January 15, 2005 -- a Saturday -- will almost certainly pass quietly on the bucolic Redmond, Washington, campus of Microsoft Corp. But for those in the field of information technology security, who often make a sport of following the company's struggles to secure its products, the date is certain to attract some notice: it's the third anniversary of a now-famous internal Microsoft e-mail dubbed the "Trustworthy Computing" memo.
Three years after the release of the 1,500-word memo from the company's founder and Chief Software Architect, Bill Gates, those inside and outside Microsoft credit Trustworthy Computing with setting in motion vast changes that have improved the security of many of Microsoft's products. At the same time, customers and industry experts wonder aloud whether Microsoft will ever fully realize Gates' vision, taming the company's massive stores of legacy software code and reconciling its desire to please consumers with its duty to protect them from threats.
Addressed to all full-time employees at Microsoft and its subsidiaries, Gates' Trustworthy Computing memo announced an ambitious program to make Microsoft's technology more secure and reliable, and signalled a profound change in the culture of the world's leading software maker. In it, Gates re-oriented the priorities of the company he founded in 1978, and which made him into the world's richest man in the 1990s by turning out easy-to-use software applications that were tightly integrated with the company's dominant Windows operating system.
Written just months after the Sept. 11, 2001 terrorist attacks in the U.S., the Trustworthy Computing memo likened the need to secure Microsoft's software to the new imperatives of securing the nation's critical infrastructure such as airlines, electrical, telephony and water services.
Compared to the reliability of such critical services, "computing falls well short," Gates said, noting that the insecurity and instability of computing systems had a subtle but pernicious effect on technology adoption.
As explained by Gates in the memo, four important aspects comprised the new initiative: availability, security, privacy and trustworthiness.
On the issues of availability and security, Gates proposed an end to two of the most frequently heard complaints about his company's software: that it crashed far too frequently, and that it was riddled with vexing security holes that exposed customer information to harm.
Microsoft should also protect the privacy of its customers' data and allow them to control how their data is used, Gates said. Finally, Microsoft needed to look beyond bugs and availability, creating an industry-wide computing ecosystem that was "trustworthy" from "smart" software and services down to the processor chip, Gates said.
Within Microsoft, the memo "absolutely changed the mindset of the company," said Gytis Barzdukas, director of product management in Microsoft's Security Business and Technology Unit.
Barzdukas worked in Microsoft's Office product group when the memo was sent. As an example, he recalls halting development on Version 11 of Microsoft Office, the company's most profitable product, for an entire month in 2003 to conduct a security review of all Office components.