Microsoft, Your PC's Security Guard?

In January, 2002, Microsoft Chairman Bill Gates declared security to be the new top priority at the world's biggest software maker. In a speech to employees and in a public statement, he declared war on bugs and vowed to shore up product security. Of course, the bugs keep popping up, and serious security vulnerabilities continue to be exploited in Microsoft's ubiquitous operating system and applications. Witness the horrific MSBlaster worm that crashed untold thousands of Windows 2000 and XP machines worldwide during the week of Aug. 11.

So how's this for a delicious irony: Microsoft now appears to be targeting security software products as a new growth opportunity. That's an area where the Colossus of Redmond has previously shown only faint interest, but now savvy observers say the giant is locking in on it.

Microsoft won't break out exact figures, however, most estimates say it will derive less than 1% of its estimated 2003 total revenues of $32 billion from security software and related services. This is in a global information-technology security market for hardware, software, and services that's now worth $17 billion and is set to grow at a 15% clip for the foreseeable future, according to John Pescatore, research director at tech consultancy Gartner. And that would seem to be an alluring opportunity for a company so dependent on the slow-growth Windows operating system and Office software suite. Not to mention so unable to build bug-free, unassaultably secure software itself.

TELLTALE SIGNS. Mike Nash, the Microsoft vice-president in charge of the security effort, has played coy when asked whether the giant will use its new focus on security to mount a competitive attack on that sector. But now a confluence of signals is pointing to Microsoft's imminent arrival. In June, 2003, it announced the purchase of Romanian antivirus company GeCAD for an undisclosed sum. And details are starting to surface about ongoing Microsoft trials of what appear to be antivirus and personal firewall software that would compete directly with the likes of Symantec, Network Associates, and Zone Labs, a smaller but quickly growing company in San Francisco.

Web surfers have posted screenshots of test versions of the new Microsoft security software at two popular Windows forum sites, Neowin.net and Activewin.com. The screens portray a combination antivirus/personal firewall interface combined with a data backup utility. According to a screenshot posted at Activewin, Microsoft has contacted an unknown number of former beta testers who also had .Net accounts to participate in security trials as part of a program dubbed the "PC Satisfaction Trial." Microsoft won't say whether the trials are happening and declined to comment for this article, but others in the field confirmed that they knew the trials are under way.

Microsoft's effort appears to target the consumer market. That it would choose to tackle this segment rather than big corporate installations is no surprise. Security geeks who guard corporate networks remain highly suspicious of Redmond's security chops. An April, 2003, poll by Forrester Research found that 77% of security experts at 35 big companies said Microsoft products remained insecure. Consumers, however, may have a rosier view and might be willing to try out an enhanced Microsoft personal firewall that goes beyond the existing bare-bones version now built into Windows.

BIG SPLASH. "The debate is what will the product look like, and how long will it take to get there. And no one has expected it this fast," says Gene Munster, a software analyst at US Bancorp Piper Jaffray. Munster spotted the Web postings and outlined what he believes to be the evidence of Microsoft's security software effort in a July 15 research note.

The implications of Microsoft entering the desktop-security market are huge. It could easily integrate more robust security features into Windows. However, it probably wouldn't give security software away unless it wants to face the prospect of another European Union fine, something it's likely to get hit with for its tight bundling of a free copy of Windows Media Player with the Windows operating system. Still, Microsoft jumping into this pool would be like the big kid doing a cannonball in the deep end: It would generate plenty of waves and perhaps a great deal of shouting, too.

As it stands now, all the desktop-security software companies, which attempt to secure either individual consumer or corporate PCs, need and generally receive access to Microsoft's secret Windows code to ensure that their products are compatible with the operating system. Still, it stands to reason that Microsoft would enjoy an advantage here because no one knows how to make Windows-compatible products better than Microsoft.

PART OF .NET? That's hardly a new concern. Access to Windows' so-called kernal code has fueled numerous disputes between Redmond and software companies that build applications for Windows. But the security sector has become so important in protecting the overall structure of the Internet that the kernal issue could prove a much hotter button here.

Further, access to operating system's guts is even more important to building security software that can protect Windows machines because a broad overview of the processing going on inside an operating system affords the best vantage point for securing it.

Gates & Co. also enjoy a distribution advantage. Microsoft could easily build security software as an offering into the .Net subscriber package of Web-based computing services. .Net is Microsoft's grand plan to get Web surfers to entrust all sorts of online services to it, from managing digital wallets to tracking software updates. Microsoft could piggyback sales and marketing of security software atop its other consumer efforts. It also has a track record of pushing PC makers to offer Microsoft-branded services and software prominently on default screens.

FRIGHTENING SIGHT. At the very least, Microsoft would prove stiff competition and possibly accelerate an ongoing consolidation among the dozens of players clawing for market share. Symantec now has the largest share of the consumer desktop-security market and, therefore, probably has the most to lose. Symantec officials declined to comment for this story.

Any serious effort by Redmond could also scare off startups and choke innovation, say some critics. "It would be too bad if all the venture capitalists pulled out of desktop security because of a Microsoft threat," says Gregor Freund, CEO of desktop software firewall concern Zone Labs, whose interest in keeping the giant out of the industry is obvious.

Freund further worries that if Redmond could also corner the market in security software -- hardly a given, even for Microsoft -- it would create another software monoculture, this time in an area of increasing importance. "If we not only used Windows and Office but also Microsoft security products, it means we have a single point of failure," says Freund.

RAPID-RESPONSE UNIT. He doesn't see the trials as a sign that Microsoft is ready to enter the market. Freund thinks that won't happen for at least 18 months or perhaps longer. He points out that while building a product gets you to the starting line, to remain competitive Microsoft would still have its work cut out for it.

For example, it would have to build a continuous update capability akin to those of other desktop-security companies. This is more intense than the software patching capability Microsoft now has. It would have to build and maintain a crack SWAT team to keep updating virus and attack "signatures" -- the digital fingerprints of each virus that antivirus and firewall programs store and check against incoming data. And it would have to make sure that those signatures fly out the door mere hours after a new attack shows up.

That's different than building software patches, which are usually released days after a vulnerability is announced or after Microsoft is able to work with the bug finders to build a fix before the hole goes public.

LOW-HANGING FRUIT. Nevertheless, in the past only a handful of software companies have managed to compete effectively when Microsoft moves into their sector. And in those cases, for the most part Gates & Co. faced a dominant incumbent, such as Intuit (INTU ) in personal-finance software. The desktop-security market remains widely fragmented, with no one company holding more than 32% of either the firewall or antivirus market.

As Microsoft casts a wide net to find new sources of revenues, security software seems like a low-hanging fruit -- and one it appears set to take a bite out of in the not-so distant future. After all, someone has to protect users against all the holes in Microsoft's software.

BusinessWeek Online originally published this article on 14 August 2003.