Click Here to Install Silverlight*
United StatesChange|All Microsoft Sites
Microsoft
PressPass - Information for Journalists 

Remarks by Bill Gates, Chairman and Chief Software Architect, Microsoft Corporation
Technology Trends Conference
Co-sponsors: Center for Strategic and International Studies, Information Technology Industry Council
Washington, D.C.
June 25, 2003

BILL GATES:  Thank you.  It's great to be here and I think it's a very timely gathering, talking about the issues of security and how the new Department of Homeland Security is going to take a lead role in addressing some very tough issues.

One hundred years ago today, Eric Arthur Blair was born in India.  Most people know him by his pen name, George Orwell.  In his book, "1984," he painted an apocalyptic portrait of a world where technology was a force for repression, where it led to less security and less privacy for individuals trying to escape the ever present eye of Big Brother. Now, Orwell's vision didn't come true and I don't believe it will. A point I'd like to make today is that in the conversation America is having about homeland security, information technology will be a force for more security and more privacy; for freedom and for freedom from fear at the same time.

I'm honored to be here today and glad that both ITI (Information Technology Industry Council) and CSIS (Center for Strategic and International Studies) have joined together to address the important topic of information technology in homeland security. For those of us in technology, we remain vigilant about how governments could use or misuse technology.  But we also have a new and growing concern about how those trying to destroy our government and our way of life could use the tools of technology against us. The very technologies that connect us and bring us closer together could be exploited to drive us apart.  We worry not only about weapons of mass destruction, but also about weapons of mass disruption, ways to bring down our financial, government, military and other computer systems.  This threat is real. The question we face is: Will the continuing threats to our security and privacy lead us to retreat from the use of information technology because it introduces new risks, or will all these threats advance our technology and make us stronger than we would otherwise be?

We at Microsoft take the optimistic view. We've cast our vote that we can't retreat from innovation out of fear, but neither can we ignore the dangers we face. So today, I'll spend a few minutes talking about the challenges and opportunities offered by information technology in the realm of homeland security and our commitment to working with the government and the entire industry to build a more secure computing infrastructure here and around the world.

2001 was the first year of what I like to call the Digital Decade.  This is the decade where computing technology will go from being an add‑on, overlaid on our normal activities, to becoming part of the fabric of our everyday lives. It's during this decade that the way we deal with photos and music and calendars and business information will all go digital.  The devices we use will be far more natural.  We can use ink to write notes, to annotate articles.  We'll be able to use speech to navigate software systems in a very natural fashion. This technology is moving forward faster today than ever before: wireless networks, high-resolution screens, and the magic of software that makes these the most empowering tools that we've ever created.

Now, we need to bring that benefit to that empowerment without any of the negatives, particularly in the areas of security and privacy.  More and more of the computer technology we come into contact with is in the form of specialized computers: the kind found in mobile phones, gas pumps, cash registers. These systems actually use the majority of all microprocessors produced today and they're taking on more and more PC‑like characteristics, where you're accessing your important e-mail.  And they're communicating seamlessly with their traditional PC counterparts.

And so, the same issues that exist on the PC will exist on all of these intelligent devices.  Using these devices together will lead to a fundamental change in the way we think about computers.  Using them will become like using electricity when you turn on a light.  Like electricity, computers will play a role in almost everything we do, but computing won't be something we think about as a discrete experience. We will be focused on what we're doing with the computers, not on the devices or the software itself.  But today, in spite of this increasing role of computing technologies in areas like global commerce, air traffic control, rich electronic mail, we can't take computers for granted because we don't completely trust them.

Many people see a bright red stop sign when it comes time to enter personal data into their computer. This ends up having a chilling effect on the growth and dispersal of information technology.  The interconnectedness that makes the technology so potent and powerful needs to be built on trust. At a time of increased uncertainty about homeland security, computers must be available wherever and whenever we need them.  They must reliably secure personal and corporate information, and give people and organizations control over how their information is used. When problems do arise, they must be handled efficiently and predictably by all the software that runs on these computers.  The elements of security, privacy, reliability and business integrity are at the heart of an initiative that Microsoft calls Trustworthy Computing.

Our commitment to Trustworthy Computing involves every part of the company.  It's become the top priority in all the work we do.  Last year, we had all 8500 Windows developers move away from developing new features and spend months doing nothing but reviewing the security of their code and reducing the vulnerability of that code. The cost was hundreds of millions of dollars and the engineering work moved out the release of our recent Windows Server 2003 product by over six months.  But we know that that was a very appropriate step.  It was a critical step to secure the security of the key software platform.

