Steve Ballmer Speech Transcript – Center for Strategic and International Studies – “Security in an Increasingly Digital World”

ROBERT HOLLEYMAN: Good afternoon. My name is Robert Holleyman and I’m president of the Business Software Alliance, and on behalf of the members of the BSA, it’s a pleasure for me to welcome you this afternoon.

As you know, BSA represents the world’s leading providers of commercial software and our key hardware partners. Many of our members are with us in the room today, including two of our CEOs, our guest speaker Steve Ballmer, and Art Coviello of RSA Security.

At BSA, we’ve been working on cyber-security issues in a variety of forma, both here in the U.S. and abroad. When our CEOs were here last October, they released a framework for action that outlines a framework that we believe can be used in all organizations to help enhance the security of networks.

We’ve also been pleased to follow up through several of the task forces from the DHS cyber-security summit that we co-hosted last December on issues such as software security across the development lifecycle; the framework for action that we created as part of a corporate governance task force that’s releasing its report next week; we’ve also been part of a great congressional process, through Chairman Adam Putnam in the House Government Reform Subcommittee — all of which is putting a lot of great ideas on the table.

But we all recognize that without cyber-security, we don’t have physical security, and we recognize in industry that more needs to be done, and we’re pleased to have this type of partnership with governments, both here and abroad, with industry leaders, and with organizations like CSIS.

We’ve hosted several events over the past year with CSIS, including an event for members of Congress. Dr. John Hamre, the president of CSIS, was the speaker at the BSA Global Tech Summit in Washington last fall. We’re delighted to have this opportunity today to co-host this event with CSIS and Dr. Hamre.

Before joining CSIS, Dr. Hamre was the deputy secretary of Defense and the under secretary of defense and comptroller. As comptroller, he was a principal assistant in working with the Secretary on preparation presentation, execution of the defense budget, and management improvement programs. Prior to that, he spent 10 years as a professional staff member of the Senate Armed Services Committee. He has substantial expertise, and I can attest to the fact that that of his staff here at CSIS had been invaluable as part of these public-private effort that are not underway to enhance and increase cyber-security in this country and around the world.

Please join me in welcoming Dr. Hamre, who will introduce our guest speaker.

(Applause.)

JOHN HAMRE: First, thanks to all of you. Robert, thanks. We are always — it’s really a privilege, always, to partner with BSA, and we cherish the partnership. Thank you. We really do. And Steve, thank you. We’re glad that you could join us. This is very important for us to provide a forum and a venue, frankly, for cutting edge issues, IT issues in Washington. I’m especially grateful to you because I — about a third of these people are my friends, and I never see them anymore, but they’re willing to come out and see you, so I’m grateful that you brought all my buddies back to the table. We normally only have, you know, six or seven cameras here when we have heads of state, but Microsoft is bigger than most countries, anyhow, so it’s — so, you know, it kind of all fits.

We really are pleased that you’re here, more than anything because if you get to one area of homeland security that has to be a partnership with the government and the private sector, it’s this. Matter of fact, you cannot do homeland security without a partnership with the private sector, and frankly, it’s not just a partnership, but in many ways, in this part of it, the private sector has to lead. And frankly, I learned that the hard way. I learned that by fighting this industry when I was at DOD, and for a long time was trying to force it to do what it didn’t want to do, and then I came to realize I could win that battle and I could lose a war, and it was only when we started making it a partnership, a real partnership, that we can collectively win.

We do not, as a country, profit and survive if our industry dies away through misgoverned processes on our part, so we only profit, we only survive as a country if our industrial base is strong and vital, and sees itself as being our partner, and I think that you’ve been instrumental in that, Steve. We’re delighted you’re here. I could read your resume, but hell, everybody knows you here. That’s why they’re here. So why don’t you come on up and get us started. Thank you.

(Applause.)

