WHY HACKERS ARE A GIANT THREAT TO MICROSOFT'S FUTURE
Bill Gates and Steve Ballmer dithered while viruses and worms cost customers billions. Now Microsoft is scrambling to put things right.
By FRED VOGELSTEIN

(FORTUNE Magazine) – NOBODY IN CHARGE AT MICROSOFT IS LIKELY to forget the dog days of August 2003. That month viruses and worms aimed at flaws in Windows software brought the Internet to its knees. Hard drives flooded with gibberish, computers and servers crashed, bogus e-mails proliferated, and for weeks, users fumed. The attacks snarled the transcontinental flow of freight on CSX Corp.'s railroads. They shut down the Maryland Department of Motor Vehicles for a day. Air Canada lost the ability to make reservations.

And Microsoft caught the heat. MICROSOFT WINDOWS: INSECURE BY DESIGN, said the Washington Post. A TEST OF MICROSOFT'S TRUST, said the Business Times of Singapore. OH, MY ACHING SOFTWARE, said the Seattle Post-Intelligencer. One worm, known as Blaster, didn't just mess up your computer, it embedded this message deep in the machine's software: "Billy Gates, why do you make this possible? Stop making money and fix your software."

The attacks marked a watershed for the software giant. Not only was Microsoft savaged in the media, but also it got socked in the pocketbook. When the company reported earnings on Oct. 23, analysts were surprised to hear CFO John Connors note that major corporate customers had put off signing deals to the tune of hundreds of millions of dollars. Investors hammered the stock, sending it down 14% in a matter of days.

This August, Microsoft unveiled a response to the hacker threat: a $1-billion-plus, 100-megabyte revision of its Windows XP operating system. The geekily named Service Pack 2, which customers can download for free, fixes thousands of weaknesses and flaws in Windows XP that hackers could otherwise attack. It represents the first meaningful improvement in the security of the software that sits on hundreds of millions of computers worldwide.

Microsoft has also been scrambling to ease corporate customers' concerns. It has rolled out tools that make it easier for CIOs to test and deploy security updates to companies' desktops and servers. And it has given sales reps training and incentives to develop security plans with their customers--historically not a Microsoft strength. "They are certainly doing a better job," says Dan Geer, chief scientist at Verdasys, a security consulting firm outside Boston. Geer is one of Microsoft's most vocal critics, claiming that the "monoculture" of Windows endangers modern society.

Microsoft's struggle against hackers is just heating up, and even chairman Bill Gates acknowledges that it will be long, disruptive, and expensive. "The people who attack these systems are getting more and more sophisticated. For every time we take a type of attack and eliminate that as an opportunity, they move up to a whole new level," he said in a speech earlier this year. "We can make it dramatically more difficult, but we have to keep this in mind: This is a measure-countermeasure-type environment. And so it's not a case of simply fixing a few vulnerabilities and moving on. The traditional responses, the way that the systems are architected, the way they're put together, all of these things have to change. My basic view is, I'm very optimistic about this, even though there are many years of work ahead of us." What Gates is saying is startling: Damage to customers from hacker attacks is forcing his $37-billion-a-year company to change the way it writes software. That's akin to Detroit changing the way it makes cars.

Microsoft has put itself through gut-wrenching transformations before--most famously in the mid-1990s when Gates belatedly declared that the company had to rework its entire product line to embrace the Internet. Within three years Netscape was toast and Microsoft was king of the browser world. Now Microsofties are mobilizing again. The company already has four executives at the rank of vice president or higher who are devoted to security, supervising a battalion of 1,000 engineers and marketers. And it says it now spends roughly $1 billion a year on security research, or 16% of its mammoth R&D budget.

