Microsoft’s dominance of the desktop operating system market isn’t a threat to U.S. national security, according to a new study by a team of researchers at the George Mason University, who said a worm or other malicious attack on Windows is unlikely to produce a catastrophic failure of the Internet.
The report is based on advanced network simulations by George Mason’s Infrastructure Mapping Project. While it focuses on proprietary monopolies held by Microsoft on the desktop and Cisco in the router market, the study also suggests the growing importance of the security of open source products.
The findings contrast with those of a paper released last year by the Computer & Communications Industry Association, Cyberinsecurity: The Cost of Monopoly, which warned that “the identicality and flaw density in the Microsoft Windows monoculture present clear dangers to national security.” The paper stirred controversy when one of its authors, Dan Geer, was fired as CTO of @stake, which does business with Microsoft.
The CCIA's concerns about the security of Microsoft products are not disputed by the George Mason researchers, who instead cite the frequency of Windows-related security events as evidence that exploits of Microsoft software don't threaten the stability of the Internet.
"If catastrophic failure of the network is the threshold by which national security threats are defined, Microsoft wouldn't qualify, simply because their monoculture is not at the core of the network," says the George Mason report. "No matter how many Windows operating sytems are infected or fail, the core of the network will still run, even if there is nobody left to send traffic."
Although exploits of Microsoft software can be widely propagated, the report argues, the weaknesses reside at a less critical point on the network. Cisco's 85 percent share of the router market, while at the core of the Internet, is less vulnerable to exploits that self-propogate.
A key to the Internet's resiliency is Microsoft's smaller presence in web server software, where it holds just 21 percent of the market, compared to a 97 percent market share on the desktop. George Mason's research concludes that a technology must be found on more than 43 percent of nodes in most networks before it has the potential for an exploit to cause a massive failure.
The leading web server product is the open source Apache server, which runs on 67 percent of the Web's 50 million servers. The George Mason study didn't examine whether Apache's dominance had national security implications, but Apache has a stronger security track record than competing Microsoft products. While there have been worms that targeted Apache, they have yet to produce the impact of Windows worms such as Code-Red, Nimda and SQL Slammer.
The George Mason team includes Sean Gorman, whose research gained attention last year when the Department of Homeland Security considered classifying his dissertation, a geospatial database of America's network infrastructure. U.S officials feared the aggregated data about the phone, utility and power grids could be a roadmap for terrorists, leading some to dub Gorman's work "The World's Most Dangerous Database."