STEVE BALLMER: Good afternoon. I really want to thank both the BSA and CSIS for inviting me here today to talk about the importance of improving security in an increasingly digital world, and about the work that we’re doing at Microsoft, and in partnership with many other companies, to help make that possible. I especially want to thank all of you for taking the time and attending. They told me the ceiling would be narrow and the room would be full, and man, is it, and I am very, very appreciative.

BSA and CSIS have really a long history of helping shape public policy on emerging global issues, and security is clearly one of the most important of those issues. I appreciate all the time and energy that has been dedicated to it, including the technology conference that CSIS sponsored, and that Bill Gates spoke to here, which was just, I guess, last summer that Bill was here.

Ensuring a more secure information technology infrastructure is absolutely essential to our societal and economic future, to public safety, and to our national security. As we all know, IT is really a driving force in the world economy. It has led to significant increases in productivity. It sparked the Internet revolution, which in turn led to important new developments in e-commerce, global communication, education, entertainment, and many, many more.

Through most of the 1990s, I have to say our industry focused on making computing easier to use, more affordable, more powerful, to meet the spectacular growth and to help drive the spectacular growth in worldwide demand. Over the past few years, however, two new factors have come into play which are significant:

First, the Internet. High-speed connections and millions of new computing devices have converged to create a global network, but also a network, frankly, through which these malicious worms or viruses can circle the globe in literally minutes.

Second, we’ve seen a dramatic rise in the frequency, the boldness, and the sophistication of such criminal cyber-attacks coming from far-flung, and by and large, anonymous hackers around the world. The attacks are serious crimes that harm consumers, that disrupt business and government. One need only imagine the impact of a truly concerted assault on the IT operations of our nation’s critical infrastructure — the electric utilities, water, financial systems, transportation, and healthcare, just to name a few. The kinds of attacks we’ve seen, that have these kind of crazy names, like Blaster, and SoBig and MyDoom, once unimaginable, are crimes we need to both anticipate and act against.

This was one of the topics, actually, I discussed yesterday, when I met with Secretary Ridge of Homeland Security, and it’s a subject that is often discussed when Microsoft executives meet with government officials here as well as in other countries around the world. So we’re at a pivotal point today. As we continue to advance the frontiers of innovation in computing, we must also make the computing experience safer and more secure.

As a global leader in software, our company, Microsoft, and our products are often the prime targets for cyber criminals, yet this is not about any single technology or computing platform or company. It’s bigger than any single company. Everyone in our industry — from IBM to our new partners at Sun Microsystems, to Apple Computer —

(Laughter.)

I say that genuinely. We can come back to that in questions. — from AOL to Cisco, we all have a responsibility to move quickly and aggressively to develop the technologies that do more to help consumers protect their computers and their networks.

Government also has a vital role to play. First, we look to government as a collaborator with industry and academia on basic cyber-security research. Second, governments need to implement the criminal-justice system that will deter hackers, and we look to government to help us drive cyber-security awareness amongst consumers and consumer education.

Computer users also have an important role. Every individual, every business, every organization, every government agency that uses a computer also has a responsibility to ensure that they’re protected. This is a responsibility not only to themselves, but also to their neighbors. In today’s interconnected world, a hacker can break into one insecure computer and launch thousands, literally thousands, of cyber-attacks.

I come from Detroit, and my father worked for many years at Ford Motor Company, so let me maybe give you a car analogy which is easy to — maybe easy to understand. We need to take care of our computer systems the same way we think about our transportation infrastructure. The people responsible for roads and highways have a responsibility to keep them well maintained, safe for everyone to travel, patched, particularly after the bad winters, when necessary. The auto industry has a responsibility to continue to deliver safety innovations and to make sure that cars become more and more safe, but car owners also have a need to make sure that we’re not driving old rattletraps that are a danger to ourselves and others. This analogy works well in our industry, where the technology providers, the customers, the government, the infrastructure providers all have to play a role.

I’d like to say a little more about the nature of this cyber-security threat, because it’s important that we all understand what we’re facing. In the weeks, months, years ahead, there will be times when the security challenges we collectively face seem actually to be getting worse, not better. There’s no silver bullet, no one magical answer. As security threats change, our responses must also adapt and change. All of us in the IT business are now, whether we anticipated it or not, permanently in the security business as well.

