CCIA Report is Bad Medicine

Opinion The proposed cure for the Internet's security woes might help Microsoft competitors, but it would only make our security problems worse, writes SecurityFocus columnist Tim Mullen.

A recently published report from the Computer and Communications Industry Association (CCIA) claims that "Microsoft's monopoly of the desktop operating system market is a threat to our national security." The paper has understandably created quite a bit of fuss -- so much, in fact, that Daniel Geer, former CTO of @Stake, reportedly received the aforementioned designation of "former" as a result of his co-authoring the paper.

While I do not dispute the individual talents of Geer and the other authors of the paper (folks like Bruce Schneier and Charles Pfleeger), I do dispute some of the conclusions they arrived at -- basically, because I think they are wrong.

It is not too hard to agree with some of the economic implications of the paper -- after all, Microsoft's market share and the legal issues that stem from it are, for the most part, obvious. And it is no secret that Microsoft has used its business and legal muscle to bully competitors on more than one occasion. I certainly would not want to be on the south-end of a north-bound Microsoft Law Mule.

But economics is not network security. The boiled-down argument is that all the desktops run Microsoft software, so they all share the same vulnerabilities. The End is Neigh. The solution is to break Microsoft up into individual companies for each application like Excel or Outlook, force them to support a Linux-based version of Office, and to have government regulations in place that would "require that no operating system be more than 50% of the installed base in a critical industry or in a government."

Yes, there is indeed a security problem with having an ever-growing number of computer systems connecting to a global network. But this is not the solution.

Invisible Jet Syndrome

A bit after the creator of Wonder Woman died, DC Comics decided that Princess Diana needed a boost to solve the problem of comic sales being lost to more popular characters. Part of the solution was to outfit her with new, cool stuff, including an Invisible Jet (originally it was a prop plane, for the fans out there.) It seemed like a good idea at the time: it was cool, flashy, unique, and it gave her a way to get around.

As we all know, there are problems with an Invisible Jet. What about the fuel? Can't you see the fuel? Or does that have to be invisible too? How would you work on the thing? What if you dropped a bolt-- how would you find it? But the biggest problem was during production. When it came time for DC to implement the Invisible Jet -- to actually put it in the comic -- what did they do?

They drew little white outlines around it. So we could see it. The Invisible Jet. "Look, that must be the invisible jet."

The CCIA's proposed fixes to our security problems are like drawing outlines around an invisible jet -- the solutions defeat themselves when it comes time to implement them.

If 50% of the installed OS base in government and infrastructure was suddenly mandated to be, say, Linux, a flood of third-party applications would emerge, ready to take full advantage of the tremendous marketing opportunity to provide users with solutions "just like they had on Windows." From an economic standpoint, this might actually be good. But from a security standpoint, it would be a nightmare. Entire classes of vulnerabilities would be introduced, and managing systems, software, patches, and configurations would become a Herculean task for the already overworked and underpaid administrators who would inherit the job.

Maintaining data compatibility between heterogeneous systems would require a new level of middle-tier bloatware to be lodged in between systems, and redeveloping applications for legacy compatibility would have department heads screaming like sausage frying in a dime-store pan.

And everything will still be insecure. Why? New shiny box, new shiny software, new shiny manuals-- same old dumb user.

The same guy who insists on opening attachments in Outlook will open attachments in whatever newly-developed Just-Like-Outlook software they'll be using on Linux. The same guy who runs as Administrator will run as "root." The same guy who doesn't use IPSec won't use IPChains. And the same guy who doesn't patch now, won't patch then.

This would not reduce the vulnerability landscape by half; it would double it. In each and every example used in the paper (and you will notice that no other OS vulnerabilities were even mentioned), the vulnerabilities discussed had long since been fixed. Inaction caused the vectors to exist. Those who did not act on their Microsoft systems will not act on their Linux systems -- and the same is true for all of the exploitation being done on the other side: those who don't keep up to date with Linux patches won't do so when they are forced to roll out Windows to half the base.

Bruce said it right in his new book Beyond Fear: "The average computer user has no idea about the relative risks of giving a credit card number to a website, sending an unencrypted e-mail, leaving file sharing enabled, or doing any of the dozens of things he does ever day on the Internet."

Put a bad driver behind the wheel of a different make car, and you'll still have a bad driver. And while some cars protect the driver better than others in a wreck, that does not do you too much good if you're the pedestrian who gets hit.

And I've got to tell you-- thinking about having government mandated operating systems scares the pants off of me. Let's look at the government track record when it came to dealing with computer and security issues: The Patriot Act; The Hollings Bill; Berman and the RIAA. And of course, the DMCA. What do you think they would do in this case?

Some good points are raised in the paper. Things like user lock-in and the potential dangers of Palladium are valid concerns. But the solutions it proposes would create a security problem bigger than the one it sets out to solve.

That is what ultimately reduces the report to just another agenda piece. If the membership of the CCIA does not like the fact that user perception and successful (even if unfair) marketing has their products selling to a minority, then be honest and say that. But don't try to force-feed me a meal of sour grapes by coating it with a glaze of national security.

Copyright © 2003,

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.