Not so long ago, most people paid little attention to cybercrime, but today, there's a broader recognition that IT security is a vital element of homeland security.  Many of us experienced, directly, the effects of viruses like I‑LOVE‑YOU or Code Red and Nimda and the attacks that have taken place against all software platforms. The estimated damages of those attacks are very large, but an assault against the backbone of one of our nation's critical infrastructures -- for example, the use of software to drive energy, water systems, communications systems, financial markets, transportation systems, health systems -- any one of those would disrupt Americans' physical and economic well‑being and have a far broader worldwide impact. In each of these areas, it's the information systems that have become fundamental.  And so, preventing cybercrime is no longer a secondary consideration; it's central to the issue of security. 

We face a problem that this combined global connectivity, anonymity and lack of traceability quite simply make it hard to locate the criminals operating online. In addition to making it easier to identify who is operating online, we must build higher walls and stronger vaults, and government must continue to step up the priority given to this kind of crime while protecting the privacy of consumers.  Otherwise, the fact that most cybercrimes are never solved presents an open invitation to hackers, identity thieves and spammers who are scammers.

We recognize our responsibility to ensure the security of our products, and Trustworthy Computing can be boiled down to three key goals: secure by design, secure by default and secure by deployment. The secure-by-design piece means continuing to create tools that make our code not be vulnerable to security attacks.  We are training our engineers in new methodology and we're creating new tools and we're making security everyone's number‑one priority, even when that takes more time to ship a product.

Secure-by-default refers to the idea that computer software should be secure out of the box, whether it's in a home environment or an IT department.  This means that the features that have been armed by default in the past will often be off, allowing people to configure their systems appropriately, in a secure way, for their unique environment. Secure-by-deployment means making it easy for consumers and IT staffs to always have the up-to-date software.  And so, the problems are fixed before they develop.

I want to be clear that these goals aren't just a corporate mantra.  A good example of this is that, as we've sat down with our developers and been talking about security, we've been asking people, are they personally committed to this goal. A vice president and I recently asked a large group of developers which one of them felt that security was their personal responsibility.  And I was pleased that everyone in the room stood up in response to that.  Now, they saw that now as the thing that will measure the software work we do in the future. Trustworthy Computing is an ongoing effort where we are always learning and improving.  The reaction of those employees show that that's really becoming part of the culture, part of the way that we value our work.

Now, further progress can't come just with the efforts of one company.  And so, we're working in partnership with industry and government leaders to make this Trustworthy Computing goal something that's embraced by the entire industry. We need stronger standards.  These standards can help us get out of the defense mode and get into a mode where we prevent, detect and deter and when necessary, respond by using technology as a tool against cybercrime and potential cyberterrorism.

This challenge is one of many now facing the new Department of Homeland Security.  We supported its creation and we welcome its focus on cybersecurity.  One of the first steps for the department is building a truly seamless communications network, something that will be fundamental for its mission. Information‑sharing across law enforcement organizations at every level of government may represent one of the most significant cultural and technological challenges our country faces in making the country more secure.  On the morning of September 11th, New York City police helicopter pilots reported to their officers down below that it looked like the Twin Towers were going to come down. They didn't realize that the firefighters on the inside had radios that were on a different frequency and so, they couldn't hear the warning.  So, integrated communications systems that seamlessly connect everyone can save crucial seconds and that means saving lives.

It's important to note that government organizations are making progress today by embracing technology and breaking down the barriers to sharing information.  They recognize that if we don't have the systems that talk to each other, we are not as safe and secure as we could be. This must be a high priority mission for all of us and for all levels of our government and I've been encouraged by a number of early successes achieved by using tools and technologies they already own in an innovative fashion.

One of these successes is the Regional Automated Integrated Network or RAIN.  On one level, RAIN is the use of technologies, built using our software, deployed to share information between law-enforcement agencies in a particular region. On another level, though, RAIN is evidence of this heightened spirit of cooperation and commitment among law enforcement agencies to access multiple criminal databases from a single secure web page. This system allows police officers to search for event information on specific people and vehicles, and they can choose which agencies they wish to include in their search. Access is governed through a memorandum of understanding signed by each participating agency and we see this expanding one town, city, county, and state police department at a time. It's a powerful tool for law enforcement, but unless this system is properly connected to the entire Homeland Security command structure, the potential will not be fully realized.  We're proud to be involved in the effort to connect a significant portion of the federal homeland security community into a national information‑sharing and intelligence‑analysis network.

Already, we're seeing some results of this work.  I'm confident that the different prototyping efforts going on, from a variety of different vendors and partners, will help achieve the full level of integration that's needed.  The result will produce an intelligence‑sharing capability that represents the best work of industry and government.

It's important to remember that the homeland security technology mission does not stop with just bridging the intelligence gap.  The industry also has to provide solutions to the federal government for other efforts. For example, in alerts and warnings, response and recovery from potential terrorism events, and providing command and control capabilities for every level of the national homeland security network.

We also recognize that our homeland security responsibility doesn't stop at the water's edge.  This is a global threat and it requires a global response. A virus attacking our federal government's infrastructure can be launched from Berlin as easily as from Bethesda; from South Africa as easily as from Northern Virginia.  We may have different homelands, but the nations all over the world have to mount a common defense.

         

This technology can make our country more secure and prevent the nightmare vision of George Orwell at the same time.  Orwell didn't anticipate how technology can be used to protect privacy. The fact that technology can protect both security and privacy by protecting the computer systems and the information on them is a positive thing.

The work is ahead of us and one of the pieces of work is a technology we call Next Generation Secure Computing Base, or NGSCB.  We're working with a variety of hardware and software partners to provide this level of protection against future viruses, threat from hackers, or anyone seeking to acquire personal information or digital property with malicious intent.

Another new advance that's important is called rights management technology.  This enables people who send information over the Internet to place limits on what can be done with that information: whether it can be printed, who it can be forwarded to, how that information is maintained. From information on suspicious individuals, or medical records, or an advance text of, say, the next Harry Potter book, rights management can give people confidence in sharing information while limiting its spread. It can help law enforcement track down those who threaten our citizens without threatening the civil liberties by helping ensure that when law enforcement investigates, the private information it obtains can stay private, protecting both the security of the investigation and the privacy of those involved in the investigation.

And while Microsoft is mostly focused on these technology advances, we appreciate the need for policy and process advances in establishing and protecting privacy.  We follow the Fair Information Practices which commit us to a very high privacy bar for handling privacy data.  We voluntarily apply these standards and we train our employees aggressively to make sure our workforce is sensitive to the issues surrounding the collection, use, and sharing of such data.

An example of where we are exercising policy, process and technology to raise the walls of privacy is in the area of illegal spam.  More than just an annoyance, spam is a concern for parents and a significant operational expense for corporations. I may receive more spam than any other individual.  Some of it is -- perhaps the President gets more, but, you know, some of it's kind of intriguing.  You know, offers to cover all my legal costs for a few dollars a month, offers to help me get out of debt and no longer have any financial worries.

But unfortunately, the volume of spam makes it more than just a humorous situation.  It's actually reducing the value of electronic mail systems and many people not only are wasting their time digging through this spam, but they're also sometimes missing real mail messages that would be of value to them.

Microsoft is very serious about this problem and all its dimensions.  Just last week we took action against 32 spammers, filing court actions to stop the things they're doing.  We're also working with partners like AOL, Yahoo, and Earthlink to promote industry standards, guidelines, best practices that will help curb spam.  And we're basing some new technologies based on breakthrough research that help automatically identify, and therefore, eliminate spam.

Through these kind of efforts, we're moving the dial up on security and privacy, but we can't succeed if we pursue them alone.  Like so many other areas, cybersecurity and privacy require partnerships and these partnerships include reaching out to government to make sure that the policies are appropriate.

Let me take a moment to speak about a few areas where new federal policies, we think, will be important. First, there's the whole area of certifying software and the quality of the software.  Historically, the late Commerce Secretary, Malcolm Baldridge, was honored by having a quality award named after him.  Some people in the homeland security area are considering whether a similar award for enterprises that develop high quality security solutions would be appropriate. We think this is a good idea.  We're happy to support the government as it thinks this through and implements this visible incentive to drive best practices.

Another area: we think that public research and development will play a vital role in advancing the IT industry here.  And so, we support additional federal cybersecurity R&D funding.  It's important that this technology be available under permissive licenses so that industry can take the technology and further develop it and commercialize it to make all software more secure.

There are many threats to the hopes and dreams we have for the future.  Some of these can be addressed with technology and some can not.  We believe information technology can be a powerful tool to defend and secure the nations of the world which seek to guarantee basic freedoms.

At Microsoft, we are committed to doing all we can to make these tools useful and strong.  We're committed to working with governments to find hackers.  We're committed to making it easier for programmers to write secure code.  We're committed to shipping products that are more secure with every release. We're committed to pursuing international security certifications on all of our eligible products.  We're committed to working with government and industry to build a secure computing infrastructure both here and around the world.  We're committed to cracking down on illegal spam.

And finally, we're committed to doing this work in partnership, driving towards this goal of a more secure homeland.  We will continue to translate that commitment into action in the months and years ahead.  This is a very exciting priority for us and a great use of advanced software technology.  And we're pleased about the partnerships we're developing already in this area and those that we're driving forward to solve this top challenge.

Thank you.

  

© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement