The government’s increasing reliance on Microsoft desktop software makes federal systems “susceptible to massive, cascading failures,” according to a report issued Wednesday by the Computer & Communications Industry Association (CCIA), an industry organization that promotes open systems and networks.
The report was promptly criticized by another trade group, which includes Microsoft as one of its members, as “marketing by fear to line the pockets of a handful of large companies” that compete with Microsoft.
The CCIA paper was presented in Washington during the CCIA’s meeting of government and industry officials.
“As fast as the world’s computing infrastructure is growing, vulnerability to attack is growing faster still,” said Daniel Geer, the report’s author and chief technical officer of @Stake, a computer security consulting firm. “Microsoft’s attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability. The deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over.”
Microsoft’s software is pervasive throughout the government. In July, for instance, the Department of Homeland Security signed a five-year, $90 million contract with Microsoft to supply Windows operating systems for its 140,000 employees. The government also depends heavily on a number of other Microsoft products, including word processors, spreadsheets, Internet browsers and multimedia players.
Geer said Microsoft’s near monopoly of government business ensures that its software will continue to be the number one target of viruses, worms and other attacks.
“Ironically,” Geer said, “Microsoft’s efforts to deny interoperability of Windows with legitimate non-Microsoft applications have created an environment in which Microsoft programs interoperate efficiently only with Internet viruses.”
According to the report, Microsoft’s complex integration of its programs with its operating system requires writing code that is “15 to 35 times more complex and, by extension, more vulnerable to attack” than its peers.
“Beyond a certain threshold of complexity, patches become inadequate and perhaps even counterproductive,” the report states. “When complexity produces vulnerability, adding more code via patches ultimately exacerbates the problem.”
The CCIA wants the government to require Microsoft to make its code available in order for competitors to design applications that integrate better with Microsoft products. The group also says the government should require Microsoft to design its applications to work better with competitors’ programs.
In response to the white paper, Jim Prendergast, executive director of Americans for Technology Leadership (ATL), said the CCIA was attempting to exploit cyber-security issues.
“Computer security is a serious issue that affects consumers, government and the entire technology industry and it is a real shame that the issue is now being exploited by CCIA as one more element of their anti-Microsoft campaign,” Prendergast, who counts Microsoft as a member of his group, said in a statement. “Cyber-security is an industry-wide problem that will not be solved by malicious finger pointing and political attacks.”
Prendergast stressed that consumers, including government users, play a significant role in cyber-security, saying users need to install and keep virus software up to date, activate or install a firewall, delete any questionable e-mails and regularly change passwords.
“Software security is a never-ending battle that the technology industry is constantly fighting. It’s critical that consumers know that by following a few simple steps, they can play a big role to ensure that they do not become a victim of a cyber attack or an unwilling participant in spreading an attack to others,” Prendergast said.
Prendergast added, “The tech sector has enough challenges without worrying about the specter of more regulation and litigation.”