Report condemns Microsoft "monopoly" as insecure
A report released today by a team of cybersecurity professionals condemns the ubiquity of Microsoft Corp. software as inherently insecure and called for government to break the software giant's dominant grip on the market.
A report released today by a team of cybersecurity professionals condemns the ubiquity of Microsoft Corp. software as inherently insecure and called for government to break the software giant's dominant grip on the market.
The report, released by the Computer & Communications Industry Association, called Microsoft's dominance a "clear and present danger that can be ignored no longer."
With Microsoft's 90 percent share of the desktop market, "the presence of this single, dominant operating system in the hands of nearly all end users is inherently dangerous," the report says. The single system leaves the majority of computer systems open to the same worms, viruses and other exploits.
The authors take an organic view of information infrastructure and suggested it should be treated as an ecosystem.
"Monoculture is a bad thing," said independent consultant Perry Metzger, one of the authors. "It is bad in agriculture, and recent events have shown it is a bad thing in computers."
The solution is market diversification, he said. Breaking the Microsoft monopoly could have the same effect on computer security as the introduction of alternative strains of cotton did on fighting the boll weevil.
The report recommends that diversification be enforced if necessary by government. "When governments conclude that they are unable to meaningfully modify the strategies and tactics of the already-in-place Microsoft monopoly, they must declare a market failure and take steps to enforce risk diversification."
The report was written by Rebecca Bace, CEO of Infidel Inc. of Scotts Valley, Calif.; Peter Gutmann, researcher at the University of Auckland's Computer Science Department; Dan Geer, chief technology officer of @Stake Inc. of Cambridge, Mass.; Perry Metzger, independent consultant; Charles P. Pfleeger, master security architect of Exodus Communications Inc. of San Francisco; John S. Quarterman, founder of Matrix NetSystems Inc. of Superior, Colo.; and Bruce Schneier, CTO of Counterpane Internet Security Inc. of San Jose, Calif.
The report is being distributed but was not commissioned by CCIA.
"This is a personal initiative of these people," Geer said. "It is paid for by no one."
Although the report focuses on one company, the authors said they are not engaging in Microsoft bashing.
"Our point is about monoculture, not whether one system is better than another," Geer said.
But the report criticizes Microsoft for creating what it calls unnecessarily complex software to "illegally shut out" competitors and lock-in customers. The complexity adds to the insecurity and creates a large installed base of software for which there is no adequate professional administration.
The report stops short of calling for a government breakup of Microsoft, which it says would result in two monopolies. "Instead, Microsoft should be required to support a long list of applications on a long list of platforms." The company could be prohibited from releasing applications for its own operating systems until versions running under Linux, Mac OS and comparable operating systems were available, the report says.
Government should enforce diversity in critical infrastructures, the report says. "A requirement that no operating system be more than 50 percent of the installed base in a critical industry or a government would moot monoculture risk."
Microsoft said in a statement that security is a top priority. "We are working to make our products more secure out of the box and on making it easier for our customers to take action," said spokeswoman Ginny Terzano.
Another industry trade organization, the Computing Technology Industry Association, called the report's focus myopic and fundamentally flawed. CompTIA released a study earlier this year that it said shows human error, not technical malfunction, is the most significant factor in computer security.
CompTIA said a focus on training and certification in the computer industry is needed to improve security. "A sole focus on changing a monoculture misses this boat," the organization said.
William Jackson writes for Government Computer News