Anyone thinking about cutting security spending to save money during the recession should read a copy of the new Center for Strategic and International Studies (CSIS) report titled "Securing Cyberspace for the 44th President." The report outlines a pattern of persistent attacks for which our vulnerable Internet infrastructure is no match. For those who can't or won't take the time to read this report, try listening to the recently aired cybersecurity discussion on the National Public Radio show On Point.
The message here echoes my somewhat infamous tagline: "information security is far worse than you think," and the situation continues to grow more dire. Each day we add new applications and devices to the global IP infrastructure, making the whole Internet more complex and difficult to secure. The bad guys know this all too well. While we make the infrastructure more insecure, they figure out better ways to exploit these weaknesses.
As the CSIS report indicates, a lot of work must be done quickly to address all of the problems at hand. I humbly submit an additional requirement to the security community: it is time to stop blaming Microsoft for the sorry state of cybersecurity. Now, I realize that this is a rather controversial request, but I think the time has come. Here's why:
1. It's a numbers game. Microsoft's success makes it a target--no other platform has nearly as many systems connected to the Internet. The fact is that if Linux, Macs, or UNIX systems dominated the Internet, they'd be under pervasive attack, too. Would we be better or worse off? Who knows?
2. It's unproductive. I really don't understand what anyone hopes to accomplish by blaming Microsoft. Should governments single out Microsoft for some type of special security threshold? Should Windows systems be kicked off the Internet? There is plenty of blame to go around beyond Microsoft, so singling it out accomplishes nothing.
3. Microsoft is actively addressing past security shortcomings. Think what you will about the security of Microsoft products, but few other companies have done more to improve their software security development, employee training, and testing processes than Microsoft. Microsoft is also taking its Secure Development Lifecycle to others through its SDL Pro Network partners like Security Innovation. In fact, Redmond even contributed to the CSIS report: Microsoft Corporate Vice President of Trustworthy Computing Scott Charney is one of the CSIS co-chairs.
We in the security community can debate the root cause of the problem all day, and clearly the topic of Microsoft would come up often. That said, we don't really have time for intellectual banter. Let's agree to disagree on the cause of the problem and focus on channeling our energy into a collective solution--while we still can.