Information Age: News, analysis & insight for IT & business leaders

19 October 2005 Microsoft's security chief Scott Charney has warned that that telephones could soon be as insecure as PCs with the advent of next-generation IP (Internet protocol) networks.

Speaking at the RSA Security Conference in Vienna, Charney - who is charged with making sure Microsoft code is developed securely - gave a hint of the IT security threats that will face businesses and consumers in coming years.

"I don't see [the end of security vulnerabilities] happening anytime soon, even with better software development controls in place," he said. "Products will evolve and we will have to build new threat models as the environment continues to change.

"As we move away from circuit switching, where the telephone is just a dumb terminal, to next-generation IP-based telephony networks, a lot of power moves to the edge of the network, to the devices, and people will create all sorts of new applications," he added.

But while these technology developments will help drive business innovation, they also carry new threats.

As business models change and technology changes we need to be really diligent on building threat models," he said, adding that he often asked customers, "Do you want your phone as secure as your PC?" - only to receive horrified looks.

Charney called for large enterprises to set the standard by building security requirements into software procurement contracts and said Microsoft itself was investigating forms of security certification.

To protect users who expect their phones to work without the sort of maintenance Windows users have become accustomed to, he said the device must be managed by service providers. "We really have to build some of this in."

IPv6, a proposed upgrade to the infrastructure underlying the Internet, could be used to prioritise patch downloads over worms, he said, while admitting it was not quote that simple: "Who gets to announce that priority? How do we ensure the bad guy doesn't throw the [prioritisation] flag for his worm?"

But he denied that Microsoft would build in anti-virus and other security mechanisms into the next generation of Windows - Vista - for fear of further penalties from regulators. "Building [anti-virus] into the platform might raise bunch of antitrust issues. It's not just a security issue."

Instead he is investing in security training and education, admitting that even in recent products Microsoft did not think about security soon enough in the development cycle: "The security push on Windows Server 2003 happened at the beta stage, just before it was about to ship. It was good to do it and it yielded results but the time to do security is not just when the product about to ship - you have to build it in from the beginning."

Charney's comments came as a survey by identity and access management company RSA Security suggested that UK consumers spend more online every month than any other nation (231 EUROs) but that awareness of identity theft was denting confidence in ecommerce.

The survey of 603 consumers in the UK, US, France and Germany, carried out by Momentum Research Group, also found that while their spending was still increasing on average, US respondents were more worried by security threats than Europeans. But less than half of those polled had heard of "phishing", fraudulent emails designed to trick recipient