Monday, September 29, 2003

What Microsoft worries about: US Govt purchasing decisions mandating reliability and security.

To Fix Software Flaws, Microsoft Invites Attack
....By and large, vendors build what people are willing to pay for,' said Edward Lazowska, a professor of computer science at the University of Washington. 'People have historically been willing to pay for features -- not reliability or security.'

There is evidence, though, that corporations and the federal government are placing a greater emphasis on obtaining secure software. Within the last two years, the government has pushed security initiatives in its technology policy, especially in the aftermath of the Sept. 11 terrorist attacks.

Recent moves by the government include placing greater emphasis during the purchasing process on software design and reliability standards like the Common Criteria and the National Security Telecommunications and Information Systems Security Policy No. 11, a Pentagon directive that went into effect 14 months ago.
Such standards now apply mainly to the Department of Defense and national security agencies, but Congress is looking to extend similar standards to other federal agencies. The federal government is the world's largest buyer of information technology, spending nearly $60 billion a year.

'If the government made a serious commitment to buying better software, it would change the industry,' said Mary Ann Davidson, chief security officer of Oracle, the big database software company.

Two weeks ago, the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, which is under the Committee on Government Reform, held a hearing on the impact of the Pentagon's programs to link procurement to tighter security standards for software.

Representative Adam H. Putnam, the Florida Republican who is chairman of the subcommittee, said he saw great promise for adopting similar standards.

Buyers have traditionally not valued security or reliability, and vendors have met buyer's requests. I think this is a fundamental problem related to the inability of humans to make the "right" decisions in a world of fantastic complexity -- we need a wetware upgrade.

The changes in US Federal s/w purchase plans has been in the works for a while. "Change the industry" is a code-phrase for "displace Microsoft".

I suspect Microsoft was given early warning of this even before 9/11. Microsoft worries about only a few things:

1. European anti-trust legislation. Not so bad ... EU legislators can be bought.

2. Linux, in particular China or India mandating use of Linux solutions. A tough problem, but Microsoft may yet find a way to destroy Linux. (Consider their support of the SCO suit merely a minor skirmish.) Given Microsoft's cash reserves, they can buy a lot of key developers at $1-10 million apiece. OTOH, there are a lot of people in the world.

3. The US Federal government mandating security and reliability standards for government used software.

This last, I think, Microsoft's biggest fear. It's driving most of their current focus on security and their pending elimination of Symantec and the antivirus industry. I think they've already paid big money to US politicians to buy breathing time, but the price of a further delay may be getting a bit steep. Can they get their .NET/Palladium/Passport/Hailstorm solution set in place? What choice do the Feds have anyway?

No comments: