A report by security researchers argues that the mere
existence of an operating system monopoly constitutes a critical
security risk to governments and businesses.
The report, "CyberInsecurity - The Cost of Monopoly" was
released yesterday at a Computer & Communications Industry
Association (CCIA) gathering in Washington DC.
It calls on governments and businesses to consider the dangers
of homogenous systems, and to diversify the software mix deployed
in their organisations.
The report also urges the US. government to counterbalance
Microsoft's user lock-in tactics by forcing the company to offer
multiplatform support for its dominant applications, including
Internet Explorer and Microsoft Office.
While Microsoft is a focus of the report, the authors of the
report said it the software company is not solely responsible for
the risky situation that now exists.
"I think the blame falls mostly on the buyers. The seller is
going to sell what the buyers want," said co-author Bruce Schneier,
who is also the founder and chief technical officer of Counterpane
Internet Security.
"Because everyone is buying it, because it's compatible, because
it's easy, everyone is doing it. The point of the report is to say,
'Hey, there are security implications to your decision'."
Microsoft's pledge to improve its products' reliability will
not fix the underlying problem of the vulnerability inherent in a
system that depends on just one architecture, said co-author Perry
Metzger, a computer security consultant.
"It doesn't matter how hard Microsoft works on security. So long
as they continue to be human beings, there will continue to be
flaws - and you don't want every machine on earth to have the same
flaw revealed at the same time," he said. "It's as though every
person in the US had the exact same genes."
None of the report's authors were paid for their contributions,
and the CCIA is merely acting as the paper's publisher and had no
influence its content, according to the report's instigator, @stake
chief technical officer Dan Geer.
The report's conclusions do, however, dovetail with CCIA's push
for tighter regulatory controls on Microsoft and for greater
diversity in the US federal government's IT systems.
The report's authors said they hoped the report would aid
corporate IT workers in their efforts to convince executives at
their companies that Microsoft's software should not be deployed by
default.
"There isn't a lot of talk about monoculture and security
problems. Our hope is that we can bring this into the debate,"
Metzger said.
Beyond recommending diversification, the paper suggested steps
could be taken to reduce the effects of Microsoft's monopoly.
Two suggestions include the forced publication of application
program interfaces for Microsoft's Windows and Office software, and
requiring the company to work with other software companies on
development of future specifications through a process similar to
the Internet Society's request for comments system.
Stacy Cowley writes for IDG News Service