Examination of Witnesses (Questions 261
WEDNESDAY 10 JANUARY 2007
Mr Fishenden and Mr Lambert, thank you very much for coming to
join us. Welcome to members of the public who are here for this
evidence session. First I would like you to introduce yourselves
and then if you wish you can make an opening statement or we will
go straight into the questions.
Mr Fishenden: Thank you, Chairman. I am Jerry
Fishenden. I am National Technology Officer for Microsoft here
in the UK.
Mr Lambert: I am Matt Lambert. I am Director
of Government Affairs for Microsoft also in the UK.
Would you like to make a statement at the beginning?
Mr Fishenden: I would like to make a few brief
opening comments if I may to reiterate some of the points we made
in our written submission in that we see successful combating
of cyber crime and criminal activity on-line as comprising three
core components, not just the technology. We look at consumer
or citizen education, making sure that people are much more aware
of the threats they face when they are on-line and how they can
mitigate those. The technology itself, of course, is constantly
changing and evolving as time goes by and a lot of tools will
be provided to users to help them visibly protect their PC when
on-line. They range from things like anti-phishing filters to
identify if you are going to a rogue website to anti-malware that
tries to prevent spyware and the like being installed on your
machine. The third part is the enforcement, which is making sure
that we are working collectively on prosecuting cyber criminals,
if you want to call them that, criminals who are making use of
the Internet and PCs and the like, so that there are deterrents
to them and people know they will be investigated and prosecuted.
Do you wish to add anything, Mr Lambert?
Mr Lambert: No.
Let me start with the first question. Who do you believe should
be responsible for keeping end user machines secure?
Mr Fishenden: If we go back to the preceding
comments about the three-way relationship, I think it is a collective
responsibility. I certainly think consumers themselves need to
be aware of some of the issues that they face, if you take something
like phishing, where people are perhaps receiving fraudulent emails
claiming to be from their bank, that they understand how they
might identify those if they have managed to get through to them,
or that when they go to a website they look for any visual cues
there might be that that is not really their bank but perhaps
a site that some fraudulent people have set up who are trying
to get hold of their identity information and perpetrate some
fraud against them. You can see that making sure that users themselves
are aware is a core component. There is a lot of work in the UK
specifically with things like Get Safe Online, an initiative which
is a mixture of private and public sector initiatives. There is
a lot of context relevant information that we provide in our tools
and other companies do in theirs so that people are as aware as
we can make them of some of the risks and the types of things
they need to be thinking about themselves. The second part is
the technology itself. That continues to evolve. Every time the
bad guys, if you like, move their attacks onto new elements of
the Internet ecosystem the industry moves on as well and begins
to provide more tools to lock down and protect the PC environment
for users to try and make sure that they are as secure as they
possibly can be without taking away from the users the very benefits
that the Internet is meant to bring. Obviously, you can go to
extremes if you lock down a PC so that it is so secure that it
becomes almost unusable to the user, so there is a balance to
be struck between what the technology can do and how the user
interacts with that. On the legal side we have taken legal action.
Just under a year ago I helped launch in the UK our Global Phishing
Enforcement Initiative. We have taken a number of people to court
around the European area, prosecuting them where they have, for
example, set up a fake Microsoft site, so pretending to be a Microsoft
site, asking people to log in with their user ID details and then
misappropriating them and using them for illegal purposes. If
all three of those are being worked on collectively we see that
as the most effective way of making sure that users have the most
secure experience when they are on-line.
Does Microsoft accept ultimate liability for the security of machines
running its software, and, if not, how do you engage with retailers,
security practitioners and end users in keeping machines secure?
Mr Fishenden: We provide a range of tools, as
I have mentioned, anti-phishing and anti-malware, and a variety
of our partners do as well, and users are free to choose whether
they want to use Symantec or Norton or any of the other tools
that are out there and we make sure our platform offers that choice
to users. In terms of whether the user decides to use them, that
is obviously their choice. We always recommend that they do, that
they look to protect themselves as best they can. There are issues
that occasionally come up. If you take the example of parental
controls, which attempt to secure the on-line environment for
younger children in the household, sometimes if they are not configured
properly people find that they become so intrusive into their
Internet experience that they end up switching them off, which
obviously is not desirable but there is an interesting trade-off,
if you like, sometimes between security that people want to put
into place and the practical experience of using some of those
tools and how intrusive they can be into people's daily experience
of the Internet.