Security is absolutely the — I was going to say a, but I’ll say the — top priority for us at Microsoft, and today, I’d like to share a little progress report with you on the security work we’ve been doing since Bill Gates declared our trustworthy computing initiative a top priority just two years ago. Specifically, I really want to discuss the four key areas of security R & D that we’re investing in, the partnerships that we’re creating with government and industry, and the educational initiatives underway to help customers really understand how to be more secure. All of these, taken together, underscore our commitment to meeting the security challenges of the new century.

Let me talk first about the technology solutions. We’re committing a significant percentage of our almost $7 billion in research and development to investments that will help customers be more connected and protected — connected and protected, both of which being very important. These efforts include four specific areas of focus that I want to run through.

The centerpiece is something we refer to as isolation — kind of a funny word in a broadly connected world, but let me explain it. We talk about isolation as preventing malicious code from getting into computers, and beyond that, making those computers more resilient when they’re actually attacked. When we protect users through isolation, the great thing is that it still allows them to enjoy the benefits of a connected experience, yet stay isolated or shielded, in a sense, from harm.

We’re also focused on making it easier to keep software up to date, on improving the quality of software, and on strengthening the tools for keeping intruders out — what we call authentication and access control. Without getting too technical today — I’ll try to avoid that — I’d like to take a few minutes to explain some of our work in each of these areas, just to give you a little bit of a feel.

First, isolation and resiliency. One of the ways we’re trying to make computers safer is by preventing malicious code from gaining a foothold on computers and on networks. That’s really the centerpiece, because of the way these cyber-attacks are evolving. The Blaster worm, just as an example, hijacked individual computers, turning innocent users into unknowing propagators, if you will, of these swarming attacks. These kinds of attacks are intentionally coordinated by the perpetrators to cause multiplied, cascading effects. A whole new kind of threat, they’re on a much bigger scale — much bigger scale — in terms of the damage they can do than anything we’ve seen before. They require that we draw a stronger line of defense around each computer and each network, so even as these threats continue to evolve to levels of sophistication unknowable today, the isolation can help deliver better protection

Isolation secures the point of entry to the network of computers, or to the individual computer, and provides a level of protection for all of the computers inside the isolation layer, including any of the literally hundreds of millions of installed base of computers which have yet to be upgraded to the most recent and more secure software. That’s what we’re doing through many, many different technical advances.

If you just take our flagship operating system, Windows XP, in the next few months, literally, we’ll be releasing what we call a Service Pack, or update, that will provide a number of key advances. First, a protective firewall will be turned on automatically, reducing the attack surface of PCs and networks. With the Slammer and Blaster worms, you were protected if your software was up to date, but even if you were running old software, you were still protected if the firewall in Windows XP was turned on

When we shipped Windows XP in 2001, customers told us they didn’t want it turned on by default, so the user had to explicitly turn it on, but the world has changed since then. Users can still turn the firewall off in this new service pack, but otherwise, it’s going to be on, from the day people download the service pack or get a new computer with Service Pack 2 installed.

Other advances: Internet Explorer will automatically block unwanted pop-ups or downloads coming in from Web sites, which can carry damaging code. E-mail and Instant Messaging will handle file attachments in better and safer ways. The new Windows Security Center will help monitor and notify users about key security information on their systems. And new technology will help make it harder for worms and viruses to exploit what are called buffer overruns in a computer memory.

Later this year, we’ll be releasing similar advances for our Windows Server product, Windows Server 2003, plus other technologies that will give IT administrators more control over how servers are configured, to make them more secure. We’ll also release new, stronger firewall protection for corporate and government networks.

And because many attacks are sent through e-mail and e-mail attachments, we’re working on new technology to block malicious e-mail and junk mail — the junk mail is kind of a peripheral benefit, not directly security related, but many of us suffer from it — to defend against e-mail attacks and various viruses that get delivered via e-mail, and to help you encrypt e-mail messages to make them more secure. We call this technology Exchange Edge services, and it’s also designed to provide a real foundation, not just for our company, but for other software developers to do even more advanced work in e-mail filtering, encryption, and e-mail security solutions.

