Whatever Microsoft's strengths or failings as a developer of reliable software, the mere existence of an operating system monopoly is a critical security risk, argues a new report released Wednesday at a Computer & Communications Industry Association (CCIA) gathering in Washington, D.C.
Written by seven IT security researchers, "CyberInsecurity - The Cost of Monopoly" calls on governments and businesses to consider when making buying decisions the dangers posed by homogenous systems and to diversify the software mix deployed in their organizations.
It also urges the U.S. government to counterbalance Microsoft's user lock-in tactics by forcing the company to offer multi-platform support for its dominant applications, including Internet Explorer and Microsoft Office products.
While Microsoft is the focus of the report, the company isn't solely responsible for the risky situation that now exists, the authors said.
"I think the blame falls mostly on the buyers. The seller is going to sell what the buyers want," said co-author Bruce Schneier, during a conference call with press. Schneier is the founder and chief technical officer of Counterpane Internet Security.
"Because everyone is buying it, because it's compatible, because it's easy, everyone is doing it. The point of the report is to say, 'Hey, there are security implications to your decision.'"
Microsoft's pledge to improve its products' reliability won't fix the underlying problem of the vulnerability inherent in a system that depends on just one architecture, said co-author Perry Metzger, a computer security consultant.
"It doesn't matter how hard Microsoft works on security. So long as they continue to be human beings, there will continue to be flaws - and you don't want every machine on Earth to have the same flaw revealed at the same time," he said. "It's as though every person in the U.S. had the exact same genes."
None of the report's authors were paid for their contributions, and the CCIA is merely acting as the paper's publisher and did not influence its content, according to the report's instigator, @stake Chief Technical Officer Dan Geer.
The report's conclusions do, however, dovetail with CCIA's push for tighter regulatory controls on Microsoft and for greater diversity in the U.S. federal government's IT systems. The group plans to feature the report at this week's conference and in its conversations with representatives of Congress and federal agencies.
The report's authors said they hope it will aid corporate IT workers in efforts to convince executives at their companies that Microsoft's software shouldn't be deployed by default. "There isn't a lot of talk about monoculture and security problems. Our hope is that we can bring this into the debate," Metzger said.
Beyond recommending diversification, the paper suggests steps the U.S. government could take to mitigate the effects of Microsoft's monopoly position. Forced publication of APIs for Microsoft's Windows and Office software would help, as would requiring the company to work with other industry vendors on development of future specifications through a process similar to the Internet Society's RFC system, the report said.