"New security risks have emerged on a scale that few in our industry fully anticipated," Gates wrote in a 1,500-word e-mail distributed late Thursday to about 1 million people. He cited figures showing corporate losses to hackers and other types of electronic attacks exceeded $455 million in 2001.
Gates acknowledged that the technology industry must make significant improvements, adding that, "Microsoft has a responsibility to help its customers address these concerns, so they no longer have to choose between security and usability."
As part of the effort, Gates promised that Microsoft will improve support for "smart cards," devices that can replace or augment passwords. A single computer user may need dozens of passwords for e-mail, Web sites and connecting to office systems. Most passwords are easy to guess or difficult to remember.
In his e-mail, Gates called passwords "the weak link."
Smart cards can help authenticate a person's identity when plugged into a computer slot or swiped through an attached reader device. Some cards display random numbers that an employee must type accurately before they're given approval to log on.
Gates said Microsoft now requires all its employees use smart cards to access the company's computers from home or while traveling.
He did not note that the smart-card policy went into effect after an embarrassing break-in by hackers to Microsoft's internal computer systems in October 2000. Investigators believe hackers remotely took control over an employee's unprotected home computer, then used it to breach Microsoft's corporate systems.
Gates did not mention in his e-mail improving support in Microsoft's products for fingerprint or retinal-scan technology. "Over time we expect that most businesses will go to smart card ID systems," he wrote.
Microsoft's products, especially earlier versions of its Windows operating system and Internet server software, have been long derided by experts for problems that put consumers' information at risk from hackers and viruses.
As sensitive transactions — from banking to medical filings — increasingly take place online, there has been a new focus on such risks. The Bush administration also has raised concerns that terrorists or foreign governments could launch cyber-attacks against the private networks that operate U.S. water and power systems.
Last year, in response to rising concerns, Gates announced a "trustworthy computing" drive at Microsoft and shut down software development for 10 weeks of security training for employees.
Gates wrote in his e-mail that the training "taught program managers, architects and testers to think like attackers," and that it helped identify an unspecified number of vulnerabilities in Windows software.
Gates also pledged that an upcoming version of Microsoft's flagship server software, called Windows Server 2003, will have many advanced features turned off automatically to improve security. Such features, if used improperly, could make computers vulnerable.
Businesses use server software to operate their internal company networks and to publish Web sites.