Monday’s announcement of Panos Panay (the former leader of the Windows and Devices division) leaving Microsoft got me thinking: what’s next for Windows? Where will Yusuf Medhi (his replacement) lead the product?
My hoped-for answer: making a secure version of Windows!
It’s no secret that Microsoft is significantly lagging in the actual security of their software products, despite bragging about making more than $20 billion of revenue on cybersecurity solutions. Many reports put Microsoft software as more vulnerable when compared to Apple’s Mac and iPhone product lines.
When was the last time that you heard of a hack against Microsoft Windows? Pretty much daily. Now what about the iPhone? (Ironically, there was one earlier this month, but it’s far less prevalent).
It does seem strange that Microsoft would brag about the size of its cybersecurity business—particularly when you think about how big that business would be if Microsoft’s software offered the same level of security robustness as Apple’s. Would they actually make less money? To paraphrase an old comedy sketch by Monty Python: “That’s a nice copy of Windows you’ve got there. Would be a shame if anything happened to it…”.
On the flip side, Microsoft has been truly impressive regarding the speed and comprehensiveness of their adoption of Artificial Intelligence (AI) technologies across their entire product line (most recently with Windows CoPilot)! This is refreshing to see, and it does suggest that if Microsoft were willing and put the same level of focus on cybersecurity, they could single-handedly eliminate a huge portion of cybersecurity issues that plague the world today.
AI and Cybersecurity
The time for Microsoft to act is now.
Left unchecked, AI technologies are going to vastly exacerbate the cybersecurity problem—cyberattacks will increase in frequency and severity. For all of my readers, however good you think your cybersecurity is in your company now, it’s not good enough for the coming years of AI-powered cyberattacks.
The rationale is simple: just as AI has shown dramatic improvements in the productivity of software engineers, those same productivity gains can be helpful to cyber attackers. In many ways, the productivity of hackers has increased even more than the productivity of legitimate engineers. The hacker only has to be right once, the defender can’t ever be wrong. The economics greatly favor attackers.
Traditionally, one of the most expensive and time-consuming parts of constructing a cyberattack has been analyzing the victim’s software (such as Windows) to find an exploitable weakness. But what used to be complex is now simple. That analysis can be done at scale and extremely quickly by using AI engines to analyze software.
It’s stunning how good AI is at finding cybersecurity issues, and many software developer tools are rapidly adopting AI (such as the tools made by my company). When used legitimately, these tools are fantastic for improving software and making it much more robust and resilient. The problem is that the same advances in AI that enable such tools can also be abused by nefarious actors. What happens when dark web AI tools make it easier and cheaper to create exploits than ever before?
If defenses don’t improve at the same pace or faster, it’s easy to predict that cyberattacks will increase in volume and effectiveness—and indeed, we are already seeing this happen.
There's no fate but what we make
If the cybersecurity challenge is just going to become worse, what can we (or Microsoft in this case) do about it and do quickly? Are we doomed, or can this be solved? I think it can be solved!
One path would be for Microsoft to license various cybersecurity technologies from Apple. While that would make headlines, I’m not sure, culturally, that Microsoft would be willing to do this.
Fortunately, they don’t have to.
Microsoft is huge, and across the many different divisions, they already have in-house all the necessary technologies to match Apple’s level of cybersecurity!
Similarly, the technical teams at Microsoft are truly world-class. As I mentioned earlier, just look at what they are accomplishing with AI. With the right leadership and determination to make it happen, they can solve the cybersecurity problem. The raw ingredients are already there.
Could Microsoft eliminate 100% of all cybersecurity issues? Of course not. But could Microsoft bring the Windows ecosystem to the level of safety and security the iPhone ecosystem currently offers? Absolutely.
Ransomware
Cybersecurity is a big and complex topic. To simplify the discussion for this note, let’s consider one huge and pernicious type of attack: ransomware. You’ve probably seen articles like this one: https://www.politico.com/news/2022/12/28/cyberattacks-u-s-hospitals-00075638 where ransomware attacks on hospitals literally killed people due to the disruption to the hospital’s operations. Ransomware is a big business, costing an estimated $20 billion in 2021.
For those of you who don’t spend every day thinking about cybersecurity, a quick refresher:
Ransomware is malicious software that can block access to people’s computer systems and the data stored on them—typically by encrypting the files on the computer and showing a message of “pay $X thousand or million dollars to unlock your computer.” Computers can be infected through many means, but a very common one is a phishing email—those fake emails everyone gets. Sometimes those emails contain attachments and links that, when clicked, can infect the computer with ransomware malware. Once a computer is infected with ransomware, the hackers take control, deliver the ransom message, and await payment.
