Report: Microsoft Monoculture is a National Security Risk

A damning report written by security experts and sponsored by Microsoft's competitors concludes that the "monoculture" created by the software giant's dominance is a national security risk. The report was released at a meeting of the Computer and

Paul Thurrott

September 24, 2003


   A damning report sponsored by Microsoft's competitors concludes that dependence on the software giant's Windows "monoculture" is a national security risk. Security experts released the report this week in Washington, DC, at the annual Washington Caucus of the Computer & Communications Industry Association (CCIA), which Sun Microsystems and Oracle back. Regardless of the association's supporters, the report comes at a sensitive time for Microsoft, which has come under fire recently in the wake of widespread security problems with its software. Last month, the MSBlaster worm and SoBig.F virus caused billions of dollars in damages to Windows-based systems. Both attacks took advantage of weaknesses for which Microsoft had already provided fixes, but because Windows is so widely used, the attacks devastated corporations worldwide.
   In the 24-page report, "CyberInsecurity: The Cost of Monopoly," seven security experts recommend that national and local governments consider open-source alternatives to Microsoft programs such as Windows and Microsoft Office. They also recommend that Microsoft port its popular Office software to other platforms, including Linux. Otherwise, they say, bugs in Microsoft's complex, closed, and dominant software could compromise US national security. "When the government uses a product whose monopoly position undermines its security, antitrust becomes a national security issue," Daniel Geer, lead author of the report, said.
   "Microsoft's operating systems are notable for their incredible complexity," the report notes, "and complexity is the first enemy of security." The report also touches on Microsoft's recently touted integration strategy, explaining that the company is simply solidifying its dominance by making Microsoft software work better with its monopoly Windows and Office products. Furthermore, the report raises an interesting question about whether Microsoft is using the recent spate of security problems to force customers to upgrade to new software versions so that they can get better security features. "Under the guise of security, [Microsoft is] achieving lock-in," said Bruce Schneier, a coauthor of the report. "It's using security technologies to extend the monopolies."
   From Microsoft's perspective, the report is just the most recent attack from the CCIA, which is also suing the company for its antitrust abuses and has spent much of the past few years lobbying the federal government to stop using Microsoft software. In some ways, the report's timing is also suspect: Is the CCIA taking advantage of the recent security hacks to, in effect, kick Microsoft when the company is down? And if so, isn't the CCIA's tactic no better than the integration strategy of which it accuses Microsoft in its report? Microsoft officials made few comments in the wake of the report, but one representative did say that the company is reviewing the document. "We recognize that the CCIA represents many Microsoft competitors, but we are 100 percent committed to addressing the security concerns of customers, so we will review their white paper and address any concerns that they raise," the representative said.


About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.
