Air Force Orders To Microsoft: Improve Security

As if Microsoft didn't have enough trouble with the government. Now an Air Force CIO is taking the vendor--and its competitors, too--to task, saying they need to step up their efforts to establish improved security standards.

Coding errors in commercially developed software account for roughly 80% of successful system intrusions, says Air Force CIO John Gilligan. And hacks today may be aimed at causing more than bottom-line damage. "This is no longer an economic issue. This is clearly a national security issue," Gilligan says.

The cost and energy the Air Force is expending on dealing with coding flaws that are found almost every day, and which could create opportunities for hackers, is taking its toll. It's "rising very fast--approaching the point where we're spending more money to find, patch, and fix vulnerabilities than we paid for the software," he says.

Microsoft doesn't necessarily have worse design problems than other vendors the Air Force buys products from, such as Cisco Systems and Oracle, but it's the largest IT supplier for the Air Force. So "they have the opportunity to show leadership in the industry," Gilligan says. Microsoft has helped set the right tone with Bill Gates' internal memo advocating "trustworthy computing, but the key will be, what's the follow through?"

Gilligan wants other IT industry leaders to take a proactive role, too; he says he'd rather avoid having the government get involved in security standards. The government "recognizes it's not efficient in this arena," he says. "We could develop standards, but it would take us longer and it might not match well with what's reasonable for industry."

Gilligan met last fall with Microsoft's Rick Belluzzo and Howard Schmidt (now vice chairman of the federal Critical Infrastructure Protection Board) to discuss mounting security problems. The Air Force has instituted more rapid processes for patching, but it's no easy task to manage 400,000 desktops running Microsoft software. "We're not leaving Microsoft in a week or six months," says Gilligan. But if the company doesn't improve, the Air Force, with roughly a $6 billion IT budget, will weigh other software options. "Even though Microsoft may have good functionality in products and the purchase price may be reasonable, the overall life-cycle cost and vulnerability may cause us to look at other products."