Washington Post, September 24, 2003
Viruses, worms and other cyber-attacks that are crippling computers with increasing frequency cannot be stopped as long as the software of one company -- Microsoft Corp. -- dominates computing, according to a paper prepared by corporate technology officers and researchers.
"The security situation is deteriorating," says the report, which is to be released today. With Microsoft operating systems used on more than 90 percent of the world's personal computers, the authors write, most computers are vulnerable to attack and networks are easily compromised.
The report, whose authors include prominent critics of Microsoft, comes at a sensitive time for the company. It is under intense criticism for security flaws in its software despite repeated pledges from Chairman Bill Gates and chief executive Steven A. Ballmer to make security the company's top priority.
"No other company in the world is more committed to providing its customers with more secure software than is Microsoft," said Sean Sundwall, a company spokesman. He said he could not comment further until the paper is released.
Since the recent spread of the Sobig, Blaster and Slammer worms, federal and state officials have questioned cybersecurity more critically. Many technology officers for companies and governments are reconsidering whether they should diversify the types of products on their networks.
The paper argues that governments, through their power to decide what software to buy for their systems, should force Microsoft to reveal more of its software code to allow development of better security tools, and to make its software work better with competing products.
Policymakers must "confront the security effects of monopoly and acknowledge that competition policy is entangled with security policy from this point forward," the paper says.
The technology industry generally opposes government regulation and favors allowing the marketplace and technological innovation to create solutions to problems. Under the free-market theory, if a company's products are flawed, consumers will buy others that are superior.
But Microsoft has virtually no competition for PC operating systems, and people who break into computer systems or write worms and viruses are more technologically adept than many software manufacturers.
"I don't hold to the theory that technology always beats policy," said Daniel E. Geer Jr., one of the paper's authors and chief technology officer for AtStake Inc., a business-security firm in Massachusetts.
The report is being released by the Computer and Communications Industry Association, a trade group that is involved in antitrust action against Microsoft in the United States and Europe. Other authors include Charles P. Pfleeger of Exodus Communications Inc.; John S. Quarterman, founder of Matrix NetSystems Inc.; Rebecca Bace, chief executive of network security firm Infidel Inc.; and Peter Gutmann, a computer science researcher at the University of Auckland in New Zealand.
Geer said the paper grew out of his ideas and discussions among security executives and academics about the increase in security threats and was not instigated by the association.
"Nature does not put up with monocultures" because they are too easy to attack, Geer said. "If everything looks just alike . . . it will promptly be punished."
Another author of the paper, Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., is a longtime Microsoft antagonist who has argued that the company should be held financially liable for its security flaws.
Computer users generally agree to terms that absolve software makers of liability, which Microsoft's critics argue gives the company no incentive to be more vigilant about security.
Schneier said the problem with Microsoft is that it is so intent on being dominant that it designs its systems primarily to keep out competitors, not intruders.
"Their goal is to facilitate lock-in" of Microsoft products, he said.