The Solution
If you abstract away these steps in how ransomware works, there are fundamentally three dimensions to the attack:
People: Somebody has their email faked out, and that tricks the victim into clicking on an attachment.
Software: The actual virus or malware behind the ransomware can corrupt and take over the victim’s computer.
Data: The victim’s data becomes locked and unavailable.
To truly solve the ransomware problem, we need to address all three attack vectors.
People
As mentioned above, one common delivery vector for ransomware is phishing emails. People get enormous amounts of spam emails and countless unsolicited sales emails. But some of those emails are extremely dangerous—the links or attachments in the email can actually be viruses directly or link to malevolent websites or downloads.
The basic challenge with email is that it’s very easy (and cheap!) for attackers to send fake emails. But people don’t know that. Just because you get an email from ‘alex@polyverse.com’, it does not mean that the email legitimately came from me! It’s a basic identity problem that needs a solution.
There are existing technologies today that can digitally sign and digitally encrypt emails. With a signed email, you can be confident that an email really did come from whoever signed it.
But there lies the rub with existing solutions. Just because an email is signed, with many existing solutions, you do not know who actually signed the email. Was it the ‘real’ alex@polyverse.com, or someone pretending to be alex@polyverse.com (or even alex@fakepolyverse.com)?
From a technical perspective, this is known as a “key management” problem. Digital signatures require mathematical numbers known as “keys,” and whoever controls the keys can control who can sign or encrypt a message. It’s much like a car key—if I have your car keys, I can drive your car.
However, let’s say I came up to you at a mall and gave you a random car key. You might know it’s a car key from the shape, but how would you know which car the key went to in a parking lot of thousands of cars? That problem bedevils existing attempts to sign emails. Just because an email is signed, do you know who really signed the email? It’s the car key problem—you know it’s a car key; you just don’t know which car. Similarly, just because it’s signed, you don’t know for sure who really signed it.
To solve that problem, we need a global, trusted directory of identity. If an email is signed by “alex@polyverse.com,” could you verify that the person signing it was the same person who worked at Microsoft, AOL, and Polyverse? What if each of those companies, in turn, could verify that, yes indeed, Alex did work there? By linking each of these verifications together, you can create a chain of trust, or more specifically, a web of trust, to verify digital identities. (As a side note, one of the many potential uses of Blockchain and Web3 technologies is to help with digital identities, but that’s a story for another post!)
Fortunately, this global, trusted directory of identity exists! It’s called LinkedIn, owned by none other than Microsoft.
Historically, one challenge with LinkedIn has been fake profiles. However, LinkedIn has recently launched profile verification, which allows for profiles to be validated by employers and via government IDs. With this verification feature, we now have a trusted source of identity (or at least reasonably well-trusted!).
Now suppose Microsoft integrated key management between LinkedIn and Outlook. Now for every email in your inbox, you could know with confidence exactly who sent it—you could see their LinkedIn profile and see that their employers (and governments) vouched for them.
No more fake emails.
Well, we will still probably get a lot of sales and marketing emails, but importantly, those emails could now be tracked back to a verified and authentic human. This would make a huge improvement in the email experience, let alone the positive impact it would have on reducing cyberattacks!
Software
Simply improving email, however, is not enough. There are other vectors for ransomware to be delivered through (e.g., websites), and we’ll still need a way to handle legacy emails that have not been sent through this new, secure Outlook/LinkedIn solution. So now, while we’ve made part of the cyberattack more difficult, we need to turn our attention to the next dimension: software.
What if we could make software extremely resistant to cyberattacks? As Apple has shown, this is entirely possible. But even more can be done.
Galen Hunt, a Microsoft Distinguished Engineer, wrote a fabulous whitepaper on how to create a secure operating system: https://www.microsoft.com/en-us/research/publication/seven-properties-2nd-edition/. The original paper was published in 2017—over six years ago now! I highly encourage my technical audience to read this whitepaper; it lays out a clear set of principles and technologies needed to produce truly secure software.
(excerpt from Galen Hunt’s security paper)
This paper demonstrates that Microsoft knows how to build a secure operating system, so why haven’t they?
One big challenge is balancing security with compatibility. The issue: “Sure, it would be nice to have a secure operating system, but we also want that operating system to run all of the games, enterprise apps, and devices that we already have. We don’t want to upgrade Windows and have everything break!”
