OS dominance paper branded 'marketing by fear'

A report claiming that Microsoft's operating system "monopoly" poses a critical security risk to users has drawn harsh criticism...

A report claiming that Microsoft's operating system "monopoly" poses a critical security risk to users has drawn harsh criticism from technology professionals.

While the group of researchers claimed intellectual and financial independence from outside parties, as well as from their own parent companies, their decision to seek publishing support and include an introduction from the Washington-based Computer and Communications Industry Association (CCIA) - an industry group composed of Microsoft competitors - raised questions about the motivations behind the study. 

"This paper can be seen as nothing less than marketing by fear to line the pockets of a handful of large companies," said Jim Prendergast, executive director of Americans for Technology Leadership, an association of technology professionals in Washington. Microsoft is a founding member of the group.

"Cybersecurity is an industrywide problem that will not be solved by malicious finger-pointing and political attacks." 

Prendergast called the CCIA's involvement in the publication of the report a "shameless effort" to forward the cause of CCIA member companies, including Sun Microsystems and Oracle. 

CCIA president and chief executive officer Edward Black was quick to defend the report. "These guys did this on their own, and they contacted us because our expertise is in the policy area and we had the infrastructure to publicise the report in Washington."

The report was made public on Wednesday through the CCIA website. 

The authors, all of whom worked for different companies in the security industry, said they were motivated only by a collective sense of responsibility to the IT community and did not receive any funding for the study. 

"The security situation is deteriorating, and that deterioration compounds when nearly all computers in the hands of end users rely on a single operating system subject to the same vulnerabilities the world over," says the report, titled, "CyberInsecurity: The cost of monopoly. How the dominance of Microsoft's products pose a risk to security". 

"Microsoft exacerbates this problem via a wide range of practices that lock users to its platform," the report states. "The impact on security of this lock-in is real and endangers society." 

The authors do not provide specific recommendations about how the private sector and the government should fix the problem of monolithic IT infrastructures. Instead, they point to a lack of government action on the policy front and the willingness of user companies to institutionalise purchasing criteria that favour flexibility, ease of use and compatibility instead of diversity. 

"We, as a country, need to encourage alternatives (to Microsoft)," said Bruce Schneier, founder and chief technology officer of Counterpane Internet Security and one of the authors of the report.

"The problem is the lock-in. Because it's compatible and because it is easy, people are buying it. The blame falls mostly on the buyers because the sellers are going to sell what the buyers want." 

Dan Geer, who was the chief technology officer at @stake until last Tuesday., and co-author of the report, agreed that Microsoft's dominance produces a level of insecurity that cannot be ignored. "If we're going to talk about the affect of insecurity on national priorities we have to talk about Microsoft," he said. 

However, Geer's former company distanced itself from the report in a statement. "@stake would like to clarify that Dan Geer is no longer associated with the company as of September 23, 2003. Although Dr. Geer announced that his CCIA-sponsored report ... was an independent research study, participation in and release of the report was not sanctioned by @stake." 

Microsoft spokesman Sean Sundwall declined to comment on any political motivations behind the report, but said Microsoft considers security to be "an absolute top priority" for all of its customers.

"We certainly recognise that there's a long way to go. But we're absolutely committed to taking a leadership role in security ...Software will never be perfect, and it's not our software alone that must take the issues of security into consideration." 

Echoing Schneier's comment, Geer said that much of the blame rests with senior corporate executives who insist that their IT managers invest in Microsoft because of its compatibility.

Not all experts agree with Geer and his co-authors. "Fighting the monoculture is really tilting at windmills," said Alan Salisbury, chairman of the Center for National Software Studies. "The real issue is poor software quality, and that's where I would focus my criticisms of Microsoft." 

While he has "tremendous respect" for all of the report's authors, Howard Schmidt, the former chairman of the President's Critical Infrastructure Protection Board and former chief security officer at Microsoft, said the issue is much more than a Microsoft issue. 

"It is a fundamental training issue for developers and a maintenance issue for IT users," said Schmidt. "There is no indication that developers at Microsoft or anywhere else are ignoring security features. It is just the errors that are being made by humans developing complex code.

"In the meantime, as long as we have criminals that are writing malicious code and governments that do not actively investigate and prosecute these criminals, the dominant players will continue to be victimised along with the rest of us."

Dan Verton writes for Computerworld

OS monopoly poses security risk, report claims >>

Read more on IT risk management