Speech Transcript – Craig Mundie, American Chamber of Commerce in Thailand

Remarks by Craig Mundie, Senior Vice President and Chief Technical Officer, Advanced Strategies and Policy, Microsoft Corporation
“Information Security in the Digital Decade”
American Chamber of Commerce in Thailand
Bangkok
October 20, 2003

Host: Were going to go ahead and move forward with the program at this point in time. Please, continue to enjoy your lunch. It is my great pleasure to introduce to you Mr. Craig Mundie. Just a few moments, a few brief words of background information: Mr. Mundie is the Senior Vice President and Chief Technical Officer of a little company called Microsoft Corporation. Its nice to talk to you face-to-face and he has also said that he will take questions at the end of the presentation. So please join me in welcoming Mr. Mundie to the conference.

[applause]

Craig Mundie: Good afternoon, everyone. I would much rather talk with you a little bit and give you some things to think about and then answer questions than have you listen to a long talk about my biography.

Todaythis is my first visit to Thailand. Unfortunately, I wont get to see much of the country because the schedule doesnt permit, but I hope to be coming back. One of the reasons is I spend a lot of time in this region increasingly and in developing countries around the world dealing with these questions of technology policy. Clearly there are a lot of issues that we all face today. One of the things that is absolutely clear is that the information technology, software design in particular, has achieved a status now where society is broadly and critically dependent on it.

Society always goes through a stage where it invents something new, whether it was the printing press hundreds of years ago, which took actually several hundred years to ripple through the then [inaudible] societies and create fundamental change, to electricity, running water, advanced media, that each of these things is something that has affected the planet and the societies that are on it.

Computing is perhaps one that may have ultimately the greatest effect of any so far. It will be more pervasive in terms of its interaction with every aspect of living and working than almost any other thing in the past.

Certainly electricity touches many, many things today. Computing couldnt be done without it. But electricity is not a technology that in and of itself remembers anything. And one of the challenges that we have as we address computing these days is the fact that its a very malleable technology, and its one that is becoming more and more intimate with every aspect of our business and personal lives. And as a result, we have to face some new realities.

Its easy to sit and talk about the idea that computing is now a critical infrastructure, but its sometimes really hard to gauge, you know, how dependent are we today? And whats it likely to be in the future? For me it was quite a visceral lesson when the terrorist events occurred in the United States on 9-11, 2001. I have been a member for several years of a White House committee on National Telecommunications Security. And as such I have spent time with people talking both ahead of time, and subsequently after the fact, with what issues arise when there are outages in telecommunications. The Trade Center attack was notable in a number of ways, but some that were not quite as visible as the obvious planes flying into buildings included the effects on the cellular telephony environment in the United States and the New York Stock Exchange. When the buildings collapsed, the cell phone communications capabilities on the Eastern half of the United States basically went out for about 24 hours. Someone could say, Why did you lose the whole Eastern half of the country for radio-based telecommunications? You know, all that happened was these two buildings fell down. The answer was there was a switch that is in the basement of that building. And despite all the telecommunications planning capacity, when that switch was lost, the real ability to route around that loss of capacity affected all telecommunications on the Eastern seaboard of the country for more than a day. In fact, it extended quite a bit further. The New York Stock Exchange, as you may remember, which clearly was an integral part of not only the United States but the global financial infrastructure, didnt trade for a week. And notably, there was no physical damage to the New York Stock Exchange. It wasnt in the Trade Center. It was nearby. None of its direct infrastructure was affected by the attack or the collapse of the buildings. So why was it out for a week? And the answer? It took a week to restore telecommunications capacity in a sufficient level to allow the exchanges to begin to transact traffic with all of the other computer systems in stock exchanges on a global basis. The financial effect of not being able to operate that exchange for a week was certainly substantial in the United States and ultimately had some ripple effects around the world.

