The Trustworthy Computing memo arrives

Bill Gates published the Trustworthy Computing memo yesterday — 15 January 2002. The text is now public. The substance is genuine; the implications are large.

A first read of what the memo says and what it changes.

What the memo says

The full text is widely available online. The substantive claims, in my reading:

Security is now a top priority for Microsoft. Specifically: "in the past, we've made our software and services more compelling for users by adding new features and functionality... Now, when we face a choice between adding features and resolving security issues, we need to choose security."

This is the strategic shift that the rumours had described. The text commits Microsoft to security over features in cases of conflict. The phrase is unambiguous.

Specific architectural goals. The memo commits to four characteristics of trustworthy computing: availability, security, privacy, and trust. Each is described in detail. The security section commits to:

  • Secure by design (architecture and code review).
  • Secure by default (restrictive default configurations).
  • Secure in deployment (better tools for operators).

This is exactly the secure-by-default agenda I have been advocating.

Engineering process changes. The memo commits to security training for all developers, threat modelling as part of design, and security review as a release gate. The cultural commitment is explicit.

Customer focus. The memo acknowledges that customer trust has been damaged by the year's incidents. It commits to repairing that trust through demonstrable improvements.

How seriously to take it

My probability estimates after reading the actual text:

Probability that the substantive shift is real: 80%, up from my prior of 75%. The text is more direct than I had expected; the commitments are specific.

Probability that it produces visible product improvements within 2 years: 65%. The cultural change is harder than the rhetorical commitment.

Probability that it produces visible product improvements within 5 years: 85%. The structural shift, if real, will manifest over multi-year horizons.

What this changes for operators

The medium-term implication: Microsoft products in 2003-2005 should be measurably more secure than in 2001. The current products will continue to need vigilant patching for some time; the improvement curve starts now.

For capital decisions: a 2-3 year horizon for substantial Microsoft improvement is now my central estimate. Decisions about platform choice should account for this.

For my own writing: the structural-improvement story will be a recurring theme through 2002. I will write about visible signs of the commitment as they appear.

What signals to watch

Three things I will be paying attention to over the next 12 months.

The Windows development pause. Microsoft has reportedly paused some Windows development for security review. The duration and substance of this pause will tell me how seriously the commitment is taken internally.

The first major patch cycle post-memo. Microsoft's response to the next serious vulnerability will be informative — speed, clarity, completeness.

The shipping of products committed to under the memo. When Windows Server 2003 ships (probably 2003), its default configuration will be the empirical test of "secure by default". When IIS 6 ships, the same.

A small reflection

I have been writing about Microsoft's structural problems for over three years. The Gates memo is, in my reading, the strongest possible response that could come from senior leadership. Whether the response translates into actual product improvement is the next question.

For the broader industry, the memo will produce pressure on other vendors to commit to similar improvements. The cumulative effect of the major commercial vendors taking security seriously could be substantial over years.

For my own work: more reason for optimism than I have had in some time. The structural problems may be addressable; the timeline is years rather than decades.

More as the response materialises.

