[ISN] Microsoft's new deal with Uncle Sam

From: InfoSec News (isnat_private)
Date: Tue Sep 17 2002 - 05:55:19 PDT

  • Next message: InfoSec News: "[ISN] White House to unveil initiative for protection against cyberattacks"

    http://news.com.com/2010-1074-957970.html?tag=fd_nc_1
    
    By Declan McCullagh 
    September 16, 2002, 4:00 AM PT
    
    WASHINGTON -- Why does the White House refuse to tell Microsoft to get
    tough on security?
    
    On Wednesday, the Bush administration is scheduled to publish its
    proposal to increase the security of the Internet. Properly titled the
    "National Strategy to Secure Cyberspace," it's said to talk with great
    earnestness about helping home users safeguard their computers, about
    thwarting online intrusions into business systems, and about providing
    better training to federal network administrators.
    
    But, according to people familiar with the draft report, it pays scant
    attention to Microsoft, which has been responsible for more online
    security woes than any other company in history.
    
    Such an omission would be glaring. Intentional design choices and
    unintentional bugs in Microsoft Windows, Outlook, Word and Explorer
    have created vulnerabilities so numerous they've become legendary.  
    Shoddy default settings have practically begged intruders to plunder
    Windows-equipped PCs. Any serious look at Internet security has to
    start with the world's largest software company.
    
    But the Bush administration appears to have punted. During an
    invitation-only briefing last Thursday, a National Security Council
    official told about two dozen attendees from civil liberties groups
    and trade associations that the White House had no problem with the
    Internet's "monoculture" environment. Biologists warn against plant
    monoculture, which permits pathogens to spread like wildfire. The same
    principle applies to malicious code and our largely-Microsoft Internet
    environment.
    
    Computer Economics, a research firm, estimated early this year that
    the cost for four Windows-based infections--Nimda, Code Red, SirCam
    and Love Bug--was perhaps $13 billion. And Microsoft IIS servers are
    typically defaced at perhaps four times the rate of servers running
    open-source Apache software.
    
    One explanation for the draft report's marked silence is that there is
    an unusually close relationship between Microsoft and the White House.  
    Howard Schmidt, vice chairman of the White House's National Critical
    Infrastructure Protection Board, once worked at the Air Force and then
    became Microsoft's chief security officer. Schmidt's group, headed by
    "cybersecurity czar" Richard Clarke, is responsible for preparing this
    week's report. Scott Charney, Microsoft's current security officer, is
    another former federal official.
    
    Clarke's office did not return phone calls on Friday. In response to
    my phone call, a Microsoft spokeswoman said: "Microsoft senior
    leadership regularly contributes its expertise to national
    policymaking on cybersecurity and critical infrastructure protection,
    including the president's anticipated national cybersecurity plan.  
    Microsoft contributed early to the plan's development through the
    White House's established process for collecting broad industry
    input." But, Microsoft said, it could not comment on the details of
    the plan.
    
    A second explanation is raw politics. In the 2002 election cycle,
    Microsoft has been the largest donor from the computer industry,
    according to OpenSecrets.org. Redmond has handed $2.5 million to
    politicians, favoring Republicans by a 2-to-1 ratio. The same pattern
    arose during the 2000 election, but at $4.7 million, Microsoft's total
    was even higher.
    
    Don't get me wrong. I'm not an inveterate Microsoft critic. I never
    applauded the Clinton administration's attempts to thwap Redmond with
    a fat legal antitrust cudgel, and said so at the time. The entire
    exercise smacked more of well-connected rivals' efforts to drag a
    competitor through the legal mud than of substantive allegations of
    wrongdoing. There was just as much politics involved in Janet Reno's
    decision to bring the suit as John Ashcroft's decision to end it.
    
    I don't even think it's such a fabulous idea for the White House to be
    preparing these kind of grand Internet security reports. The federal
    government's tech-cluelessness is embarrassingly obvious, and it needs
    to solve its own problems first. The Internet is run by technology
    firms, which are in turn run by people smart and motivated enough to
    do the right thing without nagging by Uncle Sam. Sure, it doesn't
    always happen immediately, but market forces are better in the long
    run at figuring out the right approach than bureaucrats are.
    
    Still, though, if the White House is going to make the effort to
    prepare this kind of in-depth report, it must not ignore Microsoft.  
    First, the report could be specific about how Windows and application
    software could be improved. Second, it could advise that the federal
    government get serious about encouraging alternatives; some Cabinet
    agencies still refuse to list Linux on their list of "approved
    operating systems." Third, the report could recommend that the
    government not standardize on the Windows operating system.
    
    To be fair to Microsoft, some of the problems are disappearing.  
    Outlook now deletes harmful attachments, JavaScript is turned off by
    default, and newer versions of Word guard against macro viruses. In
    January, Bill Gates sent a memo to employees saying security would be
    a company priority, and he elaborated on it in a note to customers in
    July.
    
    "If you look at the home user class or small business class, they
    can't be expected to be security experts," says Richard Smith, a
    researcher who has unearthed about a dozen security flaws in Microsoft
    products. "The only real option is that products you buy for the home
    have to be more safe. That means Microsoft has to be more
    responsible."
    
    Smith says Microsoft is getting better. The software maker's problems
    to date have been "partially because of their market share and
    partially because they've taken more risks with their products than
    other people have," Smith says.
    
    Clarke, the White House aide who has spent years warning of a "digital
    Pearl Harbor" that would snarl computers and roil the world's economy,
    told me last December that he believed Microsoft's post-XP generation
    of operating systems "will be spectacularly better."
    
    "We can't get into a lot of specifics about what the plan is and isn't
    going to say, but this much is clear--the government is treating
    'malware' like viruses and intrusions into people's computers as
    though these were problems inherent to the Internet. They are not,"  
    says Will Rodger of the Computer and Communications Industry
    Association, who was briefed by the White House on the report.
    
    Rodger, whose employer has been critical of Microsoft during the
    antitrust case, says: "The larger question, which the government seems
    to be ignoring, is, why aren't we looking at the problems caused by a
    monoculture, a single operating system which serves as a single point
    of failure on the Internet? If there are 60,000 Windows viruses, fewer
    than 100 Mac viruses, and maybe a dozen Unix viruses, why aren't the
    problems with Windows an issue?"
    
    That's a very good question. Too bad the White House doesn't seem to
    want to answer it.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 08:36:40 PDT