So here you lost two buildings in one city in one country, and you ultimately have a fairly dramatic effect from that loss. So the real question is, you know, How dependent are we and how are we going to deal with the fact that we increasingly have these new dependencies? So this afternoon I really want to focus most of the rest of my remarks on this question of Information Security as it relates to trusting computer systems and telecommunications in the years ahead.

Some of you may have heard Colin Powell speak for this meeting. Certainly, even if you just read the newspapers, theres lots of terms that appear today in broad discussions about the international environment, particularly around attacks of different types. So theres a term WMD. It stands for Weapons of Mass Destruction. But in my world, which is more focused on cyber-terrorism and cyber-security than in the physical world, we also use WMD, stands for Weapons of Mass Disruption. The attacks that are being unleashed through the Internet, many of which are just malicious interference today, could certainly be thought of as weapons if in the hands of people who have much more malicious intent in the future. And when you look at the actual costs of these attacks and you look at the disruption they caused in business in daily life, you realize that if these things were able to proliferate much more widely than they even do today, the differences could be quite substantial. We often talk in cyberspace now about proliferation, but it isnt about nuclear weapons proliferation, its about the proliferation of the devices and the means not only to connect and reprogram them, but ultimately the means that are increasingly available for people to disrupt them or interfere with their operation.

We talked about critical infrastructure protection. And it isnt about bridges and critical roadways or the food supply. We talked about the Internet, communications links that bring it all together and how were going to be able to protect those things. So, it becomes very, very clear that the society is dependent on these technologies today. There is no going back. And yet its really a very young industry. Microsoft is a leader in this industry on a global basis, [but] as a company is only 27 years old; quite young relative to I expect many of the companies operating here in Thailand and in this room today. And yet, we increasingly recognize that we have an almost corporate social responsibility now, beyond our normal business responsibility, to deal with these questions of how do we make the computing intelligence communications infrastructure more trustworthy?

Two and a half years ago I started an activity called Trustworthy Computing at Microsoft. It had four pillars that held up the concept of trust. One was security. The others were privacy, reliability, and, ultimately, business integrity. Our analysis showed us that unless you can address these things in some uniform way, at the end of the day people will not trust these computers. And that basically would be a significant loss, not for us as a business, but given the importance that information technology plays, I mean, its leverage in productivity within our society, not only in business productivity, but increasingly in entertainment, communication, education, health care; there really isnt any aspect today of business, science or life that wont be affected hopefully beneficially — by the advent of these technologies. So it leaves us with a real challenge today.

This whole industry, unlike Ill say the printing press, or even electricity or other things, which were developed and evolved and affected the global society. Typically, over a period thatll ranged from Ill say 100-300 years, you have a technology here that was really only invented nominally 50 years ago. And in a very, very short amount of time has had more of a pervasive effect on the global economy and society then perhaps any of the others. And so an unfortunate byproduct of that is that many of these things were evolved at a time where neither the developers nor the users really thought of them as critical infrastructure. They just thought of them as a tool to improve their business or improve the efficiency. In many cases these technologies were adopted first by a grass-roots acceptance.

When people were offered the opportunity in the early 80s to buy a personal computer, put it on their desk and use it to do word processing or spreadsheets, there was no edict from Mt. High that said, Thou shalt go out and do a spreadsheet. It was just something that was very useful to people, and tens of millions of people took it up and brought it into the company. As such, it created a new platform that ultimately was used in very diverse ways. But this process, though, of offering new capability, having essentially a grass-roots mechanism that usually gets adopted broadly and then it is adaptatious to a broader array of problems, has resulted in a situation where a lot of remedial work has to be done to address these questions of security.

Increasingly there is a tension between security and privacy. Interestingly, I started this activity at Microsoft about the same time George Bush became president, which was before 9-11. And if you think back at that point in time, there was a lot more focus, particularly in government communities, around the question of privacy and how information technology was impinging on peoples privacy than there was about security at the time. The Internet and the problems associated with it were just nascent at that point in terms of viruses and other things. And yet the societies of the world were largely in a stable, fairly happy environment and people were increasingly thinking about their personal securityI mean their personal privacymore than they were about their personal security.

