Nick Wingfield: Microsoft once stood for everything wrong with security in technology. Its products were so infested with vulnerabilities that the company’s co-founder, Bill Gates, once ordered all of Microsoft engineers to stop writing new code for a month and focus on fixing the bugs in software they had already built.
But in recent years, Microsoft has cleaned up its act, even impressing security specialists like Mikko Hypponen, the chief research officer for F-Secure, a Finnish security company, who used to cringe at Microsoft’s practices.
“They’ve changed themselves from worst in class to the best in class,” Hypponen said. “The change is complete. They started taking security very seriously.”
Still, episodes of online hacking have become even more startling, including the theft of personal data from millions of Target customers and terabytes of private emails from Sony Pictures Entertainment — both companies use some Microsoft products. While Microsoft has not been blamed for the attacks, critics have insisted that the tech giant do even more to make digital systems resistant to breaches and snooping.
Microsoft’s chief executive, Satya Nadella, says he is listening. Recently he delivered a speech to government technology workers in Washington about the importance of security in the technology business and how Microsoft has evolved to confront that threat. He pointed out that most companies will probably be breached at some point.
Nadella, in a phone interview, said he intended to lay out how Microsoft products make it harder for hackers to compromise PCs, and how the company has eliminated the corporate divisions that separated security managers from each other to improve how threat information is shared.
“It’s kind of like going to the gym every day,” said Nadella, who himself runs about three miles a day. “You can’t say I’m serious about security without exercising the regimen of keeping security top of mind every second, every hour of the day.”
Talking about security was long taboo in the technology industry. But in recent years, it has become a marketing tool. Silicon Valley companies like Google and Facebook have started to advertise the work they do to secure their infrastructure and customers’ personal data, particularly in the aftermath of disclosures by Edward J Snowden, the former National Security Agency contractor who leaked classified information.
Nadella’s security push coincides with one of his top business priorities: cloud computing. Microsoft and others in the industry are aggressively promoting cloud services, which means persuading companies to store their corporate data outside their own walls. Analysts have warned that companies that do not take security seriously risk losing corporate customers, particularly foreign customers, to cloud-based services overseas.
Microsoft estimates that it now spends more than $1 billion a year on security-related initiatives, including acquisitions. It acquired three security startups in the last year alone, and the number of security employees at the company increased 20 percent during that time.
Soon after he became Microsoft’s chief executive in February of 2014, Nadella instituted a monthly meeting with security leaders from across the company. They meet to discuss industry trends and analyze threats.
He also altered how Microsoft watched the Internet for hacker attacks, an effort that had been splintered among different product groups and other divisions within the company. Microsoft now pays hackers more when they find and turn over a security hole.
Recently, Microsoft’s security managers moved into the same physical space after being scattered around the company’s campus in this Seattle suburb. On a recent tour of the new facility that Microsoft calls its Cybersecurity Defense Operations Center, workers were busy outfitting walls with large television sets that will display data about malware and other threats.
“To me, that speaks profoundly to the importance of connecting people” across the company, said Brad Smith, Microsoft’s president and chief legal officer. “They might still sit in different organizations, but they sit together, and they work together. We’re connecting the information systems so that people see the complete picture and not just information silos.”
Plenty of bugs are still being discovered in Microsoft’s code. But fears about the security of Microsoft’s programs have gradually abated. In a couple of recent widespread attacks, hackers exploited weaknesses in Adobe and the Java programming platform, not Microsoft software.
Once an attempt on one customer is detected — say, a phishing scheme, in which hackers try to steal passwords, credit card numbers and other private data through legitimate-looking emails — Microsoft says it can quickly deploy a solution that prevents all other customers on its corporate email services from falling prey to the ruse.
Microsoft carried out one such fix to its cloud customers early last year after the Syrian Electronic Army, a group of hackers who support President Bashar Assad of Syria, began a phishing attack on Microsoft’s own employees.
Still, Microsoft has been criticized for not acting fast enough. Last year, a dust-up ensued after Microsoft took more than 90 days to fix several serious bugs in its Windows software that were discovered by researchers at Google. Google went ahead and released the bugs before Microsoft had issued a patch, in keeping with Google’s 90-day policy, angering Microsoft executives.
Microsoft is also increasingly trying to limit government access to customer information. Microsoft is challenging an attempt by US authorities to obtain the emails of a customer whose data was stored on a server in Dublin. The company argues that a victory by the government would make it much harder for US technology companies to object when authorities from China or other countries demand data relevant to legal proceedings in their own nations.
To allay privacy concerns among European customers, Microsoft recently announced that two new data centers in Germany would be managed by T-Systems, a subsidiary of Deutsche Telekom, putting customer information there out of reach of U.S. law enforcement agencies.
Christopher Soghoian, principal technologist of the American Civil Liberties Union, said Microsoft was not seeking to make customer data off limits to government, only to limit it to the local authorities.
“Microsoft sees itself as a good corporate citizen,” he said. “They don’t want to deliver products that thwart government.”
There is no doubt, though, that Microsoft has made thwarting hackers a priority. Microsoft’s latest version of its operating system, Windows 10, has a feature called Windows Hello that allows people to log in to a PC with a scan of their finger, iris or face instead of using a password — weak versions of which are a common cause of data breaches.
“My goal inside the company is to get rid of passwords,” said Bret Arsenault, Microsoft’s chief information security officer.