Experts: Reliance On Microsoft A Danger To National Security

The group, which debuted its report on the first day of a two-day conference hosted by the Computer and Communications Industry Association (CCIA), was headed by Dan Geer, the chief technology officer of @Stake, a security consulting firm.

"As fast as the world's computing infrastructure is growing, vulnerability to attack is growing faster still," said Geer.

"Microsoft's attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability. This deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over," Geer added.

Ed Black, the CEO and president of CCIA, whose members include Microsoft competitors such as Sun and Oracle, was even more blunt.

"Microsoft's monopoly threatens consumers in a number of ways, it's clear it is now also a threat to our security, our safety, and even our national security."

According to the report and its seven authors--security consultants and leaders of several security firms--the biggest problem is the over-reliance by corporations and governments worldwide on Microsoft's products.

"The problem is that of monoculture," said Bruce Schneier, one of the paper's authors and a co-founder of security firm Counterpane. "As long as all computers are running the same OS, they're all vulnerable."

In response to the report, Microsoft spokesman Sean Sundwall said, "There's nothing inherently wrong with having a prime vendor [of operating system and other software], but being the leader, we have the responsibility of providing as secure an environment as possible.

"We always consider security to be our absolute top priority," he said.

In fact, Sundwall agreed with the first sentence of the report, which reads: "No software is perfect."

"We recognize that. Our job is to make our software as close as possible to perfect to eliminate threats for our customers," he said. "We've made some strides, and admittedly, we have a lot of work ahead to do."

Using several agricultural analogies of the danger of relying on a single crop--from attacks of boll weevils on cotton to the Irish potato famine--the authors stressed that reliance on Microsoft dooms IT to a continued plague of vulnerabilities.

"We need operating system diversity," said John Quarterman, another of the report's authors and the founder of InternetPerils, an Internet risk-management company. "If there's one thing to take away from this report, it's that a single attack can take out all the computers running a single operating system."

The monopoly that Microsoft enjoys--its Windows is, by far, the world's most popular operating system--ensures that attackers will focus their efforts on its software. More importantly, these attacks will have rapid and broad effects.

"Ironically, Microsoft's efforts to deny interoperability of Windows with legitimate non-Microsoft applications have created an environment in which Microsoft's programs interoperate efficiently only with Internet viruses," said Geer.

The complexity of Microsoft's software--the report claims that integrating applications with Windows results in code 15 to 35 times more complex--results in a similar increase in vulnerabilities. And simply patching the vulnerability--as Microsoft has increasingly had to do on the fly as vulnerabilities are disclosed--only exacerbates the problem.

"I don't think that Microsoft can ever fix this," said Geer.

Enterprises, organizations, and government agencies must wake up to the fact that there are ramifications to their decisions to buy Microsoft, added Schneier. "Because everyone's buying it, there are security implications to your decision to buy what everyone else is buying. You need to take that into consideration."

Among its other recommendations, the report, "CyberInsecurity: The Cost of Monopoly," urged the federal government to diversify the software it uses, demand that Microsoft design its wares to work well with other companies' software, and require Microsoft to open its source code to other developers.

Some of its advice is likely to become controversial, for it hinges on government stepping in, perhaps on an anti-trust basis, to make specific demands of Microsoft. Among these recommendations: Microsoft should not be allowed to release Office for any one platform, such as Windows, until it releases comparable Linux and Mac OS versions.

While the report's authors noted the seriousness of their recommendations, they stood by them. "When the government uses a product whose monopoly position undermines its security, anti-trust becomes a national security issue," said Geer.

This story courtesy of TechWeb.