[LINK] Cyber War: Microsoft a weak link in national security

Kim Holburn kim at holburn.net
Thu Jun 10 22:12:05 AEST 2010


http://arstechnica.com/security/news/2010/06/cyber-war-microsoft-a-weak-link-in-national-security.ars

> the author is former White House adviser Richard A. Clarke in his  
> new book, Cyber War: The Next Threat to National Security and What  
> to Do About It.

> Why has the national response to this problem been so slow? Lack of  
> consensus on what to do and fear of the "R-word"—government  
> regulation, Clarke contends. Then there's Reason Number Five on his  
> list, which basically boils down to "Microsoft."
>
> "Some people like things the way they are," Clarke obliquely  
> observes. "Some of those people have bought access." Microsoft, he  
> notes, is a prominent member of OpenSecrets.org's "Heavy Hitters"  
> political donor list. Most of the list's stars are trade  
> associations. "Microsoft is one of only seven companies that make  
> the cut."
>
> The software giant's largesse has shifted from Republicans back in  
> the Clinton antitrust days to Obama, he continues, but the agenda is  
> always clear: "Don't regulate security in the software industry,  
> don't let the Pentagon stop using our software no matter how many  
> security flaws it has, and don't say anything about software  
> production overseas or deals with China."
>
> Clarke tries to be fair. He notes that Microsoft didn't originally  
> intend its software for critical networks. But even his efforts at  
> fairness are unflattering. Microsoft's original goal "was to get the  
> product out the door and at a low cost of production," he explains.  
> "It did not originally see any point to investing in the kind of  
> rigorous quality assurance and quality control process that NASA  
> insisted on for the software used in human space-flight systems."
>
> But people brought in Microsoft programs for critical systems  
> anyway. "They were, after all, much cheaper than custom-built  
> applications." And when the government launched its Commercial
> Off-the-Shelf program (COTS) to cut expenses, Microsoft software
> migrated to military networks. These kinds of cost-cutting reforms
> "brought to the Pentagon all the same bugs and vulnerabilities that  
> exist on your own computer," Clarke writes.
>
> Floating i-brick
> The former White House advisor cites the 1997 USS Yorktown incident  
> as a consequence. The Ticonderoga-class ship's whole operational  
> network was retrofitted with Windows NT. "When the Windows system  
> crashed, as Windows often does, the cruiser became a floating
> i-brick, dead in the water."
>
> In response to this "and a legion of other failures," the government  
> began looking into the Linux operating system. The Pentagon could  
> "slice and dice" this open source software, pick and choose the  
> components it needed, and more easily eliminate bugs.
>
> Clarke says that, in response:
>
> [Microsoft] went on the warpath against Linux to slow the adoption  
> of it by government committees, including by Bill Gates.  
> Nevertheless, because there were government agencies using Linux, I  
> asked NSA to do an assessment of it. In a move that startled the  
> open-source community, NSA joined that community by publicly  
> offering fixes to the Linux operating system that would improve its  
> security. Microsoft gave me the very clear impression that if the US  
> government promoted Linux, Microsoft would stop cooperating with the  
> US government. While that did not faze me, it may have had an effect  
> on others. Microsoft's software is still being bought by most  
> federal agencies, even though Linux is free.
>
> The company took a similarly hard line towards the banking and  
> financial industry, Cyber War says, rebuffing access requests from  
> security specialists for Microsoft code. When banks threatened to  
> use Linux, Microsoft urged them to wait for its next operating   
> system—Vista.
>
> "Microsoft insiders have admitted to me that the company really did  
> not take security seriously, even when they were being embarrassed  
> by frequent highly publicized hacks," Clarke confides. Sure enough,  
> when Apple and Linux began to offer serious competition, Microsoft  
> upgraded quality in recent years. But what the company did first was  
> to lobby against higher government security standards.
>


> "Microsoft can buy a lot of spokesmen and lobbyists for a fraction  
> of the cost of creating more secure systems," concludes Clarke's  
> section on the software firm. "They are one of several dominant  
> companies in the cyber industry for whom life is good right now and  
> change may be bad."


-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request












