Nick Wingfield: Microsoft no more an easy mark for hackers

Once synonymous with vulnerabilities and bugs in its products, the tech giant is cleaning up its act by ramping up security systems as well as eliminating corporate divisions that separated one security manager from the other in the company

Nick Wingfield
Last Updated : Nov 18 2015 | 10:06 PM IST
Microsoft was once the epitome of everything wrong with security in technology. Its products were so infested with vulnerabilities that the company's co-founder, Bill Gates, once ordered all of Microsoft's engineers to stop writing new code for a month and focus on fixing the bugs in software they had already built.

But in recent years, Microsoft has cleaned up its act, even impressing security specialists like Mikko Hypponen, the chief research officer for F-Secure, a Finnish security company, who used to cringe at Microsoft's practices. "They've changed themselves from worst in class to the best in class," Hypponen said. "The change is complete. They started taking security very seriously."

Still, episodes of online hacking have become even more startling, including the theft of personal data from millions of Target customers and terabytes of private emails from Sony Pictures Entertainment (and both companies use some Microsoft products). While Microsoft has not been blamed for the attacks, critics have insisted that the tech giant do even more to make digital systems resistant to breaches and snooping.

Microsoft's chief executive, Satya Nadella, says he is listening. On Tuesday, he delivered a speech to government technology workers in Washington about the importance of security in the technology business and how Microsoft has evolved to confront security threats.

Nadella, in a phone interview, said his aim was to lay out how Microsoft products make it harder for hackers to compromise PCs, and how the company had eliminated the corporate divisions that separated security managers from each other to improve how threat information is shared.

"It's kind of like going to the gym every day," said Nadella, who himself runs about three miles a day. "You can't say I'm serious about security without exercising the regimen of keeping security top of mind every second, every hour of the day."

Talking about security was long taboo in the technology industry. But in recent years, it has become a marketing tool. Silicon Valley companies like Google and Facebook have started to advertise the work they do to secure their infrastructure and customers' personal data, particularly in the aftermath of disclosures by Edward J Snowden, the former National Security Agency contractor who leaked classified information.

Nadella's speech coincides with one of his top business priorities: cloud computing. Microsoft and others in the industry are aggressively promoting cloud services, which means persuading companies to store their corporate data outside their own walls. Analysts have warned that companies that do not take security seriously risk losing corporate customers, particularly foreign customers, to cloud-based services overseas.

Microsoft estimates that it now spends more than $1 billion a year on security-related initiatives, including acquisitions. It acquired three security start-ups in the last year alone, and the number of security employees at the company increased 20 per cent during that time.

Soon after he became Microsoft's chief executive in February 2014, Nadella instituted a monthly meeting with security leaders from across the company. They meet to discuss industry trends and analyse threats.

He also altered how Microsoft watched the internet for hacker attacks, an effort that had been splintered among different product groups and other divisions within the company. Microsoft now pays hackers more when they find and turn over a security hole.

Plenty of bugs are still being discovered in Microsoft's code. But fears about the security of Microsoft's programs have gradually abated. In a couple of recent widespread attacks, hackers exploited weaknesses in Adobe and the Java programming platform, not Microsoft software.

Once an attempt on one customer is detected - say, a phishing scheme, in which hackers try to steal passwords, credit card numbers and other private data through legitimate-looking emails - Microsoft says it can quickly deploy a solution that prevents all other customers on its corporate email services from falling prey to the ruse. Microsoft carried out one such fix to its cloud customers early last year after the Syrian Electronic Army, a group of hackers who support President Bashar al-Assad of Syria, began a phishing attack on Microsoft's employees.

Still, Microsoft has been criticised for not acting fast enough. Last year, a dust-up ensued after Microsoft took more than 90 days to fix several serious bugs in its Windows software that were discovered by researchers at Google. Google went ahead and publicised the bugs before Microsoft had issued a patch, in keeping with Google's 90-day policy, angering Microsoft executives.

Microsoft is also increasingly trying to limit government access to customer information. Microsoft is challenging an attempt by United States authorities to obtain the emails of a customer whose data was stored on a server in Dublin. The company argues that a victory by the government would make it much harder for American technology companies to object when authorities from China or other countries demand data relevant to legal proceedings in their own nations.

Still, Christopher Soghoian, principal technologist of the American Civil Liberties Union, cautioned that Microsoft was not seeking to make customer data off limits to government, only to limit it to the local authorities. "Microsoft sees itself as a good corporate citizen," he said. "They don't want to deliver products that thwart the government."

There is no doubt, though, that Microsoft has made thwarting hackers a priority. Microsoft's latest version of its operating system, Windows 10, has a feature called Windows Hello that allows people to log in to a PC with a scan of their finger, iris or face instead of using a password - weak versions of which are a common cause of data breaches.

"My goal inside the company is to get rid of passwords," said Bret Arsenault, Microsoft's chief information security officer.

© 2015 The New York Times News Service

Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper

First Published: Nov 18 2015 | 9:44 PM IST
