Calling for increased biodiversity in IT infrastructures, a group of infosecurity luminaries warns that Microsoft's dominance in the software and operating systems markets is threatening U.S. security.
Cyber insecurity: The cost of monopoly, released Wednesday at the Computer & Communications Industry Association's meeting in Washington, D.C., asserts that Microsoft's overwhelming market share has caused U.S. computer networks to be susceptible to massive, cascading failures. The authors didn't elaborate on the consequences of Microsoft security problems.
"As fast as the world's computing infrastructure is growing, vulnerability to attack is growing faster still," said @stake CTO Dan Geer. "Microsoft's attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability. This deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over."
Geer coauthored the report with Becky Bace, CEO of consultancy Infidel; Bruce Schneier, CTO of MSSP Counterpane Internet Security; Peter Gutmann, a computer science researcher at the University of Auckland; Charles Pfleeger, master security architect at Exodus Communications; John Quarterman, founder of InternetPerils; and Perry Metzger, the managing partner at Metzger, Dowdeswell & Co.
According to the authors, Microsoft's hold on excessively complex and vulnerable software fortifies its dominance in desktop computing and ensures not only that Microsoft will continue to be the number one target of malicious viruses, worms and other attacks, but that those attacks will have far-reaching effects.
Citing Windows market share at more than 94% of consumer client software, the report calls for government to "dismantle the monopoly" by making Microsoft applications and interfaces available on non-Microsoft platforms. Other recommendations include the introduction of laws to ensure the rights of end users harmed by security flaws and "rigorous, independent evaluations" of code. It also suggests government lead by example and "ensure nothing that it deems important is dependent on a monoculture of IT platforms."
The authors don't advocate breaking Microsoft into an operating systems company and an applications company, but rather say that Microsoft should be mandated to support a list of applications and development tools on a long list of platforms.
The report comes on the heels of a recent presentation Microsoft CEO Steve Ballmer gave at the Churchill Club in Santa Clara, Calif. There, he spoke of the need for "the highest levels of security" and a belief that "better security and constant innovation go hand in hand."
Admitting that Microsoft has a long road ahead of it to more secure software, Ballmer reaffirmed Microsoft's commitment to security, which includes:
- Raising the bar on security for all products
- Working with law enforcement to identify and prosecute hackers
- Working with users to fully utilize security technologies
- Improving the entire patch management process
- Blocking viruses and other attacks by combining security technologies