Industry players are hotly debating a controversial report released this week claiming that
flaws in Microsoft Corp.’s software, combined with the company’s grip on the market, are
causing a national security risk.
And to add more flame to the fiery debate, one of the authors was dismissed from his job
because of his involvement with the report.
“It is the combination of the two — the flaws in the software and the company’s monopoly
— that creates the magnitude of the problem described,” says Ed Black, president and CEO
of the Computer and Communication Industry Association (CCIA), a Washington, D.C.-based
trade group often considered an “adversary” of Microsoft. “There are several different
pieces that come together that create a perfect storm of insecurity.”
The CCIA released and backed the study, while several players in the security industry
authored the report, entitled ‘CyberInsecurity: The Cost of Monopoly’.
Daniel Geer, a security consultant and, at the time, the chief technical officer of @Stake,
a security consulting firm, was the principal author.
A spokesperson for @Stake confirmed that Geer is no longer with the company since the
release of the report. The company released a statement saying that “the values and
opinions of the report are not in line with @stake’s views” and that Geer is no longer
associated with the company. The spokesperson added that Microsoft did not push for or
participate in Geer’s dismissal.
“It shows that a raw nerve was hit,” says Black. “The emperor never likes being told that
he has no clothes. Microsoft’s web of relationships is the seat of its power.”
What the report claims is that the large number of flaws in Microsoft’s popular software
combined with the fact that most companies around the world run that software is creating a
dangerous security risk.
“If you can penetrate one Windows system, you can penetrate millions of systems,” says
Black. “We’re saying that when an entire nation, the entire industrialized world, is 96
percent dependent on a product with these flaws, there’s a serious problem… It’s a
cascading effect.”
And Black adds that the United States’ dependence on Microsoft’s software is directly
putting the country at risk.
“The infrastructure of every major industry, of the government, of our power system, are
all basically vulnerable,” he says. “When they rely a great deal on a flawed system, they
are vulnerable.”
Chris Belthoff, a senior analyst with anti-virus company Sophos, Inc., says he agrees that
there is a risk here. Belthoff spends much of his time battling worms and viruses, like
Blaster and Sobig, that attack Microsoft Windows systems. And he says virus writers attack
those systems for two simple reasons — the flaws in the coding leave them vulnerable to
attack and Microsoft’s huge bite of market share gives them a wide and impressive target to
attack.
“Name another industry that is producing products as critical as this and there is only one
player holding on to most of the market share,” says Belthoff. “And think about if those
products aren’t operating properly and so they could cripple the nation’s IT infrastructure.”
“Do these people have an axe to grind?” Belthoff asks. “Sure. Is that a legitimate axe to
be grinding? I’d say, yes it is.”
But not everyone agrees.
Dan Woolley, a long-time security player and now a vice president at Computer Associates,
which works closely with Microsoft, called the report and its charges “bull.”
“I know what the guys are saying but it’s a little hard to swallow given that some of these
folks are into security products and are direct competitors with Microsoft,” says Woolley.
“Do they have a point? Yah. But the problem I see is if I’m a bad guy, I’m going to pick
the highest probability target I can get. That’s Microsoft. If you hit the right thing, you
can take down a lot of machines fast.”
Woolley says to claim that Microsoft is causing a national security risk is stretching
things.
“I don’t think the stuff is poorly built,” he adds. “My contention, in general,
is that I don’t see another software manufacturer out there jumping through the hoops to try
to fix their products like Microsoft is.”
Ken Dunham of security company iDefense says he believes Microsoft is working hard on
securing its software but there’s a lot of flawed code to fix.
“Microsoft has increased usability of its software to become a software giant,” says
Dunham. “The downside is that with all these features and functionalities added in, you get
more problems… Microsoft made this code and they need to make security a focal point. They
need to fix the code.”