But Netscape was a foe Microsoft could see; hackers, like revolutionaries and saboteurs, are insidious. It is more difficult and takes longer to gauge the nature and scope of the threat, which partly explains why Microsoft allowed its security problems to get so bad before moving decisively. Until recently, the company didn't even write programs with the hacker threat in mind. That sounds incredible today, but think back to Microsoft's roots. Gates and CEO Steve Ballmer built their empire on standalone PCs. Rewriting software to make it more hacker-resistant was time-consuming and expensive--and it wasn't what customers cared about. They wanted an operating system that didn't crash all the time, and they wanted features that made PCs easier to use. This was true even five years ago, when Microsoft was developing the current version of Windows, XP. "If Microsoft had come to you back then and said, 'Here's Windows. It costs X. If we gave you a more secure version would you pay X plus Y?' the answer would have been a resounding 'No,' " says Michael Cherry of Directions on Microsoft, a consulting firm of former Microsoft employees who do nothing but analyze the company. "What consumers wanted was for Microsoft to keep it cheap and make as many peripherals [printers, scanners, cameras, and so on] work with it as possible. Think about airport security. No one wanted that until after 9/11. Security was viewed by Microsoft's customers as an inconvenience."

Broadband changed that. As tens of millions of consumers and businesses converted to high-speed Internet connections, the opportunities for hackers to make mischief grew exponentially. The virtue of broadband connections--that they are always on--also turns out to be their vice--they are always exposed. Firewalls and encryption programs and antivirus software are supposed to safeguard PCs, but even today most consumers and many businesses don't understand enough about computers to know why protection is necessary. Those who do understand often find safeguards too expensive or inconvenient. The entire antivirus business accounts for only about $3 billion in annual sales.

The resulting danger to Microsoft's reputation--and to its empire--is very real. In late 2001, after the Code Red and Nimda viruses crippled thousands of corporate servers and slowed Internet traffic to a crawl, General Motors CIO Ralph Szygenda, who oversees a $3-billion-a-year IT budget, gave Gates and his top executives a tongue-lashing. He threatened to replace GM's 125,000 desktop computers with Linux or Apple systems. Gates responded in early 2002 with a blunt e-mail to the staff saying, in effect, that unless Microsoft convincingly improved the security of its software, its business would be doomed.

Attacks on Windows since then have helped stoke demand for Linux, the upstart operating system that has the backing of IBM, Hewlett-Packard, and Oracle. Four years after IBM said it would sell support for any company using Linux, it accounts for roughly 20% of operating systems on corporate servers. And it is starting to get a serious look as a desktop operating system as well. Already it has about the same market share--3%--as Apple does in desktop computers, and that figure is expected to double by 2007, according to research firm IDC.

Why? CIOs like Joe Poole, who helps run IT at Boscov's Department Store in Reading, Pa., think Linux is cheaper and not as virus-prone as Windows, and that means less hassle. He uses Linux on the company's 45 servers and is itching to do the same with its 1,500 desktop computers. He can't yet because the accounting applications the company depends on don't yet work on Linux. But as soon as he can get a Linux version, he will. "I can save $350 a machine and not have to spend as much time fighting virus attacks," he explains.

No wonder Gates and Ballmer are calling for a cultural revolution. Microsoft has had to retrain more than 20,000 developers, who thought they knew everything about writing good software, to do their jobs a different way. Now as they work, the programmers must document the security of every feature, explaining how a hacker might exploit it and what the program will do to prevent that. Once a block of code is complete, Microsoft gives it to in-house hackers and to hacker-consultants who try to break in. Writing software to this standard takes longer and costs more. SP2, the newly released upgrade, involved a year of effort by nearly 6,000 people and forced the next version of Windows to be delayed and scaled back.

Security issues have also compelled Microsoft to rethink the way it relates to customers. Historically, Microsoft has often come across as elitist and aloof. But with SP2 it is trying to be far more proactive. The update's most visible innovation is the "Windows security center," a screen in which Windows tells you, in English, not tech-speak, the status of your firewall, your antivirus software, and your software update settings. Windows then begs you to turn on the firewall and explains why. It begs you to install antivirus software and provides links to Symantec, McAfee, and other major companies that offer it (See "A Trip to the Antivirus War Room"). And it begs you to turn on Windows update--a feature that lets Microsoft reach automatically into your copy of Windows via the Internet and install the latest fixes that might prevent a virus attack. Both the firewall and Windows update have always been part of XP. But security consultants say that only a fraction of users--especially home users--have them turned on.

