Microsoft's new deal with Uncle Sam

Why does an upcoming government plan refuse to tell Microsoft to get tough on cybersecurity? Washington watcher Declan McCullagh connects the dots.

WASHINGTON--Why does the White House refuse to tell Microsoft to get tough on security?

On Wednesday, the Bush administration is scheduled to publish its proposal to increase the security of the Internet. Properly titled the "National Strategy to Secure Cyberspace," it's said to talk with great earnestness about helping home users safeguard their computers, about thwarting online intrusions into business systems, and about providing better training to federal network administrators.

But, according to people familiar with the draft report, it pays scant attention to Microsoft, which has been responsible for more online security woes than any other company in history.

Such an omission would be glaring. Intentional design choices and unintentional bugs in Microsoft Windows, Outlook, Word and Explorer have created vulnerabilities so numerous they've become legendary. Shoddy default settings have practically begged intruders to plunder Windows-equipped PCs. Any serious look at Internet security has to start with the world's largest software company.

But the Bush administration appears to have punted. During an invitation-only briefing last Thursday, a National Security Council official told about two dozen attendees from civil liberties groups and trade associations that the White House had no problem with the Internet's "monoculture" environment. Biologists warn against plant monoculture, which permits pathogens to spread like wildfire. The same principle applies to malicious code and our largely-Microsoft Internet environment.

Computer Economics, a research firm, estimated early this year that the cost for four Windows-based infections--Nimda, Code Red, SirCam and Love Bug--was perhaps $13 billion. And Microsoft IIS servers are typically defaced at perhaps four times the rate of servers running open-source Apache software.

One explanation for the draft report's marked silence is that there is an unusually close relationship between Microsoft and the White House. Howard Schmidt, vice chairman of the White House's National Critical Infrastructure Protection Board, once worked at the Air Force and then became Microsoft's chief security officer. Schmidt's group, headed by "cybersecurity czar" Richard Clarke, is responsible for preparing this week's report. Scott Charney, Microsoft's current security officer, is another former federal official.

Clarke's office did not return phone calls on Friday. In response to my phone call, a Microsoft spokeswoman said: "Microsoft senior leadership regularly contributes its expertise to national policymaking on cybersecurity and critical infrastructure protection, including the president's anticipated national cybersecurity plan. Microsoft contributed early to the plan's development through the White House's established process for collecting broad industry input." But, Microsoft said, it could not comment on the details of the plan.

A second explanation is raw politics. In the 2002 election cycle, Microsoft has been the largest donor from the computer industry, according to OpenSecrets.org. Redmond has handed $2.5 million to politicians, favoring Republicans by a 2-to-1 ratio. The same pattern arose during the 2000 election, but at $4.7 million, Microsoft's total was even higher.

Don't get me wrong. I'm not an inveterate Microsoft critic. I never applauded the Clinton administration's attempts to thwap Redmond with a fat legal antitrust cudgel, and said so at the time. The entire exercise smacked more of well-connected rivals' efforts to drag a competitor through the legal mud than of substantive allegations of wrongdoing. There was just as much politics involved in Janet Reno's decision to bring the suit as John Ashcroft's decision to end it.

I don't even think it's such a fabulous idea for the White House to be preparing these kinds of grand Internet security reports. The federal government's tech-cluelessness is embarrassingly obvious, and it needs to solve its own problems first. The Internet is run by technology firms, which are in turn run by people smart and motivated enough to do the right thing without nagging by Uncle Sam. Sure, it doesn't always happen immediately, but market forces are better in the long run at figuring out the right approach than bureaucrats are.

Still, though, if the White House is going to make the effort to prepare this kind of in-depth report, it must not ignore Microsoft. First, the report could be specific about how Windows and application software could be improved. Second, it could advise that the federal government get serious about encouraging alternatives; some Cabinet agencies still refuse to list Linux on their list of "approved operating systems." Third, the report could recommend that the government not standardize on the Windows operating system.

To be fair to Microsoft, some of the problems are disappearing. Outlook now deletes harmful attachments, JavaScript is turned off by default, and newer versions of Word guard against macro viruses. In January, Bill Gates sent a memo to employees saying security would be a company priority, and he elaborated on it in a note to customers in July.

"If you look at the home user class or small business class, they can't be expected to be security experts," says Richard Smith, a researcher who has unearthed about a dozen security flaws in Microsoft products. "The only real option is that products you buy for the home have to be more safe. That means Microsoft has to be more responsible."

Smith says Microsoft is getting better. The software maker's problems to date have been "partially because of their market share and partially because they've taken more risks with their products than other people have," Smith says.

Clarke, the White House aide who has spent years warning of a "digital Pearl Harbor" that would snarl computers and roil the world's economy, told me last December that he believed Microsoft's post-XP generation of operating systems "will be spectacularly better."

"We can't get into a lot of specifics about what the plan is and isn't going to say, but this much is clear--the government is treating 'malware' like viruses and intrusions into people's computers as though these were problems inherent to the Internet. They are not," says Will Rodger of the Computer and Communications Industry Association, who was briefed by the White House on the report.

Rodger, whose employer has been critical of Microsoft during the antitrust case, says: "The larger question, which the government seems to be ignoring, is, why aren't we looking at the problems caused by a monoculture, a single operating system which serves as a single point of failure on the Internet? If there are 60,000 Windows viruses, fewer than 100 Mac viruses, and maybe a dozen Unix viruses, why aren't the problems with Windows an issue?"

That's a very good question. Too bad the White House doesn't seem to want to answer it.