The Cost of Principle


A few security luminaries, including Bruce Schneier and Dan Geer, issued a report to the Computer and Communications Industry Association that called the ubiquity of Microsoft software a hazard to the economy and to national security. The report states:

Because Microsoft's near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow. The goal must be to break the monoculture.

The report goes beyond merely decrying the monoculture, however, and points out the danger of Microsoft using its monopoly power and the security threat to further lock users into using Microsoft products:

Efforts by Microsoft to improve security will fail if their side effect is to increase user-level lock-in. Microsoft must not be allowed to impose new restrictions on its customers - imposed in the way only a monopoly can do - and then claim that such exercise of monopoly power is somehow a solution to the security problems inherent in its products. The prevalence of security flaws in Microsoft's products is an effect of monopoly power; it must not be allowed to become a reinforcer.

In a kind of unholy death spiral, the very security flaws that the Microsoft monoculture helped create lead to a situation where Microsoft's monopoly is strengthened. Yikes! The report calls on government to set an example:

Governments must set an example with their own internal policies and with the regulations they impose on industries critical to their societies. They must confront the security effects of monopoly and acknowledge that competition policy is entangled with security policy from this point forward.

Imagine the impact if the feds or even some large states switched to open source on the desktop.

The bizarre part of this whole story is that Dan Geer's employer, @Stake, fired him for his part in the report. One of @Stake's biggest customers is Microsoft, and while the company says that Microsoft put no pressure on them, I'm sure the self-administered pressure was immense. It's no secret that Microsoft plays hardball with this kind of thing, and past actions are a strong enough signal to @Stake that failure to take action would have reduced shareholder value. It's a good thing principles are so valuable because they sure cost a lot.