Microsoft: Users may have to pay for security

RSA 2002: Microsoft is considering charging for additional security options, and admits it didn't move on security until customers were ready to pay for it

Microsoft "may offer new security abilities on a paid basis," according to the company's chief technical officer Craig Mundie. The possibility is under consideration within Microsoft's security business unit, recently set up under its own vice president, Mike Nash.

"Our work was diffuse, but we have quite a few security initiatives," said Mundie, speaking on Tuesday at the RSA Conference on IT security in Paris. "Mike is assessing that. The unit will have inputs into products, marketing, training and other areas."

The idea is still only hypothetical, but represents an acknowledgement that Microsoft sees security not just as a necessary condition to reassure existing and future customers, but also as a potential source of revenue.

Speaking to CNET at a Gartner conference in Orlando, Florida, Microsoft chief executive Steve Ballmer clarified Mundie's statement.

Ballmer said Microsoft has a group chartered with developing additional security products. Currently, he said, there is no plan in place to charge customers a fee for additional security services. But Microsoft is most likely to introduce new security software, similar to its existing firewall software.

In presenting Microsoft's trustworthy computing initiative, Mundie defended the company's reluctance to follow through and accept legal responsibility for the security of its products. "If we took that responsibility, say for a big contract at Airbus, I would have to take out a giant insurance policy from Lloyds or another insurance broker, and pay a giant invoice," said Mundie. "The product would then cost not 50 euros, but 50 million."

Legal liability would cost the user greatly, he said, and contracts like the one he described were the exact opposite of the normal situation. "In such a situation, the computer must not change, and only technicians could touch it. This is the antithesis of the general purpose mass market business."

Windows runs an arbitrary set of applications, in an arbitrary configuration, with arbitrary devices, said Mundie. "The operating system is designed to run on machines that are not designed yet." While Microsoft could demand that it creates the drivers for all hardware, the industry would not accept that. "Each time we accede to the reality of the industry, we accede to the problem," he said.

Asked why it has taken Microsoft 25 years to get trustworthy computing into the forefront of its efforts, he said: "Because customers wouldn't pay for it until recently." Admitting this was a flippant answer to a flippant question, Mundie said that chief information officers had only recently begun to demand security, and it is only in the last ten years that Microsoft has attempted to play in the security-requiring worlds of banking, payroll and networked systems.

For more information on Trustworthy Computing, see "Trustworthy Computing - could try harder".

Mike Ricciuti contributed to this report from Orlando. Peter Judge reported from the RSA Conference in Paris.
