Report: Microsoft dominance poses security risk

A computer industry group critical of Microsoft plans to release a report Wednesday asserting that the software giant's dominance in key technologies threatens the national infrastructure.

The report from the Computer and Communications Industry Association argues that the reliance on a single technology such as the Windows operating system for such an overwhelming majority of computer systems threatens the security of the U.S. economy and critical infrastructure, according to a draft seen by CNET News.com.

The paper, written by a handful of security experts, also warns that many security improvements planned by Microsoft are likely designed to raise the barrier that deters customers from switching to another operating system.

"Under the guise of security, (Microsoft is) achieving lock-in," said Bruce Schneier, chief technology officer for network monitoring service Counterpane Internet Security and one of the paper's three authors. "It's using security technologies to extend the monopolies."

The report will be presented Wednesday to several key lawmakers and administration officials at the CCIA's 2003 Washington Caucus, according to the event's agenda. Another of the paper's authors, Dan Geer, chief technology officer for security firm @Stake, is scheduled to lead a discussion of the issues. Several members of Congress are slated to attend the event, including Rep. Zoe Lofgren, D-Calif., Rep. Rick Boucher, D-Va., and Sen. Ron Wyden, D-Ore.

The paper is the latest salvo fired by the CCIA at Microsoft. And although the argument has been made in security circles before, this may be the first time that the position has been outlined to legislators.

The group, whose members include America Online, Oracle and Sun Microsystems, has been critical of Microsoft in the past. Last month, after the Department of Homeland Security announced that Microsoft would supply the software for the agency's 140,000 desktops, the CCIA sent an open letter asking the department to reconsider. The group also founded the Open Source and Industry Alliance to promote open-source software such as Linux and oppose restrictive laws such as the Digital Millennium Copyright Act.

Microsoft did not immediately comment on the content of the report but defended its track record in security.

"We are absolutely committed to increasing the security of technology for our customers," a Microsoft representative said in a statement issued to CNET News.com. "We recognize that CCIA represents many Microsoft competitors, but we are 100 percent committed to addressing the security concerns of customers, so we will review their white paper and address any concerns that they raise."

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

The draft of the report asserts that Microsoft's problems in securing its products and the ubiquity of those technologies result in a hazard for the U.S. economy and industry, which increasingly relies on the Internet and computers for critical functions.

"The focus on Microsoft is simply that the clear and present danger can be ignored no longer," the paper states.

The paper recommends that the U.S. government force Microsoft to publish interface specifications to major functional components of its code, better support interoperable components to allow others to compete with more secure technology, and set specifications through industry standards bodies and consortia.

The report also takes the software giant to task for using security to lock in consumers to Microsoft's technology and recommends that, if the company continues to do so, it be held liable for any damage done by security threats in the future.

The authors call on the federal government to make sure that future Microsoft technologies, such as the controversial "next-generation secure computing base" formerly known as "Palladium," don't further lock in consumers.

"The impact on security of this lock-in is real and endangers society," the paper states, adding that "there can be no more critical duty of...governments than to ensure that a spread of trusted computers does not blithely create yet more opportunities for lock-in."