Q266 Lord O'Neill of Clackmannan:
With regard to the tools that are incorporated in the next generation
of Microsoft Windows, to what extent are those reflected in the
increased cost of the next generation of Windows? Is cost a factor?
Is it reflected in price or is it absorbed by you?
Mr Fishenden: For each generation of software
we release to market substantial research and development goes
into it. Typically each year we are spending something like seven
to eight billion dollars on R&D. Generally when we bring a
new product to market it is priced in accordance with the investment
that we have put into it. To be honest, I am not a licensing person.
I am not precisely sure what the formally announced list price
is in the UK. Generally upgrade prices are already in place on
pre-installed machines such as Dell and Compaq, and the others
are reasonably consistent from one generation of Windows to the
next. People have the choice of staying with their existing operating
system and existing Windows applications or they can decide that
there is sufficient reason why they would want to move to something
like Windows Vista. Obviously, we think there are good reasons
why you would want to move, and not just for security. There are
many other features in Vista that perhaps are not relevant to
today's inquiry, but we exist in a market place. People vote with
their feet. They can see different parts of the market. People
make different decisions. We have made available media players
for years and Apple comes along and does a very good job with
the iPod, for example, in that particular market. Consumers are
very quick to decide whether what any of us offer in the market
place is a product that they want to choose to adopt or not.
Q267 Lord O'Neill of Clackmannan:
If I were going, as I was a few weeks ago, to get a new computer
for our house and I was incorporating the latest Windows into
that, would you make available to salesmen the kind of information
that I have just asked you: how much more am I paying this time
than the last and how much of that is accounted for by additional
security? I accept that it is required but I think one is always
a wee bit curious, given your market dominance, as to the extent
to which you might be exploiting your market dominance when you
are selling additional products.
Mr Lambert: I think, Lord O'Neill, that there
is not a huge difference, if any, in the price increase between
XP and Vista. The honest answer to your question is that I do
not think the salesperson in PC World or Dixons is going to be
able to answer that question. It is not an easy question to answer,
but I think overall the answer is that the cost of these improvements
is absorbed over time and the cost does indeed, as Jerry Fishenden
has already said, reflect the huge cost in research and development
that goes on over a number of years, as he said, about seven billion
dollars a year.
Q268 Baroness Sharp of Guildford:
Can you tell us how far these tools are available as updates for
those who do not shift from one operating system to another? For
example, I updated my computer about 18 months ago and I am on
XP and would not expect to update probably for another 18 months
on my home computer. Does the updating that I download automatically
from Microsoft include these anti-phishing tools and so forth?
Mr Fishenden: Yes, it does. Windows XP is fully
capable of downloading the anti-phishing tools, anti-malware detection
and removal tools and the like. The new version of Internet Explorer
is available as well, which has anti-phishing tools in it, and
there are other facilities to help users. There are one or two
minor differences between the way those tools work in Windows
Vista and in Windows XP because of the new security features,
but you as a Windows XP user can get the vast majority of those
components freely downloadable from the Microsoft update site.
Overall would you say that Microsoft software is secure?
Mr Fishenden: It is part of a complex eco-system.
I think any piece of software is inherently a complex product
that is designed to be very configurable by the end user. They
can choose how they want to use it in many different types of
environment and situation. They can add on many different thousands
of third party hardware devices and many thousands of different
applications that people make available. We are doing the best
that we can to make sure that the core platform of tools that
we ship to users is as secure as we can possibly make it. Over
time, of course, we will continue to get feedback and information
from police and other agencies about the way people might be trying
to exploit the platform. We ourselves monitor the way that people
might be trying to attack our platform and its applications, and
we learn from that and try to make available back to our users
products that then address the issues that we have highlighted.
Some open source software, such as Red Hat Linux, is shipped with
built-in firewall protection, and that has been the case for years,
I believe. Why is Microsoft only now following this route?
Mr Fishenden: We seem to be between a rock and
a hard place with this. If we slowly extend our platform and put
more and more features in it to help our users, some of our competitors
say, "That is a core business that we were building up".
There have always been third party firewall providers for the
Windows platform and many of those companies have made very successful
businesses out of it. We took a decision as of Windows XP SP2
to build some core firewall functionality into those products
because we were aware, based on the information we get back from
the police and other people, of the types of attack being made
on this platform and we wanted to make sure that at least the
core shell, if you like, of Windows was as secure as it could
be, but we have been very cognisant of the fact that there are
third party companies making their own products that they want
to sell in the market place to Windows users and that we need
to design the platform in such a way that end users can choose
to push off those features we provide and enable their choice
of firewall or other software, such as anti-phishing software.
