Guardian Unlimited © Guardian Newspapers Limited 2001

The worm that nearly toppled the tower

by Dr Simon Moores

We all fell for Microsoft. Now we risk it falling on top of us. Simon Moores on the dangers of omnipotence.

Sunday, August 05 2001 - Code Red is a title that would better suit the plot of a Tom Clancy novel than a computer virus that failed to bring about global internet meltdown.

Unlike the world of Clancy's Net Force, there was no secret organisation capable of deterring, let alone finding, the author of Code Red. Instead, the world's largest economy has once again fallen hostage to yet another simple computer programme, conceivably an adolescent prank.

Code Red, which infected nearly 300,000 computers and was named after a caffeine-based drink popular among computer programmers, was, according to the FBI and the Home Office, a grave threat to the national infrastructure the internet now represents in every developed nation.

However, last week's emergency and the many others that have preceded it have forced some observers to consider the prospect of a broader technology crisis, expressed by a dependence on internet software solutions from a single - and frequently compromised - source, Microsoft.

Code Red cleverly exploited a weakness in Microsoft's popular internet information servers (IIS) and the company worked swiftly to release a software fix. It is estimated that IIS runs on approximately 6 million servers, and by last Tuesday evening, there had been 2 million downloads of the fix. Over the past 12 months, internet-based attacks and cyber-vandalism have increased dramatically.

In a global sense, governments and business appear impotent in the face of a threat that frequently targets Microsoft products.

Reuters reports that Code Red has already cost an estimated $1.2 billion in damage, and the final bill may well reach $8.7bn. Over the past decade both public and private sectors have subscribed, almost universally, to one man's Henry Ford-style view of computing - any colour you like as long as it runs Windows.

Tomorrow, should they embrace Microsoft's .NET vision of the future, an apparently seamless integration of software and the internet, they are about to repeat the experience. This Microsoft 'monopoly' - or 'consistency', depending on your perspective - may have offered tangible advantages in the past, but for many, choosing Microsoft software today attracts an element of risk.

An absence of competition and the company's proprietary software architecture - which sees many of today's new products layered on top of yesterday's code - continue to reveal dangerous vulnerabilities when some of the most popular software is exposed to the world through the open window of the internet.

This climate of uncertainty means that only 55 per cent of business internet users in the UK believe that online transactions are secure.

Microsoft's director of marketing, Oliver Roll, insists that companies are choosing Windows because it offers lower cost, higher choice and greater skills in the marketplace. Commenting on Code Red, he said: "You can't plan for every eventuality. We have the most secure software available in the industry. Is the benefit that I'm getting from choosing this software greater than the risk that I'm taking?"

Chris Sterling, chief technology officer at software development house IT Outpost, which creates business software exclusively around Microsoft technology, says: "Microsoft's focus lies too much on developing attractive functionality - at the cost of security. The backward compatibility demands and very complexity of the Microsoft software environment are its most profound weaknesses."

DK Matai, an expert on electronic risk and managing director of internet security specialist mi2g, believes that a solution lies with open-source software and the Linux operating system now being embraced by IBM.

"Microsoft's proprietary software is being targeted by attackers because it has an Achilles' heel," he says. "Two-thirds of all web defacements are centred on Microsoft's IIS." There is little doubt, says Matai, "that the future lies in software solutions that will be able to dynamically adapt to the rising threat in real time."

Naturally, such concerns also concentrate the minds of Microsoft executives as clearly as those of their customers, be these UK or US governments or large financial institutions. But there is real reluctance among many to speak openly. The Office of the E-envoy is responsible for both selecting and directing the technology choice for tomorrow's wired society and has been criticised for its choice of Microsoft as a principal technology partner.

However, a source stressed the transparent nature of the decision-making process and the challenges, in a Microsoft-dominated world, of finding acceptable technology alternatives. Microsoft doesn't like to be thought of as a Fallen Angel. Speaking frankly, but wishing to remain anonymous, a source close to the company commented: "What should we do? Nationalise Microsoft? You can't take the technology away."

"If Microsoft hadn't have done it, another company would. It's not about Microsoft; it's about humans not deserving the technology. Personally, I believe in supporting the advancement of society and civilisation through the benefits that Microsoft can bring to the world." The source continued: "Of course there's a cost attached, but I think the benefits are stronger than those."

Others within the IT industry believe that Microsoft should accept a greater responsibility, and see little mitigation in Microsoft's argument that security is down to the quality of the software and the processes that a company or individual deploys to manage a secure environment.

Ian Meakin, director of product marketing at Sun Microsystems, believes that in following Microsoft's lead, society has arrived at a technology dead-end. 'Sun Microsystems may be Microsoft's arch rival, but not in a pure technology sense. We represent the other side of the coin and we very much believe in an open, free market, based on innovation and competitiveness.

'We certainly don't believe that comes from Microsoft, which drives innovation out of the overall software equation and introduces mediocrity instead.' What is certain is that in the wake of Code Red, the world is running low on time and answers. Microsoft may be the McDonald's of computer software, but such convenience comes at a high price.

As a source close to the company expressed it: "I can see another Babel looming. It wasn't the tower that brought people to their knees - it was the overreaching ambition of what the tower did for them."

Do not look into the abyss.
