Bill Gates Announces Microsoft's Strategy Shift Toward Security, Privacy

Microsoft Chairman Bill Gates announced a major strategy shift across all its products, including its flagship Windows software, to emphasize security and privacy over new capabilities.

In an e-mail to employees obtained Wednesday by The Associated Press, Gates referred to the new philosophy as "Trustworthy Computing" and said his highest priority is to ensure that computer users continue to venture across an increasingly Internet-connected world.

Gates compared the significance of his 1,600-word message, sent Tuesday, to his so-called "tidal wave" e-mails during the mid-'90s, which changed the course of Microsoft, and much of the software industry, to focus its products on the Internet.

He said this new emphasis on security for Microsoft was "more important than any other part of our work. If we don't do this, people simply won't be willing — or able — to take advantage of all the other great work we do."

"When we face a choice between adding features and resolving security issues, we need to choose security," Gates continued. "Our products should emphasize security right out of the box."

The dramatic change comes after the discovery of major security problems in Microsoft products, such as flaws in the latest versions of Windows that allow hackers to seize control of a user's computer. Another problem allowed the Code Red viruses to cripple hundreds of thousands of computers running Microsoft products.

"Gates saying that security needs to come before features is a huge statement for the software industry, not just a huge statement for Microsoft," said Marc Maiffret, the founder of eEye Digital Security Inc., which discovered both the XP flaws and the Code Red viruses. "If anybody has the ability to shape the software industry, he's the man."

David Smith, vice president of Internet Strategy at Gartner Inc., an analysts firm, welcomed the move but said the strategy shift may be coming too late. Smith faulted Microsoft for developing broad, Internet-based strategies without paying enough attention to security.

"It's about time, perhaps overdue," Smith said.

In the e-mail, Gates also referred to the Sept. 11 terror attacks as a reason to focus on security. He noted that last year's events "reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure, whether it's the airlines or computer systems."

Other Microsoft executives declined to comment late Wednesday.

Shares of Microsoft were down $1.68 Wednesday to close at $67.87 on the Nasdaq Stock Market, but they gained 38 cents in extended trading.

Microsoft products can be found in almost every government facility, from the White House to aircraft carriers at sea. One person with knowledge of the change said new products and features will be tested for security risks before going any further — if they fail, the feature won't be included.

"Things are going to have to go through a crucible, and the crucible will be security-first," according to this person, who spoke only on condition of anonymity.

Compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are.

Russ Cooper, a security expert with TruSecure Corporation, said the change occurred in part after a new security team assigned to attend every product meeting met resistance from product teams.

Microsoft has long been criticized for focusing on making products more feature-rich rather than emphasizing security and stability. For example, Windows XP added DVD player-software, a rudimentary Internet security utility and a new instant messaging program.

Customers could also see a downside, though. Other than fewer new features, product upgrades could come less frequently or could be pushed back.

Privacy is also a focus.

"Users should be in control of how their data is used," Gates wrote. "It should be easy for users to specify appropriate use of their information including controlling the use of e-mail they send."