FRAMINGHAM (09/25/2003) - A group of seven prominent IT security researchers Wednesday released a report harshly critical of Microsoft Corp.'s "monopoly" in the software industry, arguing that a reliance by "nearly everyone" on Microsoft products has created monolithic IT infrastructures that are less secure than enterprises relying on multiple operating systems.
While the group of researchers claimed intellectual and financial independence from outside parties, as well as from their own parent companies, their decision to seek publishing support and include an introduction from the Washington, D.C.-based Computer and Communications Industry Association (CCIA) -- an industry group composed of Microsoft competitors and accused of having a significant anti-Microsoft bias -- raised questions about the motivations behind the study.
"This paper can be seen as nothing less than marketing by fear to line the pockets of a handful of large companies," said Jim Prendergast, executive director of Americans for Technology Leadership, an association of technology professionals in Washington, D.C. Microsoft is a founding member of the group. "Cybersecurity is an industrywide problem that will not be solved by malicious finger-pointing and political attacks."
He called the CCIA's involvement in the publication of the report a "shameless effort" by it to forward the cause of CCIA member companies, including Microsoft competitors Sun Microsystems Inc. and Oracle Corp.
Edward Black, president and chief executive officer of the CCIA, shot back: "These guys did this on their own and they contacted us because our expertise is in the policy area and we had the infrastructure to publicize the report in Washington." The report was made public yesterday through the CCIA Web site.
The authors, all of whom worked for different companies in the security industry, said they were motivated only by a collective sense of responsibility to the IT community and did not receive any funding for the study.
"The security situation is deteriorating, and that deterioration compounds when nearly all computers in the hands of end users rely on a single operating system subject to the same vulnerabilities the world over," says the report, entitled, "CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Pose a Risk to Security."
"Microsoft exacerbates this problem via a wide range of practices that lock users to its platform," the report states. "The impact on security of this lock-in is real and endangers society."
The authors do not provide specific recommendations about how the private sector and the government should fix the problem of monolithic IT infrastructures. Instead, they point to a lack of government action on the policy front and the willingness of end-user companies to institutionalize purchasing criteria that favor flexibility, ease of use and compatibility instead of diversity.
"We, as a country, need to encourage alternatives [to Microsoft]," said Bruce Schneier, founder and chief technology officer (CTO) at Cupertino, California-based Counterpane Internet Security Inc. and one of the authors of the report. "The problem is the lock-in. Because it's compatible and because it is easy, people are [buying] it. The blame falls mostly on the buyers because the sellers are going to sell what the buyers want."
Dan Geer, until Tuesday the CTO at @stake Inc. in Cambridge, Massachusetts, and co-author of the report, agreed that Microsoft's dominance produces a level of insecurity "that cannot be ignored. If we're going to talk about the affect of insecurity on national priorities we have to talk about Microsoft."
That company released a statement today distancing itself from the report, and from Geer. "@stake would like to clarify that Dan Geer is no longer associated with the company as of Sept. 23, 2003. Although Dr. Geer announced that his CCIA-sponsored report ... was an independent research study, participation in and release of the report was not sanctioned by @stake."
Sean Sundwall, a Microsoft spokesman, declined to comment on any political motivations behind the report, but said Microsoft considers security to be "an absolute top priority" for all of its customers. "We certainly recognize that there's a long way to go. But we're absolutely committed to taking a leadership role in security. ... Software will never be perfect and it's not our software alone that must take the issues of security into consideration."
Echoing Schneier's comment, Geer said yesterday that much of the blame rests with senior corporate executives who insist that their IT managers invest in Microsoft because of its compatibility. "Heroin addicts shouldn't buy [heroin]," said Greer.
Not all experts agree with Geer and his co-authors. "Fighting the monoculture is really tilting at windmills," said Alan B. Salisbury, chairman of the Center for National Software Studies in Camp Springs, Maryland. "The real issue is poor software quality and that's where I would focus my criticisms of Microsoft."
While he has "tremendous respect" for all of the report's authors, Howard Schmidt, former chairman of the President's Critical Infrastructure Protection Board and former chief security officer at Microsoft, said the issue is much more than a Microsoft issue.
"It is a fundamental training issue for developers and a maintenance issue for IT users," said Schmidt. "There is no indication that developers at Microsoft or anywhere else are ignoring security features. It is just the errors that are being made by humans developing complex code. In the meantime, as long as we have criminals that are writing malicious code and governments that do not actively investigate and prosecute these criminals, the dominant players will continue to be victimized along with the rest of us."