Microsoft: A U.S. Security Threat

by Paul A. Strassmann

Computerworld

November 30, 1998

Microsoft's dominance in operating systems represents a new threat to the national security of our information-based society. The government is trying hard to contain the expanding power of Microsoft by antitrust litigation that would prove present harm to consumers. That's insufficient. The government also should address the risks from information warfare attacks on a largely homogeneous systems management environment. Inevitably, infoterrorists and criminals will take advantage of flaws in the gigantic Microsoft operating systems that are on their way to becoming the engines for running most of our information infrastructure.

Microsoft's Creeping Ambitions

Microsoft's controlling position in software packages -- the basis on which most computer networks and software applications exist -- is best illustrated by the rise of its profits relative to the total profits of all publicly traded software firms. That advantage has widened steadily from 23.7% in 1987 to 55.6% in 1997 and is likely to climb to well over 60% as Microsoft's profit gains keep accelerating. That trend is ominous because a company's profit relative to all its competitors is the best measure of its proliferative power and the competitors' precariousness.

Yet it's the future prospects of a Microsoft-dominated world that worry me most.

Bill Gates' September memorandum to Microsoft managers outlining the directions for his company heightened my apprehensions.

Gates talks about how, in the future, companies will store their data and applications on "megaservers" controlled by Microsoft software. Companies and users would dial up their Microsoft accounts to obtain the required software and download information they need from servers managed by a Microsoft operating system.

To further those ends, Microsoft assembled a Web Essentials team to explore what central services could be used daily via a Microsoft portal site. In that way, the megaserver would offer a unifying "single storage engine." Applications would keep information directly in a central store instead of their own files.

Thus, Microsoft now sets its sights not only on the control of local computing, but also on the sources from which all program code and data originate.

(Although I was unable to obtain a copy of the memo, its contents were paraphrased in detail to Computerworld by a Microsoft public relations representative.)

The Dangers Of Domination

Upgrading Microsoft software has been a logical choice for customers who wished to keep up with changes in technology. But the risks of an integrated family of operating systems running all U.S. computers -- a declared Microsoft objective -- make selecting a Microsoft platform more than a purely technical choice. An all-encompassing operating system bares itself to hostile exploitation of paralyzing security flaws. The presence of a fatal defect is unavoidable, as the complexity of Microsoft systems expands to bizarre proportions with each new release. It's the search for such a fault that occupies the minds of some of the brightest computer experts. Finding a crack through which one could induce mayhem with only a few keystrokes would be worth a great deal of money, especially when supporting an act of terrorism.

It's only a question of time before the ubiquitous presence of Microsoft operating systems -- supported by a software-updating network -- reaches a state of interconnectivity that makes a universal systems crash feasible. All that will be required is inducement of a widespread information infrastructure collapse through a deliberately executed and preplanned act of information warfare.

No agricultural expert would suggest that only one crop, using the identical seed strain, be planted in Kansas, Ohio, Illinois and Iowa. "Monocultures," as biologists call them, are just too vulnerable to pests, disease and an unprecedented combination of ecological conditions. The Irish potato famine, for example, was caused by reliance on a single strain of potato.

The risk from a software monoculture has increased because of the shift from custom-made software to packaged applications residing on an integrated family of Microsoft operating systems. As a result, the risks from planned subversion of a software monoculture now overwhelm the benefits of Microsoft's operating systems dominance. What's at stake for society is not Microsoft profit but the enormous risk to the economic viability of all computer-dependent enterprises.

The dispute the Department of Justice has with Microsoft shouldn't be judged only by antitrust regulations. It should be influenced by the unprecedented security risks to our information-based civilization. The safety of our society, not just the fortunes of Sun, Apple or Netscape, is at stake. The Microsoft defense that the company was only maximizing profits using common competitive methods is unsupportable. Business practices that may be tolerable for a small competitor are perilous when scaled up to security-threatening proportions on a national scale.


Strassmann (paul@strassmann.com) lectures on information terrorism at the National Defense University at Fort McNair in Washington. He doesn't believe that more government inspectors can reduce software risks. Instead, purchasers of information technologies should demand insurance-backed warranties against systems vulnerabilities.