Critique of CyberInsecurity report

futureworlds nobody at mail.futureworlds.it
Thu Sep 25 15:47:38 PDT 2003


The CyberInsecurity essay is available at
http://www.ccianet.org/papers/cyberinsecurity.pdf.  A few comments:

Overall, this is a terrible analysis with a misguided solution which,
if adopted, would only make things worse.  It is shocking to see the
well-known figures who have allowed their names to be attached to this
document.  Apparently hatred of Microsoft runs so deep that people are
unable to think critically when presented with an analysis that attacks
the company.  We saw the same thing with the absurd lies and exaggerations
about Palladium last year.

> The threats to international security posed by Windows are significant,
> and must be addressed quickly. We discuss here in turn the problem in
> principle, Microsoft and its actions in relation to those principles, and
> the social and economic implications for risk management and policy. The
> points to be made are enumerated at the outset of each section, and
> then discussed.

Let's look at these three portions.  The "problem in principle",
according to the report, is the existence of a monoculture, which should
be addressed by diversification.  There are nonsense figures in here
that claim to quantify the "power" of the net, using absurd, hand-wavy
formulations like Metcalfe's Law or Reed's Law.  (Reed's so-called Law is
a joke, predicting that the Internet will be 228 quadrillion times more
"powerful" in 10 years if the number of systems increases 50% per year!)
This is not logic, this is not reason, it is just rhetoric.

But the fundamental problem with the analysis here, which is what
makes the report's recommendation so misguided, is the claim that
diversification will somehow solve the problem.  In fact, diversification
will make it worse, as a moment's thought should make clear.

Let's suppose that the government stepped in, and the kind, wise
government bureaucrats we all know and love so well decided to aid
disadvantaged operating systems.  This affirmative action program is so
effective that after many years, Microsoft has only a third of the market;
Macs have another third; and Linux has most of the remaining third.
Wow, the problem is solved, right?

Wrong.  With the number of systems on the net growing rapidly, any
realistic extrapolation leaves the number of Windows systems even
larger than today.  Hence we face at least as much exposure as
at present, which the evidence has shown is more than enough to cause
tremendous economic damage.

And in fact, it is worse, because any flaws in the Mac or Linux OSs
will now be just as dangerous as for Windows!  What we will face is a
situation where the *weakest* of the widely used OSs will determine
the risk factor for the system as a whole.

This is not the kind of redundancy which reduces risk.  There is no
effective way that the presence of other architectures is going to
prevent a virus or worm from being able to spread just as rapidly
as today.
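A toy model of the exposure argument above, added here as an illustration; it is not part of the original post or of the CyberInsecurity report. All figures (100 million hosts, 30% annual growth, the per-platform flaw probabilities, the scan rates) are constructed inputs, and the worm-spread function is the standard logistic approximation of a random-scanning worm, assumed here as the simplest model in which spread speed depends on the absolute number of vulnerable hosts rather than on a platform's market share:

```python
"""Toy exposure model for the 'diversification does not shrink the exposed
population' argument (added example; all numbers are constructed inputs)."""


def projected_exposure(total_hosts_now, annual_growth, years, shares):
    """Absolute hosts per platform after `years`, assuming the whole population
    grows by `annual_growth` per year and ends up split by `shares`
    (a dict platform -> fraction, summing to 1)."""
    assert abs(sum(shares.values()) - 1.0) < 1e-9, "shares must sum to 1"
    total = total_hosts_now * (1.0 + annual_growth) ** years
    return {platform: total * share for platform, share in shares.items()}


def prob_some_platform_wormable(flaw_probs):
    """Weakest-link aggregate: probability that at least one widely deployed
    platform has a wormable flaw in a given period, treating per-platform
    flaw probabilities as independent.  Adding platforms can only raise it."""
    p_none = 1.0
    for p in flaw_probs.values():
        p_none *= 1.0 - p
    return 1.0 - p_none


def ticks_to_fraction(vulnerable, scans_per_tick, target=0.9,
                      address_space=2 ** 32, initial=1):
    """Discrete logistic approximation (assumed model) of a random-scanning
    worm confined to one platform's vulnerable population: each infected host
    probes `scans_per_tick` random addresses per tick and hits a not-yet-
    infected vulnerable host with probability
    (vulnerable - infected) / address_space.  Returns the number of ticks
    until `target` of that population is infected.  The speed depends on the
    absolute count `vulnerable`, not on the platform's share of the market."""
    infected = float(initial)
    ticks = 0
    while infected < target * vulnerable:
        newly = infected * scans_per_tick * (vulnerable - infected) / address_space
        infected = min(float(vulnerable), infected + newly)
        ticks += 1
    return ticks


if __name__ == "__main__":
    # Constructed scenario: 100M hosts today, 95% of them Windows; 30%/yr
    # growth for 5 years, ending with Windows at one third of the market.
    windows_today = 100_000_000 * 0.95
    future = projected_exposure(100_000_000, 0.30, 5,
                                {"windows": 1 / 3, "mac": 1 / 3, "linux": 1 / 3})
    print(f"Windows hosts today ~{windows_today:,.0f}, "
          f"after diversification ~{future['windows']:,.0f}")
    # One dominant platform vs. three widely deployed ones (constructed 0.5 each).
    print("P(some platform wormable):",
          prob_some_platform_wormable({"windows": 0.5}),
          prob_some_platform_wormable({"windows": 0.5, "mac": 0.5, "linux": 0.5}))
    # Doubling the vulnerable population roughly halves time-to-saturation.
    print("ticks to 90% (300k vs 600k vulnerable hosts):",
          ticks_to_fraction(300_000, 100), ticks_to_fraction(600_000, 100))
```

The three functions correspond to the three steps of the argument: the Windows host count in the future scenario exceeds today's despite the smaller share, the chance that some widely deployed platform is wormable rises as platforms are added, and a worm's time to saturate its platform shrinks as that platform's absolute vulnerable population grows.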

That error is the most fundamental in the report, but let's turn to their
analysis of Microsoft's dominance, where again they have utterly missed
the obvious truth.

The report claims that the reason for Microsoft's dominance in operating
systems is what it calls application lock-in, which is a nasty way of saying
that people prefer Windows because they want to use applications that
are only available on that architecture.  This part is obviously true.
But the report tries to link this to the claim that this is all due to
Microsoft's strategy to tightly integrate applications and the operating
system, which is absurd.

In the first place, many of the most popular applications which drive
people to choose Windows aren't even from Microsoft.  Games, business
software, web utilities, there are thousands of popular programs which
are only available on the Windows architecture.  These programs aren't
built into the OS, but instead the companies making this software have
chosen Windows because it is popular, has good development tools, and
in the early days was easier to write for (remember that up until a few
years ago, the Mac lacked preemptive multitasking, and Linux wasn't even
a blip on the radar).

In the second place, Microsoft does in fact make some of its most popular
applications available on the Mac.  Office and its predecessors, and IE
have been available for many years on that platform.  These apps are not
locked to the OS as the report claims.

And in the third place, the real reason why Microsoft preferentially
supports Windows is not due to technical integration with the OS, but
for the obvious economic reason that the Windows OS is made by the same
company as Windows apps, so it makes sense for the latter to support
the former.  This fact is so utterly obvious that it is astonishing that
the report manages to miss it.

> The natural strategy for a monopoly is user-level lock-in and Microsoft
> has adopted this strategy. Even if convenience and automaticity for the
> low-skill/no-skill user were formally evaluated to be a praiseworthy
> social benefit, there is no denying the latent costs of that social
> benefit: lock-in, complexity, and inherent risk.

Here the report manages to touch upon a particularly important point,
but as usual to miss its significance.  The point is that Microsoft's
security vulnerabilities are due to the fact that it is making its
software easy to use.  But that is one of the main reasons it is so
successful!  Believe it or not, people like software that is usable and
has features they need.  Doing so is difficult and makes software more
complex.  By adopting this strategy, Microsoft has inevitably acquired
security vulnerabilities over the years.

What the report misses, then, is that any other OS or company which adopts
the same strategy is going to face the same problem.  But companies are
going to be forced to make their software easier to use and more complex
in order to compete with Microsoft, even if the report's recommendations
were adopted.  This is going to add to the problem noted above, that
the other OSs are going to have security vulnerabilities as well,
once they are widely used.

What the authors appear to really want is to somehow change software
development methodology so that security takes precedence over features.
As a security professional who has worked for many years on consumer
products, I am well aware of the tension that exists within corporations
between these two competing goals.  It is perhaps understandable that
others in our field are trying to win this argument by government fiat.
The authors are in effect saying that they know better than the end users
what is important; that if customers prefer that their word processors
are functional, their wishes would be overridden in order to make the
programs more secure.

Even if we accept this argument (the morality of which is highly
questionable), forcing Microsoft to port Office to Linux isn't going to do
a single thing to accomplish it!  As noted above, the only effect is going
to be more pressure on the newly enfranchised OSs to become more like
Microsoft in order to compete, that is, to add features and complexity.
Ultimately, those are the preferences of the people buying the computers,
and no amount of pontificating by the authors of this report is going
to change those economic incentives.

Turning to the third section of the report, the authors contradict
themselves by claiming that Microsoft will not change its habits, while
at the end of the second section they just listed several important
changes.  Microsoft's trustworthy computing initiative, its introduction
of delays in product release in order to address security goals, and its
work towards a secure computing base are all changes that indicate that
Microsoft is taking a much more serious attitude towards security.

But rather than give the company a chance to see what it can do in
terms of making its products more secure, the report proposes to force
Microsoft to reorient its development efforts towards making Mac and
Linux versions of all its software, as if that will solve anything:

> Microsoft should be required to support a long list of applications
> (Microsoft Office, Internet Explorer, plus their server applications and
> development tools) on a long list of platforms. Microsoft should either
> be forbidden to release Office for any one platform, like Windows,
> until it releases Linux and Mac OS X versions of the same tools that
> are widely considered to have feature parity, compatibility, and so forth.

The arrogance of this proposal is beyond belief.  One of the most
successful companies in the world, one which even the report admits
has specialized in making software easy to use and meeting the needs
and requirements of end users, is expected to reorient its development
efforts and port its massive software base to a "long list" of platforms.

No consideration is given to the costs of this government-imposed mandate.
No concern is expressed about the impact on end users who have come to
appreciate Microsoft's increasingly functional applications.  Ironically,
no one even seems to realize that resources spent doing these ports may
well detract from Microsoft's current efforts to refocus on security
improvements!  Forcing the company to change direction like this is
likely to weaken security, not improve it.

The lack of any strong evidence that these drastic measures will
improve the security of the net as a whole demonstrates that this is an
ideological report rather than a technical one.  Hand-waving about
diversification does not answer the point.

Realistically, even if the net does become more diversified (which will
probably happen, gradually and naturally, without Draconian government
regulation), we are still going to have a relatively limited number
of architectures that are popular.  That's just the way markets work;
there is only a limited amount of public attention to go around, and in
most markets there are only a few companies which claim the majority of
the market share.

The result is that we will have a system where, as pointed out above,
not one but several architectures are each widespread enough to bring
the net to its knees when an exploit is discovered.  This network will
only be as strong as its weakest link.  Diversity, in this context, is
a risk factor, not a risk mediator.

In summary, this report is misguided and mistaken on so many
levels that it is astonishing that such well-respected figures were
willing to put their names to it.  The analysis is flawed or missing.
The recommendations are harsh, extreme and premature.  And ultimately
their proposals will only serve to make the problem worse, not better.





More information about the cypherpunks-legacy mailing list