Microsoft Corp. Chief Technology Officer Craig Mundie has one of the
most difficult jobs in a company full of difficult jobs. The
tough-speaking executive has found himself on several occasions addressing
red-hot issues at the moment they were most heated -- such as
talking to a roomful of Linux developers in July, just weeks after
Microsoft executives had compared their operating system of choice to a
Tuesday, just one week after an independent programmer managed to write
a program that could expose credit card information stored in
Microsoft's Passport authentication service database, Mundie found
himself in a similar pinch: standing before nearly 150 industry
executives and security experts talking about the security behind
Microsoft's lofty plan for the Internet, called .Net.
As seen in the recent security snafu with Passport, the key
authentication technology that will facilitate .Net, Microsoft still
has a ways to go before it can ensure that its plans for pervasive
computing will be secure. Speaking at Microsoft's campus here, where
the company is hosting a three-day Trusted Computing Forum, Mundie
conceded that and extended an olive branch to those who might be able
to help solve the problems.
"Despite best efforts by smart people, it is unlikely that computing
will ever be perfect," Mundie said, comparing the problems facing the
technology to those faced with several innovations in history, from the
telephone to the credit card. "I don't think the people who designed
these networks ever would have predicted the problems they would face.
"In a way you could say it was a bit naive," he said.
But programmers have found ways to exploit Microsoft's naivete,
spreading worms such as Code Red and Nimda through Microsoft's Internet
Information Server software, and this has raised serious questions
regarding how the company and the industry can progress without falling
victim to similar malicious computer attacks.
Still, growing industry support was evident here in the comments from
attendees, many of whom are Microsoft's biggest critics and competitors.
"There is a lot to be said about Microsoft's progress in cooperating
with the industry on privacy," said Tatiana Gua, senior vice president
of integrity assurance at America Online Inc., the Internet service
division of AOL Time Warner Inc., who attended Mundie's presentation.
Citing the addition of new security technologies in its products, such
as P3P (Platform for Privacy Preferences) and Microsoft's efforts to
step up its cooperation with industry standards groups, Gua expressed
some support for Mundie's presentation. Still, she criticized some of
the technical points in Microsoft's security strategy. "Unlike
Microsoft, we don't believe that one size fits all," she said.
Robert Hahn, a research director with the American Enterprise
Institute, a Washington, D.C.-based think tank, who studies privacy and
government regulation, noted a similar shift in Microsoft's actions in
regard to ensuring a balance of privacy and security in its products.
"Microsoft is clearly thinking about security and privacy very hard,
and they've realized they're not going to solve it by themselves," Hahn
With government regulators and industry counterparts pressing down on
several aspects of Microsoft's business, from federal trust-busters to
industry chief technology officers who have been burned by the use of
Microsoft's bug-prone software, the company that arguably has been at
the center of the industry's security and privacy battle has now found
itself with a difficult choice.
If it gets too wrapped up addressing privacy -- appeasing critics such
as those who recently filed a claim with the U.S. Federal Trade
Commission regarding Microsoft's Passport service -- the company
endangers its ability to create secure products, Mundie said. If it
gets too wrapped up in security, devising Teflon products that are
impervious to malicious programmers, it could step on privacy.
"Compromise will be required," Mundie said.
Reflecting the vast complexity of the issues behind making a
secure and private computing network that also is a useful tool, Mundie
turned to analogies to identify many of the latest security and privacy
issues Microsoft is facing.
On hackers, Mundie compared the malicious coders who are poking holes
in Microsoft's software to the cells of terrorists that threaten the
safety of the U.S.: "The evolution of hacking is very, very akin to
this network of terror cells," he said. "And there is the potential to
treat them the way we treat terrorist cells."
On government's role in monitoring technology and the Internet, Mundie
said regulation has historically been done by policy makers who rely on
examples from the past. "It's like trying to drive a car looking
through the rear-view mirror," he said.
On government regulation of Microsoft's business practices and those of
other companies building similar Internet technology, Mundie compared
the company to a goose that lays golden eggs. "Do we shoot the goose? Or
do we take more of a risk and let the goose keep running free for a
while?" he said.
With two days of discussion ahead, and presentations scheduled from
speakers including Federal Trade Commissioner Mozelle Thompson as well
as Richard Clarke, special advisor to President Bush for cyberspace
security, Microsoft is bringing the issues to the fore and looking for
"This is not a simple problem, and no simplistic approach is in and of
itself going to yield the desired result," he said. "But we're up to
the task of meeting our commitment."