Microsoft and cotton: What's the link?
- By William Jackson
- Oct 21, 2003
A report last month condemned Microsoft Corp.'s dominance in desktop software as inherently insecure and called on government to mandate diversity in operating systems and applications.
The report from the Computer and Communications Industry Association of Washington called Microsoft's market share a 'clear and present danger that can be ignored no longer.'
'Monoculture is a bad thing,' said independent consultant Perry Metzger, one of the report's authors. 'It is bad in agriculture, and recent events have shown it is a bad thing in computers.'
The prevalence of a single software brand leaves too many systems open to the same worms, viruses and other exploits, the report concluded. Diversifying with a healthy dose of Apple Mac OS, Linux and open-source applications would have the same effect on computer security as the early 20th-century introduction of new strains of cotton had on the fight against the boll weevil, they said.
The report, CyberInsecurity: The Cost of Monopoly, has proved controversial and has apparently cost one of its authors his job. Daniel J. Geer, formerly chief technology officer of @Stake Inc. of Cambridge, Mass., is no longer associated with the company.
'Although Geer announced that his CCIA-sponsored report was an independent research study, participation in and release of the report was not sanctioned by @Stake,' the company said in a statement explaining his Sept. 23 departure. 'The values and opinions of the report are not in line with @Stake's views.'
CCIA's members include such Microsoft competitors as Sun Microsystems Inc. and Oracle Corp., but at the report's release, Geer said it had not been commissioned or paid for by CCIA.
'This is a personal initiative,' Geer said. 'It is paid for by no one. Our point is about monoculture, not whether one system is better than another.'
But the report also criticized Microsoft software for unnecessary complexity to 'illegally shut out' competitors and lock in customers. The authors said Microsoft could use security improvements to further dominate its market.
They said they were not prescribing solutions and only wanted to raise awareness, but their report did recommend government action against Microsoft.
'When governments conclude that they are unable to meaningfully modify the strategies and tactics of the already-in-place Microsoft monopoly, they must declare a market failure and take steps to enforce risk diversification,' the report said.
It stopped short of calling for breaking up Microsoft, which it said would result in two monopolies. Instead, Microsoft should be required to support its applications on a long list of platforms, it said. The report suggested that the company be prohibited from releasing applications for its own operating systems until versions were available for Linux, Mac OS and other OSes.
Government also should enforce diversity in critical infrastructures, the report said. 'A requirement that no operating system be more than 50 percent of the installed base in a critical industry or government would moot monoculture risk,' it stated.
Such a mandate would be a nightmare to enforce, however, requiring an intrusive bureaucracy and consuming government resources. Could government require, for example, that a critical infrastructure deploy second-best software because the best software had already exceeded its share of the installed base?
The CCIA report considered only security and ignored the advantages of monoculture: standardization.
Standardizing on a common platform can leverage buying power, simplify system and configuration management, and reduce training requirements.
Software patch management is far easier with one operating system and a common suite of applications. The authors noted that Mac users have not been troubled by recent worm outbreaks and don't have to bother installing patches on their computers. But if Mac OS had market parity with Microsoft Windows, it's a safe bet that Apple would be issuing patches as frequently as Microsoft. An administrator running both OSes might have to test and install twice as many patches.
To view the report online, go to www.gcn.com and enter 167 in the GCN.com/search box.
William Jackson is a freelance writer and the author of the CyberEye blog.