But it was a very rapid transition for us, certainly post 9-11, where it became clear that these infrastructure things had to be addressed. And then as the Internet began to be more and more a tool for hackers and people who were seeking malicious mischief with all of our computer systems, then we realized that we had to dramatically ratchet up our focus on security as well.

So, for the last two years we have done, for us, some fairly dramatic things. It was two years ago this month that I intervened with my colleagues on the Management Committee and we actually stopped the development and, in fact, stopped the shipment of one of our major new products that had been in development for three years. And we did that because we said, Look, were going to change the standard within our company for what constitutes sufficient scrutiny relative to these security requirements. And, of course, the first reaction was, The developers would really hate this, and the customers would be upset because they had been promised this new capability but we were going to delay it. And I said, Trust me, everybody will be happy that weve done this. And indeed that was the case, it was a very, Ill say, successful experiment. So successful that we ended up ultimately directing in the last 15 months virtually every product [inaudible] at Microsoft to stop development, take all their people, put them through these special training sessions related to security practices and security design to instill new processes of tracking and control relative to how we develop our technologies. And then to restart the development activities and to hold ourselves internally to this newer standard.

When I think about security and computer and network security, the best way I can explain where we are in this evolution is to do it by analogies to what we all understand as epidemiology and public medicine and health. Today the computer world is really dealing with the threat of epidemics. And yet we havent really learned as much as the health professionals have about what it really takes to control epidemics when they occur. In essence, were at the early stages of medicine where we just sort of invented antibiotics, and when you get sick we give you some medicine to fix it, pretty much after the fact. And thats, of course, important, because not all diseases have broad reach and people are going individually with problems. But at the end of the day you have to be able to remediate things that are not well. But one of the things weve learned now as weve monitored these new classes of attacks is that there are, in fact, a few classes of global disease. And for these the analogy is, you want to have vaccines. And you want to have some way of delivering these things on a global basis. And so just 10 days ago we made some announcements about what we will focus incrementally on in the next few months and deliver early in the next year, which are a new class of tools to address computer and network security.

The one thing youve been able to do is to identify four or five specific classes of attack vectors that seem to be prevalent either as a function of a way software has been developed, not only by Microsoft, but pretty much throughout the world for the last 20 or 30 years, and also some attributes of the Internet as it exists today, and until it is also advanced beyond its current state, that are likely to continue to produce a lot of these failures, or falls. First, we want to have say for networking itself. We have to intervene more in this connectivity than we have in the past. Microsoft is changing all of the default configurations of our products in a very aggressive way to minimize the attackable surface area and to change the default configurations to essentially have a maximum shielding effect. And thats really antithetical for the way the company grew up. Our business success originally translated from being able to add new features and offer them to the community at large, turn them on, let them discover them and become happy to use them. But that resulted in a very large array of products that were deployed, without any real conscious idea of whether the features were used or not. And that lack of administration ends up leaving a lot of latent potential attack [inaudible]. And that has largely been whats been exploited in the most popular viruses and worms in the Internet in the last few years.

In addition, we recognize that these things have to be centrally managed more than left to individual chance. In essence, we have to have ways of controlling within the society, if you will, how people address these problems. One of the things that we do in health, and, for example, if you look at the SARS epidemic this year, as an example, they realize its not only important to be able to identify that somebody was sick, but if the diagnosis said they had SARS or was suspicious of SARS, then we quarantine them. And thats the key idea in epidemiology, [that] what you want to do is reduce the rate of reinfection. That if you can get that to be less than one person infects one more person, then by definition, the disease will vamp out quite quickly. The problem weve got with the Internet is its the ultimate efficient mechanism for spreading things and spreading them very quickly. And so now we have to be much more aggressive in intervention, in quarantining and being able to take machines, or even perhaps parts of the network, that are sick or under attack and be able to segregate them. And I think there will be more effort to do that.