Further out in time, we’re working on some major advances in what we call Active Protection Technologies. That’s quite a mouthful. But the key idea here is to make the computer more resilient — and resiliency really is the key word — in the presence of increasingly sophisticated worms and viruses.

One example of this is what’s called behavior-blocking, which are really technologies about identifying and intercepting code that looks suspicious, before the computer is infected. You think it’s kind of an odd idea, but you actually don’t know what a program does that comes onto the machine, but the computer can kind of look at it and say, “Doesn’t smell right to me. I won’t execute this without asking the user for permission.” And that’s really an important area of breakthrough.

Another example of resilient technology we’re working on is network quarantine, and this is the notion of making sure that we inspect PCs to make sure they’re secure before they’re allowed to attach to a corporate or government network. Many of these viruses have been spreading as people take laptops home, to the hotel, and then reintroduced them to the corporate network, and it’s like a back door into the network for viruses.

Around this core of isolation and resiliency, we’re working in three other very important technical areas. One of them is software updating. Updates are a primary way that customers do protect against exploits of security vulnerabilities, so making updating super easy and automatic is really very important. Some of you may be familiar with a little balloon that periodically appears on your screen, saying “New updates are ready.” That’s the type of thing that we’re talking about when we talk about updating.

There are two points on this. First, please, as a point of recommendation from me to you, please do install those updates. They really are very important to your computing safety.

And second, we’ve made some really great advances in how we deliver updates, and there’s more good more good things coming.

Today, with Windows XP and with Windows 2000, consumers and businesses can download and install important security updates automatically, and we have about 100 million customers using our on-line services today. You can turn it off with a single click or turn it on with a single click. If you go to microsoft.com/protect, it will tell you exactly how to automatically get those updates down on your machine. For larger customers, we offer services that help IT people to quickly deploy critical security updates to any desktop and any server machine, and we’re strengthening those services, as well. For both consumers and businesses, we’re extending automatic upgrade services beyond Windows to other key Microsoft products. That’s something I’m personally very, very enthusiastic about.

Of course, the first line of defense against hackers is creating software code that is engineered with security in mind, and that’s where our commitment to quality comes in.

In today’s security environment, code needs to be written with the assumption that it’s going to come under attack. Yet software engineers right out of university often have very little knowledge of how to write code that is secure. We are in the process at Microsoft of funding curriculum and university projects on topics like wireless security, privacy technologies, secure software engineering and dependable systems, so that there’s a better flow to all of us of talent in this key area.

Internally, we’ve undertaken a very rigorous initiative for engineering excellence, so that every one of our engineers is trained and understands and uses best practices in secure software design, development, testing, and release. Our research engineers have developed very powerful new software development tools that automatically will look through a piece of software, a program, and test and look for common coding errors before the product is released, and help developers go back and look for potential security flaws. We’re using those tools in developing all our new products, and we’ll soon be offering those more broadly to all software developers who use our tools.

We’re doing this because software vulnerabilities are not, as I mentioned a few minutes ago, just a Microsoft issue. There’s an industry-wide issue of software vulnerabilities. For example, a new study by the analyst firm, Forrester Research, shows that between the years 2002 and 2003, nearly twice as many security flaws were actually found in Red Hat Linux as in Windows. I don’t care if it’s our product, a competitive product. We all need to work to eliminate the vulnerabilities in these popular software products.

We’re working certainly to eliminate as many of the vulnerabilities as we can, and those efforts are really paying off, most importantly, for the customers buying our new products. With Windows Server 2003, in its first 11 months — first 11 months on the market — the number of critical or important security bulletins was more than 75 percent less than the prior release, Windows Server 2000 had in its 11 first 11 months on the market — a 75 percent decrease because of the training, ,because of the tools we put in place. So we’re making progress, but even with that level of progress, rest assured we know there is a lot, lot more work still to do.