Q271 Lord Harris of Haringey:
But until about two and a half years ago the firewall default
was switched off.
Mr Fishenden: Yes, that is true.
Q272 Lord Harris of Haringey:
Mr Fishenden: A lot of this goes back to usability.
Over time we have moved more to the default position of putting
security on, partly as people have become more educated. There
is an issue, and it is the parental controls example earlier on,
whereby when you try and lock down certain features of the platform
people do have to have a better understanding of the way the software
works. Typically I can see that when I am talking to my neighbours
about the types of issues they have, say, in setting up wireless
networks. You begin to understand some of the issues because if
people need to go and open up ports on their firewalls to get
certain things to work there are issues of user education, which
is why I made the earlier point that there is quite a careful
balance between the tools we make available and the defaults we
put on those and the consumer understanding then how they can
use that platform securely when they are trying to access the
Internet and set up a home network or maybe share files between
different PCs in their home environment.
Q273 Lord Mitchell:
Is the practice of selling software "as is", warts and
all, still an acceptable practice? Should you not be making your
software much more fit for purpose and taking legal responsibility
for the damage your security holes cause?
Mr Fishenden: I would contend that we are making
our platform as secure as we possibly can within the complex nature
of software. Our third party partners are working with us as well,
so if you take the example of Windows Vista, we have been working
for over two years now with third party anti-virus providers and
the like so that we can provide users with as secure an experience
as is humanly possible with these very complex pieces of software.
There is a broader issue. By analogy you talk about the physical
world. People do not tend to immediately look for liability towards
lock or window companies because houses are still being burgled.
The tendency is to want to blame the perpetrator rather than the
people who are the victims of those types of assault. When you
look at software, which is inherently more complex than a lot
of the physical world, I do not really see why the same example
would not apply whereby you would be after the perpetrator.
Q274 Lord Mitchell:
How do you measure security? You say things are getting better.
How do you internally measure security?
Mr Fishenden: Five years ago we adopted something
known as the Trustworthy Computing Initiative which took a lot
of people out of development, about 8,500 developers in the US,
in order to look through very specific secure coding programmes,
and the true measure of what we have achieved is in the statistics
of monitoring the number of vulnerabilities on our platform over
time and by specific product over time compared to earlier products.
There has been a dramatic reduction in the number of security
vulnerabilities on our platform which to us is a reflection of
the progress we have made under the Trustworthy Computing Initiative.
Of course, there is always progress to be made. Every time we
tackle a particular security issue or vulnerability the hackers
out there and other people are constantly moving forward and finding
new ways of attacking the platform.
Q275 Lord Mitchell:
I suspect I know how you are going to answer this question but
I will ask it all the same. Is it fair to say that Microsoft has
been more concerned with establishing market dominance by rushing
out operating systems than they are with ensuring that their security
and fitness for purpose exists?
Mr Fishenden: I guess I would almost take the
opposite view. We have been waiting five years for Windows Vista.
I certainly do not think it is true that we have been rushing
out new operating systems without due account of security. In
fact, one of the reasons it was delayed was that, when we took
all of those people out of developing new products such as Vista
and put them through a rigorous training exercise on the secure
codes, we then released a pretty major update to Windows XP, which
was mentioned before, a service pack which was deliberately designed
to put in a lot of additional security features and that included
things like the firewall being on by default. There is a lot of
debate about that in the industry, about whether it should be
on or off by default. I think we have shown due diligence, if
you like, and have not just been stampeding endlessly towards
new operating systems and getting them out of the door before
they are ready. I think we have paid a lot of attention to our
existing users, trying to make sure they are happy with the existing
gear, and that Windows Vista, when it comes out, is the most secure
operating system we have.
Q276 Lord Howie of Troon:
Microsoft has been in dispute with the European Commission for
some time on anti-competitive grounds, and last year made changes
to the Vista operating system which was alleged might have prevented
competitors' security software from running. There has to be a
balance struck between security and open competition. Where do
you think that should be?