Clearly, electronic mail is now prevalent throughout the world and we need to have cipher mechanisms for doing that. And so were doing a lot of default settings of our products and producing new mechanisms that make it much, much harder for people to have malicious attachments affect their e-mail.

Browsing, which has been essentially the vehicle which has driven the Internet into broad adoption as the new computing platform also was a very open and free environment, and the scripting and controls that people are able to embed in that environment have also been the source of a great many of the network and computer security problems. And so much more scrutiny is being applied to those things. Were adding new mechanisms including in the future new machine hardware that will actually analyze execution of programs in real time in order to be able to stop some of the traditional mistakes that have been embedded in many programs, both by Microsoft programmers over the years as well as other people, and these will take whole classes of attacks and eliminate them.

And then finally were moving to a lot more of what we call perimeter inspection. The idea that you can establish some boundary around your enterprise. It wants to be a place where you can examine the health, if you will, of the machines that are going to be involved in your corporate network. Today Microsoft has had for some time a system where if you take a computer and you attach it to our network, whether its from my hotel room in Thailand or anywhere else, the first point of attachment automatically quarantines my machine. Its been examined, sort of given a physical, and determined whether or not it in fact meets some minimum standards that we consider are required for it to be a safe member of our community. Then, and only when it passes those tests, does it actually gain access to the rest of the corporate network. The tools with which we do that now we are packaging up and are making available to all of the companies that use our technology, and in doing so we hope each of them can move to have similar capabilities that will assist with protection of their network…

There are many new applications of computers. Today I was on a panel talking about intellectual property here at the APAC conference, and so this is a critical concept because its ultimately the way society rewards invention and from that, you know, you get incentive to continue to do R & D. One of the things thats really [inaudible] today is that many of the important assets in an information service economy are not just the tangible goods that are manufactured, the tangible assets that have great value. That is true whether its a formula for Coca-Cola, the formula for prescription drugs, the toad of a Microsoft piece of software, the designs of an automobile. All of these things today are very, very valuable and yet we have never had effective means of protecting them. So one element of security in computer systems that will be enhanced quite dramatically in the next few years is to endow the machines and the software with the ability to be given a set of rules with which you want these intangible assets to be managed and to have that enforced on a global basis as the information transitions from one application or user to another, even from one business to another company or individual. So the general term that we use for this is digital-rights management, and in fact the new version of our Office system, which actually is being announced in the United States tomorrow, on Tuesday, is the first of our products in the business sense to have this capability. It allows you to take any document that you author, and to basically write a set of rules. If Im going to write a speech and I want it to be reviewed by people, but I didnt want it to end up in the newspaper early, you know, today its a real challenge. Somebody could take that, forward it, print it, do whatever they want. In the new world I can actually say, Look, I want this reviewed by the following five people. They can comment on it, they can send it back to me, but they cant print it or forward it. And therefore there is some isolation of that document until I authorize further distribution. And so that is the capability we have in the documents that we product going forward.

Weve already had this capability in software media, and weve been applying it for a couple of years, the protection of media assets. So my [Windows Media music players have been one of the few in the industry that actually honor copyrights and have a way of enforcing people to not pass music around or share it indiscriminately. And that has been the beginning of building a legitimate offering in music across the Internet. I think increasingly you will see this used in both video delivery systems and other media communications environments in the future.

