On the 20th anniversary of the unleashing of the ILOVEYOU virus—which infected millions of PCs worldwide and reportedly cost companies billions of dollars as they cleaned up the damage—Fast Company is publishing Steven Sinofsky’s insider account of how Microsoft dealt with the virus as well as two predecessors, WM/Concept.A and Melissa. The piece is an excerpt from his memoir Hardcore Software: Inside the Rise and Fall of the PC Revolution, which is currently a work in progress.
Sinofsky, who was responsible for Microsoft Office at the time of the virus outbreaks and later led the development of Windows 7 and Windows 8, is currently a board partner at VC firm Andreessen Horowitz. In an email exchange, I asked him about the experience of exploring his own career—and the era when Microsoft dominated the tech industry like no single company does today.
Fast Company: A lot of us have been enjoying your tweetstorms (and subsequent Medium posts) about the industry’s past and present, and the threads that connect them together, but what led you to want to write a book?
Steven Sinofsky: Thank you for the kind words about the tweetstorms. I have enjoyed sharing stories about the culture, decision-making, and history of the teams and products I worked on. While the Twitter threads are great fun, I always thought there was more room for (and interest expressed in) context and color around specific stories but also connecting the stories in a broader narrative.
My first book was a collection of blog posts about the development of the Windows 7 team and product (One Strategy, with Harvard professor Marco Iansiti). I felt like there was interest, a need even, for a book about the growth stages of Microsoft from when it was emerging from the hobbyist era of the 1980s to create the modern PC era through the internet and then transition to an enterprise company and finally through the rise of smartphones. Surprisingly, there aren’t really any books about Microsoft from that important (for the industry and business) time and very little written from a participant’s perspective.
FC: When will the book be published?
SS: I was hoping soon, but like so many plans, mine were interrupted by the pandemic. The timing for completing the project depends on how quickly the publishing market returns to its new normal. I wrote the stories to be mostly timeless lessons, told in the context of rich details of the growing and maturing PC industry. The ILOVEYOU story happens to also be timely, and with the anniversary I thought it would be fun to get it out there and also let people know about this project I am so passionate about completing.
The age of Microsoft
FC: You talk about an era of PC dominance that really got underway with Windows 3.0, the first version that was a major hit, in 1990 and ended with the arrival of the first iPhone in 2007. You were at Microsoft for that entire period. Given how much has changed in subsequent years, what does it have to teach us?
SS: Trying to distill the lessons of 20 years and dozens of products down to a single answer while remaining useful presents some difficulties, but perhaps two themes kept recurring for me. First, “no matter what happens, someone always said it would.” What I mean by this is that in technology there’s always a relentless push to improve and define what is next, which means that at any given moment, no matter how well things are going, someone somewhere is always shouting that the next big thing is here right now and everything we know is going to change.
The challenge, of course, is not whether an idea is good or bad, but whether the time is right—in particular whether all the customer and technology pieces are really ready to make an idea work for the market.
I was intent on making sure I thought about the mistakes I made, as well as the things that went well.”
Reflecting back on what was achieved over that time, it is tempting to think of things happening because of great products or great marketing or great sales, but in reality it was always a combination of those coming together in the right way at the right time.
FC: What’s it been like revisiting such a large chunk of your past, with the benefit of hindsight? Did you have a different perspective on all the things that went right and wrong at Microsoft than when you were living them? Did you second-guess yourself?
SS: The process I used to write the book started with immersing myself in the timeline—I went through all the news of the time and public information I could find and even set up old PCs of the era from scratch with all the right software. I collected all the major magazine articles on Microsoft and a bunch of vintage computer magazines and read them in a timeline order. I even built a spreadsheet of all the major events in the industry, for the team, and for me. It was all very CSI, I suppose.