Another important focus for us is working with other industry leaders on next-generation technologies that control who gets access to networks and computers, and how they get that access. My colleague, Art Coviello from RSA Corporation, is here today, and I’m proud of the work our two companies are really doing together in order to create better authentication and access control technologies for the world at large. The kinds of things we’re talking about in this area include smart cards, what we call two-factor authentication.

These are technologies, by the way, that are very and increasingly important to really many, many government agencies. Things like biometric ID cards are really just around the corner, and some of these sci-fi things, where the computer recognizes you and identifies you securely — those things will become real over the course of the next, what, several years, I would say.

Let me give you just one example of the kind of work we’re doing in this area. Authentication is super-important for wireless computing, but it’s harder to achieve, because anybody can gain access to a wireless signal. I don’t know how many people walk by a Starbucks or many other stores now, or you walk through a hotel or you walk into a building. Your computer will show you all of the wireless networks that are around.

At Microsoft, we’re very dedicated, though, to deploying these wireless technologies across our own campuses worldwide, in order to enable our employees to connect to our corporate network while they’re at meetings, visiting field offices, and so forth and so on, but we know it needed to be as safe, if not safer, than current wired technology. So, working with a variety of other industry business partners, we developed an authentication solution that has advanced features which make it much, much harder to really crack, if you’re a hacker, this wireless network.

I cite this example because we believe that as we advance security, we shouldn’t retreat on the freedom that technology provides. We’re focused on ways to upgrade security so users can feel free, and connected, and secure. Users shouldn’t have to give up any one of those benefits.

Now, one point really underlying this whole discussion is, the best technologies in the world are ineffective if IT companies do not make security easier to use, and people don’t know how to exercise their security choices. It’s really a major challenge, given the hundreds of millions of computer users around the globe, frankly at every level of technical sophistication and security savvy. That’s why we’re also investing in education programs worldwide to help customers understand how to make their environments more secure. We’re also working with governments to deter cyber-crime, and with law enforcement to help investigate and prosecute it.

Let me give you an analogy. The best lock in the world is useless if people leave the front door unlocked, or the [key under the mat], so we’re investing in basic consumer education about commonsense measures that can help people protect themselves and effectively their neighbors. We have a worldwide campaign called Protect Your PC that provides simple guidance on the three key steps every computer user should take, even home users. I’ll even mention them now. You don’t need to write them down if you don’t want to. They’re very easy to remember, and all the details can be found are on Microsoft.com, anyway, if you’re interested: One, use a firewall; two, stay up to date with security updates; and three, use and keep antivirus solutions up to date. Less than 30 percent of all computers that have antivirus installed actually have that antivirus software up to date less than 30 percent.

We are working for security education with partners in our industries and with groups such as the Consumer Federation of America, the National Consumers League, Consumer Action and the National Cybersecurity Alliance, supported both by DHS and by the FTC, and we’re appreciative of all the efforts that those agencies are putting in. We’ve joined forces with companies like Computer Associates, Symantec, Network Associates and others, to create incentives for customers to install antivirus and personal firewall software on their computers. For IT professionals, we’re hosting 21 security summits around the U.S., including one actually that’s here in Washington D.C. tomorrow, for those of you who around technically inclined, to provide free technical security training. We’ve set a goal of reaching, in person, 500,000 business customers by the end of this year with information on how to optimize systems and networks for a secure world.

Everyone in the IT industry is used to competing hard, but on cyber-security we know we have to come together and collaborate in very new ways on this industry-wide national and international problem. To give you a few examples of where this is happening, we helped form something called the Virus Information Alliance, which includes 10 leading antivirus vendors, to help Internet users find information about the latest virus threats; we’ve worked with many Internet service providers who connect people to the Internet to form the Global Infrastructure Alliance for Internet Safety, which played a critical role in identifying and curbing the so-called MyDoom virus; and we’re working with law enforcement on a global basis to catch and prosecute hackers.

