more than the minimum?
Microsoft responded to the rise of Internet worms with Trustworthy Computing, kicked off by an email from Bill Gates to all employees. I’ve read and re-read that mail over the past several years. Contrast that detestable word that I’d heard so much, minimum, with “Trustworthy Computing is the highest priority for all the work we are doing.” Such a different attitude. Unprecedented.
Of course, many people were skeptical. When my old boss and colleague, Steve Lipner, reached out to me from Microsoft, I was skeptical too. But the more I talked to Steve, I had to ask myself, “what if they meant it? How different would that be?” Taking it a step further, what Security Guy wouldn’t want to be part of the TwC effort if Microsoft were truly committed to it? So, later in 2003, I joined Microsoft and the Trustworthy Computing initiative and since then, I’ve repeatedly been amazed at the dedication and passion of the people working here to make computing safer. More significantly, I’ve observed the commitment from the top of the company again and again. Unprecedented.
Of course, there were mis-steps along the way, but when you are taking the risk of breaking new ground – going where no one has gone before – you sometimes end up having to backtrack before forging ahead again.
Let me close by quoting Scott Charney from his post today on the Official Microsoft Blog:
“However, computing, society and the threats we face all continue to evolve. Attackers attack, defenders defend, and each learns about the other’s techniques and weaknesses. While Microsoft will remain vigilant in its focus on building dependable software and systems, it’s impossible to reduce vulnerabilities to zero, so we must continue to develop innovative ways to mitigate threats.
Craig Mundie, Microsoft’s chief technology officer, today shared a memo with Microsoft employees highlighting the evolving role of computing in society and our responsibilities as an industry leader. Computing has become a major part of the fabric of modern society and in the coming years, security, privacy and reliability will become increasingly important as cloud services continue to expand. Craig’s memo notes that because threats are becoming more sophisticated and persistent, our dedication to Trustworthy Computing has never been more important.”
I agree, Trustworthy Computing has never been more important. This week, join me in marking the 10 year milestone of Trustworthy Computing, as Microsoft affirms that the commitment is as important as ever.