IT Management

Microsoft is the world’s largest provider of PC software, and its software is the largest carrier of digital disease (i.e., viruses, worms, and other malicious software) on the planet. Microsoft has created a software world where rogue rules. Despite numerous rewrites and overhauls, Microsoft has yet to provide adequate security and error recovery frameworks within its OS code base. Consequently, digital disease thrives at the expense of millions of customers. Surveys assessing the global cost of lost productivity due to computer viruses, downtime, and security breaches now put that cost in the trillions of dollars annually. And who hasn’t been impacted?

Vendors are ultimately to blame when they compromise on design and the resulting flaws in their products allow customer systems to be compromised. For many customers, the cost of compromise becomes a painful reality when figuring their TCO. A CIO once told me he believes that Bill Gates is to blame for more productivity losses than any human being in history!

Looking back on Microsoft’s 30 years of accomplishment, things didn’t have to be this way. Are you aware that the world of Wintel viruses could have been avoided had Microsoft created a security framework similar to what has existed for several decades on the mainframe? Microsoft could have done more with the hardware security features provided by Intel’s chips to prevent its system code from being compromised. IBM won’t publicize the fact that mainframes are virus-free; why challenge the creators of digital disease to attempt to prove otherwise? Nonetheless, mainframe protection exists at the hardware level: it notifies the operating system software of program exceptions, rendering rogue programs DOA. An authorized program facility, supplemented by layers of sophisticated access control software, provides the security framework that keeps mixed workloads isolated from each other. Add a mountain of recovery code and you have the formula for a bulletproof system with more than 99.999 percent availability.

Shoddy security is a design choice. Linux on Intel is younger and already has better security than the Wintel Petri dish environment. Poor system design may sometimes be attributed to inexperience, but it’s inexcusable when you’ve been at it for decades.

In 1976, I had been in the industry for only three years when I moved from Virginia to Texas to work at MRI Systems, a database software vendor. One day I asked Jim Collins, a savvy developer, why development took so long. Jim explained: “To write commercial software to perform a task is usually pretty easy, but it’s only about 10 percent of what’s needed. Ninety percent of the effort is taking care of all the things that can go wrong.” Rushed developers are often tempted to take shortcuts that will compromise the code’s security and resiliency. Worse, some vendors simply ignore the 90 percent.

Microsoft achieved industry dominance by first embracing software developers, and later by leveraging its GUI to win over the masses. Before the PC came out in 1981, Microsoft and Bill Gates needed an operating system, so they acquired QDOS from Seattle Computing. QDOS, which stood for Quick and Dirty Operating System, primarily consisted of a set of assembly language utilities written a year earlier by an individual in only two months’ time. Microsoft hurriedly expanded it and released it as MS-DOS, and as soon as PCs were networked, they became sitting ducks for rogue programs. NT was an attempt to write a better OS ... and the rest is misery, er, uh, I mean history.

I’ve heard Microsoft culture lacks development discipline (e.g., Easter eggs, superfluity of development methods). It has been reported that at one point several years ago Microsoft halted development to interject programmer training on writing secure code. This is like a builder completing a house without any plumbing, then trying to add it later after the occupants have moved in. Even after having a couple of decades to wise up and clean up the code base, Microsoft continues to attempt patches piecemeal (just note the endless stream of Windows update patches). Recently, they announced plans to form an industry group called the Secure IT Alliance. Let’s hope they recognize the need for an integrated security architecture and use the mainframe architecture as their blueprint. Otherwise, it’s reasonable to question if they have the development expertise and/or gumption needed to ever close the gap. Grace and peace.