Last November, Microsoft established the Antivirus Rewards Program. In cooperation with the FBI, Secret Service and Interpol, we’re offering significant cash rewards for information that leads law enforcement and results in the arrest and conviction of cyber-criminals. We’re collaborating with governments to protect critical infrastructure here in the United States and in many, many other countries. We recently began work with National Security’s National Cyber-Security Division on raising awareness of cyber-threats through the release of very prompt and well-formed security bulletins. Along with our industry partners, we’re proud to be involved in the effort to connect much of the federal Homeland Security community into a national network for information sharing and intelligence analysis. We’re also eager to work with government on policy matters, including more resources for law enforcement, ratification of the Council of Europe Cyber-Crime Treaty, investment in basic research, and broad consumer education campaigns, as I noted before.

I could go on, but I want to leave some time for questions and comments, so the point I really want to make in closing is that Microsoft is very strongly committed as an industry leader to addressing security head on. We’re committed to shipping more secure products; we’re committed to making it easier for our programmers and other programmers in the industry to write secure code; we’re committed to working with customers so they’re better educated about security and better understand their security choices; we’re committed to working with industry and law enforcement to stop cyber-crime at its source. Simply put, we’re committed as a company, as a top priority, to building a more secure computing infrastructure, both here and around the world.

These are real threats, and the stakes for society and for economic future and national security are very high. But I think every challenge is actually an opportunity, and I believe that this challenge is also an opportunity to invent, a challenge to innovate, and a challenge to change the world, an opportunity to change the world, for the better. Microsoft was founded with a vision that software could do some of the most amazing things and offer tremendous benefits to its users. In an era of great challenge, that prospect, that opportunity to change the world through software is greater than ever.

I want to thank you again very much for your attendance and participation and interest, and I’ll look forward to a few questions and comments.

Thank you very much.

(Applause.)

JIM LEWIS: We have time — Hi, I’m Jim Lewis from CSIS. We have time for two or three questions, so if we’ve got some around the room. Stunned into silence? Oh, there’s one. Go ahead, please. If you introduce yourself, and there will be a microphone in a minute.

QUESTION: Chandler with the Senate Commerce Committee. Recently one of — a software vendor in the industry has decided that they caught a lot of flack for charging for their patches. And I was just curious, you know, what is Microsoft’s position on this? And is there any future in, you know, having customers pay for patching software?

STEVE BALLMER: Well, I think each business needs to make the appropriate decisions in its and its customers’ business interest. We have not taken a stance that it is appropriate for us at this stage to charge customers for security patches. Point of fact, we’re trying to get as many of those patches out as quickly and easily as we possibly can. There is an appropriate role in our industry for people that charge for software to be maintained. I think there are some things, though, that you’ve got to view as sort of the price or cost of doing business, and certainly that’s the way we see these security patches right now. The issue on which I’d say we feel more commercial pressure is, do we continue to provide security patches for free to people who have pirated our software?

(Laughter.)

STEVE BALLMER: No, it’s a complicated issue. Because the pirated version can do as much damage to other users, frankly, as the legitimate version. Today our policy by and large is to also let pirated copies have access to security fixes at no cost. I can’t commit that I would expect to see that extend forever, however.

QUESTION: Hi. I’m Barbara Matthews with the Financial Services Committee, staff of the Financial Services Committee, let’s make that clear. In the financial services sector, of course, there’s a lot of information that is processed and a lot of code that is written outside the United States. Could you describe in addition to the European convention what your other international security priorities might be, and if there are any specific ones that are relevant to the financial services industry?

STEVE BALLMER: Yeah. Let me say, there are a couple of things which are absolutely global. Any technology that we build for security, to the degree it meets export requirements coming out of the U.S. government, will be available globally, which is important, because these attacks can propagate through non-U.S. computers as well as U.S. computers, so I think it’s very important to think of that as a global infrastructure we’re building.