We know that the attacks of both the criminal elements and people that are just curious will continue to be elevated in sophistication. So one of the things that weve been working on for a few years is an architecture that has been agreed upon by a number of companies on a global basis to create what we call X-Generation Security Base for Computing. And here were going all the way back down to the design of the microprocessors themselves, and adding the capabilities that will allow general purpose computers to establish and maintain a chain of trust very similar to what you see done today with things like SmartCard systems. Now today we do trust, in some sense, automatic teller machines, we trust the cable television or satellite distribution systems to a large degree to control the distribution of the media content. We havent really been able to do that in any sense with computers because they are general purpose, and because everything is visible to the expert user. And so increasingly we will change the architecture of the machines themselves as well as the upper tiers of the software in order to not only have these things like management architectures in the products, but to ensure that the chain of trust that they are built upon extends all the way down. What this means is that in the future we will be able to more reliably identify it. In fact, very reliably identify people, programs and machines. And in fact it is those three entities that will interact across the global network and through many, many different devices. Today most people think of computing as that thing on my desk. Maybe talking with that thing in the back room, but more and more youll find that most of the computers in the world today wont even be called computers in the next few years. They will be your cell phone, your car, your television, your game machine, your microwave oven. There will be more computers by and large in those devices, and they will all be connected to the network, they will all be part of this programmable Internet computing environment. If anything, weve already deployed it in society in the enterprise. And so each of these things represents some new issues and opportunities.

Let me just close by talking about where I think our industry is, and how it might affect decisions that youll have to make in the coming years about your own business and the use of information technology.

I have a thesis that says that the whole computer industry in a macroscopic sense moves in long cycles, and if these cycles are driven by ways of innovation that occur in a somewhat independent research and development track. Part of that is attributed by the intellectual common to the university, part by government research and part by industrial research. But at certain moments these things come together in an innovative way and they create a new platform. Arguably the computer industry since its inception, I will say, has only been truly three and a half years. The first year you can think of as the mainframe and the terminal era. The second, the mini computer era, where we began to put these things in departmentally. The third year was the personal computer and client-server computing. And each of those went through a cycle where people first bought the machines for some dedicated applications and then programmed them to be used more broadly. To make it really clear, if you think about how does a personal computer come to be the worlds most broadly adopted computing platform — it was this two-stage process where a few killer applications, and in this case word processors and spreadsheets were so popular that people made personal decisions to apply that computer and put it on their desk.

Once that was there, you know, to the tune of 10 or 20 million copies, people realized, Well, this is a general purpose computer. I should program it to do more. I can hook them all together, I can give it more storage. And so the personal computers value wasnt strictly that it had word processing and spreadsheets. It wasnt that [inaudible] diversity of the applications that ultimately were developed by the worlds programmers that made it so important. So what is the new computing platform and how has it emerged? Well, I contend the new computing platform is and will be the global connection of all of these intelligent devices, of which, things we have historically called the “computers” will just be a relatively small percentage. And whats different about this global computing environment is that it really transcends the historical notion of security boundaries. Today if you wanted to automate something or use computers you largely were constrained to thinking about doing it within the environment of your business. If defying the security parameter, the identity environment in which you were able to manage this. But the Internet is essentially a global trans-national network, and all the devices that are connected to it can now be programmed as if they were one giant computer system. And in fact thats what the industry has been very focused on, including Microsoft for the last few years. And there is a general agreement that that is the next big step. Whats notable about that is that this new platform was similarly established by a grassroots adoption process driven by, again, two killer applicationse-mail clients and Web browsers. And in this period of time there were only, I will say a handful, relatively speaking, maybe a couple of thousand people in the world who had been involved in the development of the popular e-mail clients and Web browsers. And so the question is, What are all the other 10 or 20 million programmers doing? The answer is, Not that much. All right? They are still kind of maintaining or developing things in the model of the client-server architecture that was the last platform. I can say thats a very natural thing, but we are at the end of this confusion phase of the Internet as a computing platform. In that environment it was largely a publishing medium. Everybody put their Web pages up there. Everybody pushes e-mail messages around. But its largely not a world where programming has been very important. That is about to change. In two weeks time Microsoft will hold one of its occasionally held global development conferences. There are 8,000 people signed up to fly in and essentially look at this new computing model, which has been fairly fully established now. There is no question, you can talk to IBM, Hewlett Packard, Microsoft, any of the leading companiesthis new architecture where people will program the Internet at large built on a new programming model thats loosely coupled with construction of applications, which is all about that idea [inaudible] assembly of services as the architecture for computing. There is really no question that thats whats going to happen next.

