Saturday, January 27, 2007

Castration, Innovation... Regulation?

On Thursday, during an interview in front of an audience of Stanford students, Bill Gates chided security vendors for trying to “castrate” Vista.

Gates is being disingenuous. Vista isn’t in danger of being castrated. Microsoft customers? That’s potentially a very different story.

Many critical functions within SCADA (Supervisory Control And Data Acquisition) systems, government organizations, financial institutions, medical facilities, pharmaceutical and bio-research labs, and defense departments around the world are now performed on PCs. Huge amounts of the data manipulated in these systems are now stored on Microsoft-based servers, or in Microsoft-based databases. Virtually every government in the world now uses Microsoft as the standard operating system at the core of these critical operations.

You can remove competitive word processing innovations from these organizations, and while it can be argued that some amount of value-creation is removed as a result, the assets are not placed at risk. This is not the case when it comes to removing security options: when you remove weapons from the troops, you place assets at risk.

There isn’t a government in the world that would knowingly remove useful arms from its armory, and I suspect the more senior members of the EU’s regulatory boards understand this. They know if Microsoft manages to reduce security options by “innovating” a standard set of security applications into Vista, hackers will be able to line up against a single set of tools, and government and private assets will be made more vulnerable, not less vulnerable, for however many years/decades it takes Microsoft to solidify its defenses.

Now you might say, well, it all comes down to technology performance and quality of service. Unfortunately, it doesn’t. When the IT administrator or CIO of a budget-driven organization takes a software budget upstairs for approval, the lower-cost, lower-performance (or no-cost) bundled option often wins, despite the best efforts of the person charged with asset protection and incident response. Short-term gain, long-term loss of choice.

It is time for governments to look past the commercial arguments and start thinking seriously about the implications of allowing Microsoft to “go it alone” in security, as sole innovator, and sole responder. Because a wrong decision made over the course of the next 12 months could indeed result in castration - of IT consumers - in years to come.