Here's how obsessed Microsoft has become with making sure consumers get the help they need. When SP2 was unveiled, Microsoft's support center started getting calls from customers who were struggling to install the new code. Richard Kaplan, one of Microsoft's vice presidents of security, recalls: "We had this conference call every morning around the customer experience installing Service Pack 2. The team was saying, 'We don't know what the problem is,' and the customers couldn't tell us. So I told one of the support guys, 'Drive out to someone's house and get their PC.' He said, 'What do you mean, go to their house?' I said, 'Some of these people live near our support centers. If you get one of them on the phone and they give you their phone number, and you notice that they live nearby, just ask if you can drive over and get their PC.' Everyone thought it was a little weird, but it demonstrated that we were listening and responding quickly." The goal was twofold: Fix the machines, and make sure that when other customers called in, technicians on the phone could tell them exactly what to do.

Microsoft is finding that security is costing more time and money than anyone realized. For example, even if every Windows XP user wanted SP2 today, the file is so large that it would take Microsoft at least four months to download it to most of its XP user base. Doing it faster, the company fears, would gridlock the Internet. And SP2 makes only a dent in the security challenge; it does nothing to help the hundreds of millions of computers running earlier versions of Windows like 2000 or 98. Microsoft isn't going to spend the money to revise programs that old; it is waiting for those users to upgrade to receive security benefits. The security woes eat at customer loyalty; indeed, for the first time since Microsoft vanquished Netscape, users are giving alternate browsers, like Mozilla's Firefox, a look.

Meanwhile, the virus problem seems to only get worse. The MyDoom virus in late January spread faster than any previous virus and caused billions of dollars in damage. In May the Sasser worm infected more than a million Windows PCs. Symantec's twice-yearly Internet Security Threat Report said in September that the company had identified nearly 4,500 new Windows viruses in the first six months of 2004, 4½ times the number in the same period a year ago. As this article went to press, a virus called Bagle that bypasses antivirus programs was rumbling through computer systems.

None of that will stop Microsoft from trying. For starters, says Mike Nash, another Microsoft vice president of security, it aims to better educate users about dealing with viruses, a stratagem meant not only to help make their computers safer but also to take some of the heat off the brand. Today when a virus knocks out computers, users tend to blame Microsoft. But should they, if Windows XP includes a firewall and antivirus protection that work if they're turned on? The challenge, explains Nash, is to get users to take responsibility for their machines. They need to think of PCs less as appliances and more as cars--devices that need to be maintained, and that you have to remember to lock.

On the technical front, another year or two should bring programs that make security more foolproof and high tech. Gates calls this kind of software dynamic system protection. For example, you won't be able to take your laptop from home and plug it into your corporate network until Windows tests the computer for security holes. Other programs will incorporate "behavior blocking" intelligence to spot and isolate aberrant activity that might be caused by a virus. If an e-mail virus, say, tries to delete your Microsoft Outlook mail or turn your PC into a spam machine, the computer will thwart it. The challenge for programmers, says Kaplan, "is to figure out a set of behaviors that should be expected and allowed, and a set of behaviors that shouldn't be expected and allowed." Even though the behavior being blocked is the computer's, not the owner's, Kaplan admits behavior blocking has Big Brotherish overtones that could make it tricky to sell. "But it's something we're working hard on, and I think we can get it right," he says.

Microsoft is also getting into the antivirus software business--two years ago it bought GeCAD Software, a Romanian antivirus startup, to jump-start the effort. Symantec CEO John Thompson obviously doesn't want Microsoft horning in on what has become a lucrative niche. His has been one of the best-performing tech stocks in the past two years. But Microsoft's logic is straightforward: Since its reputation gets hammered every time a big virus hits, its responsibility to both customers and shareholders is to do what it can to stop that. If this means virus software has to be Microsoft software so that it's installed and up to date on every computer, so be it.

For now Microsoft still has breathing room. Most users think the hassle of switching to Linux or Mac outweighs the benefits. As long as Microsoft can convince users that it will slow the rate of virus infections and reduce the damage they cause, they'll stick with Windows and other Microsoft mainstays. "Even Microsoft would tell you that some of the [bashing] is richly deserved. They didn't do things that could have been done to fix their software early enough. But I like the progress they are making," says GM's CTO Tony Scott. "We recognize this is not something you do overnight." Microsoft can only hope that executives like Scott understand it won't be next year either.

[This article contains a table. Please see hardcopy of magazine or PDF]

 

 


FEEDBACK fvogelstein@fortunemail.com