Mr Lambert: I think there has to be essentially
a balance there and, as Mr Fishenden has already said, we believe
that Windows Vista is the most secure version of our operating
systems that we have ever produced, but within that you have to
accept that consumers have to be given an absolute choice to load
whatever other security software they want to put onto their system
and that manufacturers of PCs and hardware can also ship PCs loaded
with Vista with other people's security software pre-loaded on
it when the consumer buys the PC for the first time. That is a
critical principle that we have accepted all the way along and
have always tried to build into our operating systems. One of
the things about Windows is that we work with manufacturers and
all sorts of other software applications to try and give them
as much information in advance as we can so that they can build
good applications ready for when, for example, Vista launches
to the public market in a few days' time so that they are ready
to go with some of those software applications that are sold with
new PCs as they go out of the door after the launch at the end
of January. That was the approach that we took and when we were
sitting down with the Commission, as you rightly say, we were
discussing a number of these issues and we have been in dispute
with DG Competition at the European Commission for a number of
years in a case that will be resolved when the Court of First
Instance gives us a judgment some time later this year, we think,
to our appeal against the ruling from the European Commission.
When we look at a new system what we want to do is move beyond
that. We do not want to spend more of our time arguing with competitors
and competition authorities. We try to work with them as closely
as we can and listen to what they are saying, and we try to respond
to that within the grounds of producing products which our consumers
find in this case safe and secure. What we did there was that
we sat down with the Commission and said, "What is the nature
of these complaints?", and there were a couple of areas that
came up, some of which were nothing to do with security, but on
security we listened to what they said and we produced a number
of what we call APIs, application programme interfaces, which
we shared with any of our competitors so that they can work with
our system and produce their security products effectively with
Vista and satisfy their concerns. We are very happy to do that.
What we are trying to do is move into an area where it is more
a matter of discussion and agreement rather than sitting before
judges in Luxembourg trying to debate the ins and outs of our
different efforts to comply with the law. That is where we stand.
I think what the consumer is getting is the best of both
worlds. They are getting Windows Vista with the most secure operating
system that has ever been available, plus they are absolutely
free to choose anybody else's security software which will work,
we hope, very well with Windows. It is designed to work well with
Windows, and we work with them to make sure that it does. For
example, one of the areas which was a matter for debate was the
Windows Security Center. The Windows Security Center, as I say,
is essentially a dashboard at which you can check which security
software is running on your operating system on your PC. Some
of our competitors were concerned about whether that would potentially
favour some of our security software. In fact it does not; it
is absolutely neutral, and what the Security Center does is just
tell you if there is a problem with somebody else's software security
or with ours, so you can see immediately if there is any issue
there and resolve it. That is essentially what we are trying to
do, that is, all the time build a neutral operating system which
others can work with very easily and consumers can get a good
deal on in terms of the Microsoft software that they are using
and other people's software on our system.
Q277 Lord Howie of Troon:
That was a very full reply. Do you feel that you have met the
Mr Lambert: We believe that we have. The Commission
always has a right to make its own view known on that and come
to its own conclusions and, if it does not feel that we have done
that then it will, I am sure, tell us. What we are trying to do,
as I said earlier, with the Commission is work with them on a
basis of co-operation so that, rather than going back before the
courts, we would ask them, "If you do have concerns about
this, what we have done, or other things that you might want us
to do, come and tell us". We are in a process of constant
dialogue with the Commission anyway. If they tell us we will listen
and if the objections or requests are reasonable we will do our
best to comply with them.
Q278 Lord Howie of Troon:
Why has the dispute gone on so long?
Mr Lambert: You are probably aware that the
legal process in Europe, when you are going before the Court of
First Instance, just takes a very long time. These are very complex
issues, so when you are discussing them with the Commission experts
are poring over them, sometimes other competitors or interested
parties are raising issues. These are all complex matters. There
have to be public hearings sometimes. It does take a long time.
There is some frustration on our part. We have been before the
legal process in Europe for eight years now. It is a distraction
and one would hope that in an ideal world it could be settled
out of court much more quickly than that.
Q279 Lord Howie of Troon:
So none of the delay was your fault?
Mr Lambert: I contend that we have tried to
comply with everything that was asked of us in terms of supplying
information as quickly as possible, but it is a fact that if you
take an appeal to the Court of First Instance it takes a long
time. We gave evidence at a hearing back in April. We are still
waiting for the judgment from the Court of First Instance. These
are complex matters. The judges have to look into them very carefully
and it takes a long time.