Information Security News mailing list archives

Microsoft's new deal with Uncle Sam


From: InfoSec News <isn () c4i org>
Date: Tue, 17 Sep 2002 07:55:19 -0500 (CDT)

http://news.com.com/2010-1074-957970.html?tag=fd_nc_1

By Declan McCullagh 
September 16, 2002, 4:00 AM PT

WASHINGTON -- Why does the White House refuse to tell Microsoft to get
tough on security?

On Wednesday, the Bush administration is scheduled to publish its
proposal to increase the security of the Internet. Properly titled the
"National Strategy to Secure Cyberspace," it's said to talk with great
earnestness about helping home users safeguard their computers, about
thwarting online intrusions into business systems, and about providing
better training to federal network administrators.

But, according to people familiar with the draft report, it pays scant
attention to Microsoft, which has been responsible for more online
security woes than any other company in history.

Such an omission would be glaring. Intentional design choices and
unintentional bugs in Microsoft Windows, Outlook, Word and Explorer
have created vulnerabilities so numerous they've become legendary.  
Shoddy default settings have practically begged intruders to plunder
Windows-equipped PCs. Any serious look at Internet security has to
start with the world's largest software company.

But the Bush administration appears to have punted. During an
invitation-only briefing last Thursday, a National Security Council
official told about two dozen attendees from civil liberties groups
and trade associations that the White House had no problem with the
Internet's "monoculture" environment. Biologists warn against plant
monoculture, which permits pathogens to spread like wildfire. The same
principle applies to malicious code and our largely Microsoft Internet
environment.

Computer Economics, a research firm, estimated early this year that
the cost for four Windows-based infections--Nimda, Code Red, SirCam
and Love Bug--was perhaps $13 billion. And Microsoft IIS servers are
typically defaced at perhaps four times the rate of servers running
open-source Apache software.

One explanation for the draft report's marked silence is that there is
an unusually close relationship between Microsoft and the White House.  
Howard Schmidt, vice chairman of the White House's National Critical
Infrastructure Protection Board, once worked at the Air Force and then
became Microsoft's chief security officer. Schmidt's group, headed by
"cybersecurity czar" Richard Clarke, is responsible for preparing this
week's report. Scott Charney, Microsoft's current security officer, is
another former federal official.

Clarke's office did not return phone calls on Friday. In response to
my phone call, a Microsoft spokeswoman said: "Microsoft senior
leadership regularly contributes its expertise to national
policymaking on cybersecurity and critical infrastructure protection,
including the president's anticipated national cybersecurity plan.  
Microsoft contributed early to the plan's development through the
White House's established process for collecting broad industry
input." But, Microsoft said, it could not comment on the details of
the plan.

A second explanation is raw politics. In the 2002 election cycle,
Microsoft has been the largest donor from the computer industry,
according to OpenSecrets.org. Redmond has handed $2.5 million to
politicians, favoring Republicans by a 2-to-1 ratio. The same pattern
arose during the 2000 election, but at $4.7 million, Microsoft's total
was even higher.

Don't get me wrong. I'm not an inveterate Microsoft critic. I never
applauded the Clinton administration's attempts to thwap Redmond with
a fat legal antitrust cudgel, and said so at the time. The entire
exercise smacked more of well-connected rivals' efforts to drag a
competitor through the legal mud than of substantive allegations of
wrongdoing. There was just as much politics involved in Janet Reno's
decision to bring the suit as John Ashcroft's decision to end it.

I don't even think it's such a fabulous idea for the White House to be
preparing these kinds of grand Internet security reports. The federal
government's tech-cluelessness is embarrassingly obvious, and it needs
to solve its own problems first. The Internet is run by technology
firms, which are in turn run by people smart and motivated enough to
do the right thing without nagging by Uncle Sam. Sure, it doesn't
always happen immediately, but market forces are better in the long
run at figuring out the right approach than bureaucrats are.

Still, though, if the White House is going to make the effort to
prepare this kind of in-depth report, it must not ignore Microsoft.  
First, the report could be specific about how Windows and application
software could be improved. Second, it could advise that the federal
government get serious about encouraging alternatives; some Cabinet
agencies still refuse to include Linux in their list of "approved
operating systems." Third, the report could recommend that the
government not standardize on the Windows operating system.

To be fair to Microsoft, some of the problems are disappearing.  
Outlook now deletes harmful attachments, JavaScript is turned off by
default, and newer versions of Word guard against macro viruses. In
January, Bill Gates sent a memo to employees saying security would be
a company priority, and he elaborated on it in a note to customers in
July.

"If you look at the home user class or small business class, they
can't be expected to be security experts," says Richard Smith, a
researcher who has unearthed about a dozen security flaws in Microsoft
products. "The only real option is that products you buy for the home
have to be more safe. That means Microsoft has to be more
responsible."

Smith says Microsoft is getting better. The software maker's problems
to date have been "partially because of their market share and
partially because they've taken more risks with their products than
other people have," Smith says.

Clarke, the White House aide who has spent years warning of a "digital
Pearl Harbor" that would snarl computers and roil the world's economy,
told me last December that he believed Microsoft's post-XP generation
of operating systems "will be spectacularly better."

"We can't get into a lot of specifics about what the plan is and isn't
going to say, but this much is clear--the government is treating
'malware' like viruses and intrusions into people's computers as
though these were problems inherent to the Internet. They are not,"  
says Will Rodger of the Computer and Communications Industry
Association, who was briefed by the White House on the report.

Rodger, whose employer has been critical of Microsoft during the
antitrust case, says: "The larger question, which the government seems
to be ignoring, is, why aren't we looking at the problems caused by a
monoculture, a single operating system which serves as a single point
of failure on the Internet? If there are 60,000 Windows viruses, fewer
than 100 Mac viruses, and maybe a dozen Unix viruses, why aren't the
problems with Windows an issue?"

That's a very good question. Too bad the White House doesn't seem to
want to answer it.



