Microsoft's dominance of the global operating-systems market presents serious security risks – and customers are to blame, a key report claims.
The report was released yesterday by the Computer and Communications Industry Association (CCIA) gathering in Washington. Called CyberInsecurity – The Cost of Monopoly, it calls on governments and businesses to factor-in the dangers of "homogenous" systems when making buying decisions.
The CCIA also urged the US government to counterbalance Microsoft's user lock-in tactics by forcing the company to offer multiplatform support for its dominant applications, including Internet Explorer and Microsoft Office.
While Microsoft is a focus of the report, the company isn't solely responsible for the risky situation that now exists, the authors said.
"I think the blame falls mostly on the buyers. The seller is going to sell what the buyers want," said co-author Bruce Schneier. Schneier is the founder and chief technical officer of Counterpane Internet Security. "Because everyone is buying it, because it's compatible, because it's easy, everyone is doing it. The point of the report is to say, 'Hey, there are security implications to your decision.'"
Microsoft's pledge to improve its products' reliability won't fix the underlying problem of the vulnerability inherent in a system that depends on just one architecture, said co-author Perry Metzger, a computer security consultant.
"It doesn't matter how hard Microsoft works on security. So long as it continues to be human beings, there will continue to be flaws – and you don't want every machine on Earth to have the same flaw revealed at the same time," he said. "It's as though every person in the US had the exact same genes."
None of the report's authors were paid for their contributions, and the CCIA is merely acting as the paper's publisher and did not influence its content, according to the report's instigator, @stake Inc. Chief Technical Officer Dan Geer.
The report's conclusions match the CCIA's push for tighter regulatory controls on Microsoft and for greater diversity in US federal government's IT systems. The group plans to feature the report at this week's conference, and in its conversations with representatives of Congress and federal agencies.
The authors said they hope it will aid corporate IT workers in efforts to convince executives at their companies that Microsoft's software shouldn't be deployed by default. "There isn't a lot of talk about monoculture and security problems. Our hope is that we can bring this into the debate," Metzger said.
Beyond recommending diversification, the paper suggests steps the US government could take to mitigate the effects of Microsoft's monopoly position. Forced publication of APIs (application program interfaces) for Microsoft's Windows and Office software would help, as would requiring the company to work with other industry vendors on development of future specifications through a process similar to the Internet Society's RFC (request for comments) system, the report said.