On the eve of the 1980 Presidential election, candidate Ronald Reagan posed a 10-word question to the voting public that may have cost Jimmy Carter his re-election: "Are you better off than you were four years ago?" Reagan asked on national television.
Today, 10 years after then-CEO Bill Gates sent his all-hands e-mail of Jan. 12, 2002, ushering in the Trustworthy Computing (TwC) era at Microsoft, the same question should be asked of the computing public.
Are we better off than we were 10 years ago?
The answer for most folks is "no," but it's not all Microsoft's fault. The Trustworthy Computing initiative doubtless prevented many problems, and saved perhaps trillions of dollars, but today's computing is less trustworthy than computing was in 2002. Or at least not better.
In 2002, Gates was responding both to historic challenges and new threats propagated over the Internet. In his e-mail, Gates wrote:
"Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms."
"We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched – but as an industry leader we can and must do better. Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create. We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it."
Following the memo, Gates ordered Microsoft's 8,500 programmers to stop current projects and focus on finding and fixing security issues in existing and forthcoming products. The effort reportedly cost $100 million and helped instill a higher level of security consciousness at the world's then-most-important software company. It fixed lots of problems, too.
Has Trustworthy Computing Helped?
I think we can agree that Gates' "eventually" is still on the horizon, as despite tremendous effort and accomplishment, customers must today worry about security issues more than ever before. While the threats in 2002 were large and widely publicized, many of today's are kept largely hidden. Any feeling that enterprises are more secure today than in 2002 is a mirage created by the changes that resulted in today's more dangerous, more difficult-to-detect enterprise threats.
For consumers, the threat used to be losing data on a PC. Today, it is losing the contents of your bank account and having your credit cards run up by identity thieves. Corporations, however, have learned to deal with this as a cost of doing business, even if customers find it difficult to recover from the assaults.
To be fair, Microsoft's products are more secure than ever before and the company responds mostly well to threats. Its Security Development Lifecycle (SDL) initiative changed how software is developed at Microsoft and across the industry.
Windows 7 is perceived as a far more secure operating system than its predecessors, and the company offers free tools to deal with many common malware problems, some of which run automatically when updates are downloaded.
Microsoft's enterprise software has become more reliable, yet as large-scale threats decrease, Advanced Persistent Threat attacks and other emerging dangers leave us with even more fears and concerns than before.
Today's security threat is less likely to take down your servers and more likely to steal your most confidential data. It seems we have replaced clearly untrustworthy systems with systems that look trustworthy but are not. As Microsoft has become less of a target itself, Adobe apps and Java have risen to take Redmond's place.
Social engineering targets individual users who willingly give up user names and passwords to otherwise-mostly secure systems. Increasing user education may help fight these threats, but the ability of hackers to use information gathered from multiple sources to create attacks targeting specific individuals and companies can make these attacks very difficult to thwart.
Microsoft announced last week that Trustworthy Computing (TwC) is now TwC Next, which the company says "will focus on the PC-plus era, the new world of devices and cloud computing, and the role of governments in computing. Security, privacy and reliability strategies must evolve to remain potent."
Godspeed, Microsoft. The world needs all the security help it can get. But Microsoft is a less powerful player against many of today's challenges than it was when it began this battle a decade ago.
In 2002, Microsoft could have a dramatic impact on security across the computing industry, and it did. Not so much today. The scale of the problem is so much larger -- growing as the available targets have grown -- and many of the world's most talented programmers seem to have opted for a life of crime, often with little chance of prosecution.
I'd like to end this post on a positive note, but I have trouble finding one. In the end, the good guys have to win, but how we get there and what we give up or must change along the way (think SOPA as one example) remains hazy at best.
Sorry, that's the best I could do.