
Microsoft--forget PR, clean up the code

Instead of conducting a charm offensive to still critics, Microsoft should rethink the way it writes, tests and packages its code.
Written by Jon Oltsik, Contributor
COMMENTARY--Have you noticed that Microsoft is on the offensive? After countless months of reading press clippings about the pathetic state of Windows security, the folks in Redmond, Wash., have decided to fight back with one of their strongest weapons--public relations.

This communications-centric policy has always served the company well, so the Microsoft speechwriters and sound-bite coaches have added security to their "trendy topics" list.

At the August press conference to announce the arrest of Jeffrey Lee Parson, the Minnesota teenager who admitted to creating and releasing the Blaster.B worm, the U.S. Justice Department and Microsoft used the occasion as a media event. U.S. Attorney John McKay issued the tough-love statement that "with this arrest we want to deliver a message to cyberhackers here and around the world, they need to be convinced that the handcuffs are not cybercuffs. They are real."

Microsoft’s general counsel Brad Smith offered a more empathetic statement aimed at the Microsoft customer base, saying, "The damage done to Microsoft in this instance is a small tip of damage that was done to computer users around the world."

More recently, in a speech at the Churchill Club, Microsoft CEO Steve Ballmer used a similar mix of tough talk and empathy. Ballmer conceded that his company was under attack from a combination of "thieves, con artists, terrorists and hackers." He then asked the technology industry to help Redmond combat this threat while proclaiming that "many of our customers are feeling the pain. We have to raise the bar on the quality of products when it comes to security."

This recent communications blitz underscores a new and troubling reality. Like the United States at large, Microsoft is fighting a new and different type of fight. The company faces its own war on terrorism.

Anonymous enemy
Redmond is used to winning battles with a combination of pricing, packaging, software integration and marketing rhetoric. These tactics have proven successful against corporate competitors such as IBM and Novell. This time, Gates & Co. are fighting a guerrilla war against an anonymous enemy. The stakes aren’t even financial; they’re religious.

Microsoft’s enemies hate the company and claim to fight for moral causes like greater software quality and openness. The Blaster.B worm that caused millions of dollars in damage contained the message: "billy gates why do you make this possible? Stop making money and fix your software."

To its credit, Microsoft recognizes its security problems and is using its vast economic and industry resources to win its war on terrorism. Redmond’s 2002 "Trustworthy Computing" initiative dedicated $400 million toward improving security. The company has made positive strides such as pulling all of its developers off projects for a two-week security training course and shipping its products with default configurations that lean toward security rather than convenience.

Along with these worthy efforts, Microsoft seeks to ride the security train toward greater market share and profitability. Whether you support or oppose the company's Next Generation Secure Computing Base (NGSCB, formerly Palladium) technology, there’s no getting around the fact that Microsoft is looking to inject itself into the whole digital rights management conundrum with this initiative. Moves like these raise suspicion about Redmond’s true security motives and further inspire the black hat community toward a software jihad.

Like the United States, Microsoft's battle with terrorists has many dependencies. While the United States must find and secure abundant targets like ports, reservoirs and power grids, Microsoft has to discover and fix every vulnerability in its code base. This year Microsoft has issued 39 warnings; experts warn that this is just the tip of the iceberg.

Burnt bridges
And just as the United States reaches out to nations such as China, India, Pakistan and Russia for support in its security effort, Redmond needs help from the technology industry and its customers to win the war. Unfortunately, Microsoft burned a few industry bridges on the road to world domination, and its customers are sick of time-consuming software-patch installations and the expense of additional security tools that serve as Windows-based bouncers.

Money won’t win this war. Nor will additional security tools or yet another PR blitz. People are already voting with their pocketbooks, buying more and more Linux--and security is a big reason why. The only way Microsoft can hold its own is to fundamentally change the way it writes, tests and packages its code. The company must think security first, integration second and abundant features a distant third. To do this, Microsoft must separate its code base, test and retest code for security, and then guarantee some level of quality for its products.

Microsoft is already losing its war on terrorism, and if the company continues its current tactics, we are bound to see more destructive "malware" more frequently. Unfortunately, this is a situation where we all lose. To avoid this scary scenario, Microsoft customers, partners and shareholders should use their consolidated influence and dollars to persuade Redmond to change its habits. If we don’t wake the sleeping giant, we’ll all end up suffering.

Biography
Jon Oltsik is a founder and principal at Hype-Free Consulting, a research and consulting firm.