A Matter of National Security: Microsoft Government Security Program Provides National Governments with Access to Windows Source Code



Craig Mundie, senior vice president and chief technical officer of advanced strategies and policies

REDMOND, Wash., Jan. 14, 2003 — As information technology has become increasingly central to our daily lives, computer security and privacy have taken on a growing importance. For national governments, the questions surrounding computing security are especially critical. From protecting personal data about their citizens to safeguarding secret information related to national defense issues, public agencies face a wide range of security issues that have profound social and political implications. That has made the task of implementing secure information technology systems one of the most pressing concerns for national governments.

Recognizing that government agencies have a vital interest in building and implementing information systems that they can trust to be safe and secure, Microsoft has established a new program that provides national governments with access to Windows source code and other technical information. Called the Government Security Program (GSP), this new initiative is designed to provide governments and international organizations with information about the Windows Platform, enhancing their ability to design and deploy secure computing infrastructures. The program will also promote closer collaboration and relationships between Microsoft security professionals and their government counterparts.

PressPass spoke with Craig Mundie, senior vice president and chief technical officer of advanced strategies and policies at Microsoft, about the new program:

PressPass: Can you start by telling us what prompted Microsoft to launch this new program?

Mundie: Sure. If you think about all of the different kinds of privileged information that government agencies at a national level are responsible for, from tax data and healthcare information about individual citizens to military data that has vital national security implications, it quickly becomes clear that governments have a profound interest in dealing with computing security and must place security at the forefront of their information-technology requirements. Designed to provide national governments with the information and access they need to conduct robust security reviews of our products and be confident in the security features of the Windows platform, the Government Security Program is one integral element in Microsoft’s efforts to help address the unique security requirements of governments and international organizations throughout the world. To do that, the GSP offers free access to source code of Windows 2000, Windows XP, and Windows Server 2003.

In addition, the program offers opportunities for government computing professionals to visit us here in Redmond to review Windows development, testing, and deployment processes, and to discuss ongoing and future projects with Microsoft security experts. This program is an integral element of our efforts to help address the unique security requirements of governments. It’s an important step toward the objective of Trustworthy Computing.

PressPass: What benefits do governments receive from participating in the program?

Mundie: The program includes a number of specific benefits, starting with instant online access to source code for the most current versions and beta releases of Windows operating systems. Further, Microsoft discloses a wide range of technical information that is designed to provide government technical experts who participate in the program with an engineer’s eye view of Windows architecture.

As I mentioned, the program also includes an invitation for agency representatives to visit us in Redmond for one to two weeks. While in Redmond, they’ll get to see how Windows is built, and they’ll meet with the people here at Microsoft who really understand Windows at a deep, fundamental level and can help answer their questions and concerns about security-related issues. The program also includes access to cryptographic code and development tools, subject to certain requirements, such as U.S. export regulations.

I believe that governments that participate in the program have the opportunity to come away from the program with an improved ability to conduct security and privacy audits, better ideas about how to design, build, and maintain secure computing environments, and new ideas about how to troubleshoot and optimize their systems.

PressPass: This is a new program. Are any governments participating now? Are all governments eligible?

Mundie: There are a handful of countries that are subject to U.S. trade embargoes — Cuba, for example, or Iraq — so those nations aren’t eligible. And because the Government Security Program provides access to Microsoft’s intellectual property, eligibility depends to a great degree on a nation’s laws and attitudes toward intellectual property. At the moment, about 60 countries are eligible to participate, including major developing nations such as China, Brazil, and India. As more and more nations bring their laws and practices in line with international standards, that number will grow.

It’s important to note that agencies from these more than 60 eligible nations do not need to be Microsoft customers, or have a certain number of Windows seats installed, or use certain Microsoft products in order to participate in the GSP.

So far, NATO has signed a GSP agreement as well as Atlas, as authorized by the Federal Agency for Governmental Communication and Information (FAGCI) in Russia. Additionally, we’re currently in discussions with about 20 other governments about how they can benefit from the Government Security Program.