I really wanted to get my frame of reference in the time. I also intentionally waited for time to pass and for me to “de-Microsoft” myself and gain perspective. I wanted the book to reflect how I felt at the time but also to filter out the noise and to reflect on what could have gone better. In writing, I was intent on making sure I thought about the mistakes I made, as well as the things that went well. With the passage of time, I also found new ways to tell stories about what we as a team learned that really helped to convey the more universal lessons that I think the book conveys for a general reader, not just the most informed PC enthusiasts.
Security threats past and present
FC: The story of the Concept, Melissa, and ILOVEYOU viruses is sort of the end of the age of innocence when it came to security for businesses and consumers, and maybe a little bit for Microsoft, too. And yet it’s relevant today as companies wrestle with trade-offs between ease of use, power, and security, and get user pushback regardless of where they land. Given how much higher the stakes are now than they were in the 1990s, should the industry be better at anticipating threats and preventing them?
SS: I love your characterization, “the end of the age of innocence.” Up until Concept, viruses were mostly viewed as annoying but not something to be viewed as a threat. To be fair, that was probably both naive and optimistic. In fact, in 1988 the “Morris Internet Worm” was shown to be capable of material impact with intentionally malicious software. Still, the computer industry was one where everyone was a programmer and owning a “personal computer” was about being empowered compared to a mainframe, and that meant total control of the PC. With internet connectivity, all of these computers were connected, and simultaneously people using computers were less into all the details and more into just getting their jobs done. They didn’t see the PC as a hobby or passion, but as a tool.
Once trust wanes, everything you do or try to do is viewed through a lens of distrust.”
This is also the tension between being an “application” and a “platform,” where a platform is inherently about being customized and programmed—two worlds Office always straddled. The difference today is that when designing a product, you just have to assume there are going to be “bad actors” and that when faced with a trade-off you almost always have to consider that someone will exploit a product for bad actions no matter what the intentions were. Microsoft encapsulated all of this thinking in the 2002 Bill Gates memo that followed this sequence of events, Trustworthy Computing, where he said “[s]o now, when we face a choice between adding features and resolving security issues, we need to choose security.” That expression was how we had previously crystalized designing Office products after we dug ourselves out of ILOVEYOU.
FC: Do the estimates that companies spent billions dealing with ILOVEYOU feel accurate to you?
SS: The numbers really got my attention at the time. While for years we talked about hundreds of millions of customers and billions of dollars, this was lost productivity, time, and then remediation cost all in the span of a day. During 1999, the PC industry sold more than 100M units for the first time and the number of PCs in use was about to cross 500M. It wasn’t unrealistic to think that it cost $100 in time and labor for each infected PC. The direct material cost of ILOVEYOU was a part of the wake-up call.
FC: As you note, at the time Microsoft was dealing with the viruses you write about, it “was not exactly the most loved company and certainly not the most trusted, especially by those outside of technology.” We could spend hours discussing that, but as you thought back to that era, did your own take on the company’s reputation at the time and its fairness or unfairness evolve at all?
SS: By far the most important thing I learned is the importance of earning and maintaining trust of customers (and in this case customers also includes governments). Once trust wanes, everything you do or try to do is viewed through a lens of distrust. The rampant viruses on PCs were bad, but the lack of trust amplified the impact, and it also put the need for action squarely on Microsoft. If we had not lost trust with customers, I am certain that there would have been much more patience.
The lack of trust also shows in the response to our solutions—skepticism was rooted in part because of the undercurrent of distrust. Our desire to fix the problem was perceived through a cloud of distrust. Mostly, we needed to mature as a culture and company—we needed to internalize the position we held with customers. Following ILOVEYOU, after a few more viruses that attacked Windows and SQL, Microsoft really came together and a new culture of security and reliability was created. The Trustworthy Computing memo from Bill, the use of error reporting and recovery, and even the company’s seamless handling of Y2K just months earlier were all steps in Microsoft’s maturing culture—we began to internalize our place with customers and the market, a position that seemed obvious to everyone else.