The solution here is another Microsoft technology invented in 2011, known (earlier) as Drawbridge. Drawbridge is essentially a lightweight virtualization scheme that can run one operating system on top of another. This was used very successfully in bringing Microsoft’s SQL Server database product to Linux—that Linux version essentially has a copy of Windows and the Windows-based SQL Server product all combined into one system running on top of Linux.
This same approach could be used to achieve both compatibility and security in a future version of Windows, let’s call it Windows 12. The ‘aha’ is to treat all older versions of Windows like a virus!
Fixing the existing Windows and preserving compatibility would be an extraordinary challenge. So don’t!
Instead, literally, take the entire operating system and compartmentalize it using a drawbridge-like approach. The real, underlying operating system would be built using the principles in Galen Hunt’s paper (the Azure Sphere product could very well be the starting point for this effort).
These aren’t new ideas—they have been around and maturing for over a decade within Microsoft—just in different divisions than the Windows division.
Data
Last but not least is the issue of protecting the data itself. Even with a super secure version of Windows and a high-integrity email system, it could still be possible for malware to cause havoc. Thus, to provide enough defense in depth, we need to also protect the data in the computer—the documents, emails, and other information that we all use daily.
There are two key approaches: isolation and versioning.
Isolation - One of the strengths of the iPhone architecture is the isolation between apps. Indeed, this isolation philosophy was so strong that early versions of the iPhone even lacked copy/paste functionality between applications! While we have copy/paste on the iPhone today, apps on the phone are strongly partitioned from one another. The software execution is partitioned, and the data is partitioned.
With software, the partitioning works much like the approach for compartmentalizing software execution I outlined above for Windows 12. For data, each application should have its own partitioned area for data storage. The video game you download does not have access to the banking data from your Bank of America app (and vice versa!). This isolation is a crucial layer in a secure system. In Windows today, there is very little isolation. A video game I download from the Internet can have full access to my Quickbooks data. That full access is what enables ransomware to cause havoc at hospitals and elsewhere. Ransomware hiding in an otherwise “harmless” video game goes through and encrypts and locks up all of the data on your computer. If the video game only had access to video game files and not everything else, this would be much harder to do.
Versioning - Last but not least, let’s assume that an attacker can get through all of the defenses we’ve outlined thus far. The final defense is the “go-back” button. What if you could hit this button and instantly rewind your computer to where it was a day ago, a week ago, or whatever? Not only would this be useful to undo those “oops” moments, but it could also let you undo the introduction of ransomware. Simply rewind your system to where it was before things started going badly. To be sure, you might lose a few days' worth of work, but that’s far better than losing everything.
Apple has long had this capability—the “Time Machine” feature in MacOS. But Microsoft has something similar in their GitHub division.
The core offering of GitHub is a version-controlled system for maintaining and building software code. Versioning is an invaluable part of the day-to-day life of a software developer—as we build new code, sometimes we make mistakes. With version control, we can go back and unwind those mistakes. Microsoft should integrate this GitHub versioning technology into the core Windows filesystem, essentially creating a “go back” or rewind button. Not only would this be a useful feature for users in general, but it would create a final safety net to defend against the nefarious deeds of hackers.
The future is bright!
Hopefully, the comments above paint a clear path for how Microsoft could dramatically improve its software and significantly reduce the number of cyberattacks in the world. And, as the core technologies needed are already mature and already owned by Microsoft, it’s entirely possible to do so.
With that said, I do want to be clear that I’m not saying this would be an easy task, far from it! As a former Microsoft employee (and former engineer in the Windows team), I am acutely aware of the challenges and difficulties in building extremely large and complex software like Microsoft Windows.
At the same time, Microsoft is demonstrating remarkable agility and speed with AI advances that have surprised and delighted the world. It really is quite astonishing, and I am proud of my friends and colleagues there for the work that they are doing in this space.
There is so much more that can be done here in integrating AI technologies deeply into the operating system. Doing so would fundamentally transform and reinvigorate the core operating system space. We are rapidly closing in on the “Jarvis” scenario from the Iron Man movies, where the computer becomes much more an extension of our brain and imagination versus a tool that we often struggle with!
All of that progress will be for naught though if Windows keeps getting hacked! Thus, the immediate challenge now to the new Windows leadership team is to take that same level of agility and innovation done for AI and apply it to solving cybersecurity.
The world will thank you for it!