The education initiatives that I talked about are global education initiatives. So do we have a team that will be in Bangalore in India teaching the writing of secure software? You bet. Will some of that software be used by U.S. financial institutions? Absolutely. And so we need to get to the people who write the code at the source, wherever they happen to be in the world. Specifically, you highlight some of the issues in financial services where increasingly people are writing code outside the United States, and I think we well recognize that, and we also have good partnerships with many of the companies who are writing some of that software so we can help get their folks trained right at the source.

There are a set of security issues which are, I won’t say unique to financial services, but where the financial services industry has a particularly strong point of view. When I talked about authentication and access, particularly important. Some of the security attacks that will probably cost the most long-term damage are not the ones that are in the newspaper. If I steal your identity, I don’t want to be in the newspaper. If I’m a hacker who wants to get his name — well, I don’t know about his name — his virus’s name, or her virus’s name on the front page of the paper, yes, then I want to be well known and attack everywhere. So there are a variety of things in financial services which are potentially more dangerous but a little less visible than some of the attacks we’ve seen so far.

QUESTION: My name is Philip Steger. I’m from the Embassy of Austria. I’m a Mac user, and as such I’ve been spared many of the viruses. And one of the questions that of course comes up when you see a lot of your colleagues who are working with a specific other operating system, the question — and having, you know, a lot of problems — the question comes up is, isn’t the preponderance of one major operating system part of the problem?

STEVE BALLMER: No.

(Laughter.)

STEVE BALLMER: No, I’d be happy to explain it, too. But the answer is no.

(Laughter.)

STEVE BALLMER: Let me give a little context around that. There are an installed base of about 600 million computers in the world. That’s a good thing. I hope nobody disagrees that it’s a good thing that there’s a lot of computers installed. If we’re going to continue to see computers flourish and have many, many more hundreds of millions of computers, the truth is whether there is one or two — not that I’m desirous to see there be a lot more than Windows. I love Windows, but whether there’s one or two or three operating systems that have some high percentage of that installed base, the truth is, hackers will go after one or two or three. They will go after what is popular. They will go after what is popular.

If we said, “Whoa, wouldn’t it be great if the world had 100 million different operating systems, because then none of them would be popular, and nobody would ever attack any of the operating systems?” Well, that’s obviously not a very good idea, because when you get things spread that thin, there’d be no critical mass of computers that people could write applications for, so the computers would have much less value. The truth is, we have a lot of the users, but, you know, Linux gets attacked all the time. The Mac, less so, because the Mac’s an even more narrow percentage of the population. We’re glad you love your Mac. We’ve got a new version of Mac Office. I encourage you to take a look at it.

(Laughter.)

STEVE BALLMER: So, we are not anti-Macintosh in any sense. But I think that as long as there are a handful or less of operating systems that are popular, hackers will figure out how to attack each and every one of them, because there will be profit to be made, national security interests to be pursued, and mischief to be done. And so I don’t think — I don’t buy into the argument, which I have heard articulated before, that you raise.

QUESTION: Hi. I’m Chris Rothis with the U.S. State Department. You have integrated a firewall into the Windows operating system. Is there any plans to integrate anti-viral software into the operating system as well?

STEVE BALLMER: We don’t have current plans to integrate anti-virus software. We remain open to the idea, but we’re trying to figure out what is in the broad best interests of our customers and our industry partners. We need innovation around anti-virus in our environment. Yet I think our customers probably would like some basic level of anti-virus capability built in. We don’t have a plan to do that, but I won’t be so naive as to imply that there aren’t customers who have said exactly what you said, which is just go do it. So we’re trying to have the right kind of a dialogue to say what should we do? What should be the integrated fundamental innovation, like behavior blocking, which I talked about, and how do we still have the right kind of relationship, not only with companies like RSA, but Network Associates and Symantec and others? And so today we focus on those relationships, and we’re in constant dialogue about sort of the way to take the entire industry to the next level, which is a way of saying, no, no plans today, but we can’t be closed minded on the issue.

JIM LEWIS: Okay. Well, join me in thanking our speaker, please.

(Applause.)

STEVE BALLMER: Thank you very much.

(Applause.)