The reality is, unless you happen to be in our industry, you might not really realize that this change was about to occur. That the next phase will be about, again, millions or programmers writing millions of new applications that in fact are able to do things quite dramatically beyond anything weve achieved with computers to date. This will be because they expanded the security boundary and because in fact they will be presented to you in all these different devicesyour telephone, your car dashboard, your microwave oven control panel, I mean whatever it is, you know, youre going to find a computing present there.

There are many reasons to believe that this will be quite dramatic in its effect because in fact there are lots of new technologies that have come along behind it. We now are right at the point where we can change the users interface to computing from point-and-click and type to talk and computers that listen and speak and even see. These are all things that will happen in commercial products within the next few years. We have microprocessor-based devices that are substantially more powerful than people really realize. You know, this is one of these new SmartPhones, you know, they are on sale in many, many countries of the world. This computer is a little more powerful than a desktop PC was in terms of its CPU performance and memory capacity of a PC in 1998 or 1999. So no one should be confused about whether you can do really interesting things if you just program this as if it was a desktop computer. You just have to have a different interface for the firstthat interface now is essentially voice and not point and click and type. But these are very powerful computers that will continue to be increasingly attached together.

We see new radical forms of wireless connectivity. People now talk about WiFi, but there really are even more radical wireless technologies that are coming down the pipe. To the point where you will be able to have video-rate communications virtually for free between any two devices that are within, you know, a few tens of meters of one another. And, you know, this dramatically changes everything we know about media distribution. It ultimately provides even the potential to have new notions of community networks where the assets are owned by the people who bought the devices and not by the traditional notion of telecom operators. And when you think about the ultimate ramifications of that they can be quite profound.

We have these new trusted computing platforms that will allow us to really depend on the computer to reliably control, manage and distribute information whether it is trade secrets or in fact just audio and video content that needs to be sold. So for us its been kind of interesting to look at the last six months. There have been a number of articles Im sure that youve read them even here in Thailand as everyone else has, even companies like IBM. They have [inaudible] where they said, you know, The industry has entered the post technological period. Its really going to be a time where we focus more on services. The Harvard Business Review had a story that said, It was the end of IT. People in Silicon Valley have been moaning the fact that the IT doesnt matter any more.

The reality is that this is a very natural phenomena when you get to one of these inflection points where you have a new platform that has been established but it hasnt actually been {reached] yet. People start to say, Hey, Ive seen all Im going to see. When Bill Gates and I and others sit around at Microsoft and read these stories and look at the investments that have been made and the things that we think are imminently available, it almost seems kind of funny. Weve never seen society just stop moving ahead, and certainly not in one as young as this industry. And so while we do have many challenges in terms of security and privacy and ultimately these other aspects of trustworthiness in these systems, there is no doubt in our mind that we will ultimately remedy those things. It will require some combination of both technological focus and policy change. The society is going to have to come to the realization that it has as much investment and dependency in these new intangible assets as it has in the tangible world as the past. But Im quite confident that we will achieve that in the course of the next, you know, 10 to 20 years. So it really is with some great anticipation that we look forward to the next 10 years because its a time where programming will be important. Its a very important thing to realize because particularly when you look at the developing economies what many of them recognize is their greatest asset is their people. And if they can train them and teach them, which is a challenge, there is an opportunity now to use this for the betterment of each of these global economies.

So our focus on the policy side at Microsoft is now to try and figure out how we can accelerate the formation and emergence of the local economy and software in every country of the world. And, you know, I think we are going to make some pretty good progress there and we have a lot of programs to try to help in that space.

We couldnt be more optimistic about the impact that technology will have, and IT in particular will have. Were confident we can resolve some of the problems that we all face given the novelty of the global inter-connection, and were very enthused about the impact that the new programmable Internet will have in business and society at large.