PressPass: You say that this program is aimed at national governments. What does that mean, exactly? What kind of government organizations can take part in the Government Security Program?

Mundie: Because the GSP was created to help address security concerns and vulnerabilities at a national level, we expect to work with those central national agencies that focus on security as a core priority, and that have the responsibility of conducting overall security reviews on behalf of their central governments. So what we’re probably talking about is a national interior ministry or a dedicated security department. The program is not designed for government agencies at a state, or provincial, or local level. Nor is it aimed at government agencies that require source-code access for product support or development purposes unrelated to security matters. The needs of those agencies would likely be served best by the Shared Source Initiative program.

PressPass: How does the GSP fit in with the Shared Source Initiative programs?

Mundie: The Government Security Program is one more important element in Microsoft’s ongoing efforts to do two things. First, to make security a central focus of all of our product development efforts so we can help meet the security needs of every customer, including government organizations, and second, to make Windows source code more transparent to customers and partners.

To address that second point, Microsoft launched the Shared Source Initiative in 2001 as a balanced approach to code sharing that makes source code broadly available while preserving the intellectual property rights that have sustained innovation and growth throughout the software industry over the past quarter-century. SSI serves as a foundation for a wide range of source-licensing programs that are geared to the specific needs of different groups that we interact with, including enterprise customers, partners, educational institutions, and government organizations. In the context of the Government Security Program, by sharing source code, we help Windows users build computing environments that are inherently more secure.

The GSP is also another important step toward realizing the goals we set out to achieve when we announced the Trustworthy Computing Initiative in 2002. That is the first point I alluded to. Trustworthy Computing aims to improve the inherent security, privacy, and reliability of all Microsoft products and services. We’ve made a great deal of progress by, for example, reducing vulnerabilities in the code, making systems more resilient in the face of a malicious attack, and adding new features that help ensure that systems are available when they are needed and that they perform at the levels that users expect. With the GSP we are continuing this progress by providing program participants with the information and access they need to have confidence in the security of the Windows platform. Taken together, then, with the Government Security Program we are demonstrating our commitment both to making Windows source code more transparent to customers and increasing customer trust in the security both of our products and the IT industry generally.

PressPass: Microsoft has called the Common Criteria Certification awarded to Windows 2000 in October for its high level of security quality assurance a “milestone toward Trustworthy Computing.” Did that award have any implications for national governments? And does it tie in with the Government Security Program at all?

Mundie: Common Criteria is a globally-accepted, independent standard for evaluating the security capabilities of information technology products. It enables customers to make technology decisions with the confidence that comes from knowing that the technologies have been rigorously tested. In the process of receiving that certification, the evaluation of Windows 2000 went significantly further than that of any other operating system, and the Common Criteria Certification awarded to Windows 2000 covers a broad set of real-world scenarios that no other operating system can match.

Many government agencies around the world require Common Criteria Certification as part of the acquisition process. GSP takes it one step further. Now not only can national governments implement Windows-based technology systems with the confidence that comes with Common Criteria Certification, but they can then work with us through the Government Security Program to examine Windows source code and collaborate with our security experts. When they’re done, they’ll be able to conduct stringent security audits of their technology infrastructure and build systems that offer the high levels of security that are required when the issues are as large as national security.

PressPass: Are there any final points about the GSP you want to make?

Mundie: The IT security needs of national governments and international organizations are pronounced. They demand IT products and systems that are secure, and can protect data against loss or unauthorized use, disclosure, or modification. When making their IT purchase decisions, security considerations must necessarily be at the forefront of their information-technology requirements. In talking with these government customers we were told that a program providing both access to source code and other technical information about the Windows Platform as well as increased opportunities to collaborate on IT security issues would help them address that concern. It’s because of this customer feedback that we created the Government Security Program. Through it we look forward to helping governments respond to today’s unprecedented security challenges, making resources available to them that facilitate the development and implementation of secure computer systems.
