The Chink in OMB's Windows Mandate

When the Office of Management and Budget issued a mandate Tuesday that forces agencies to use a standard configuration of the Windows operating system, its main goal was to improve information security within government. The theory is that OMB, by way of the Department of Homeland Security, can send out mass security patches for newly found vulnerabilities that agencies then can quickly apply, securing systems en masse.

But some critics say this strategy may not significantly improve security.

The problem is the inherent insecurity of Windows operating systems. Microsoft's new operating system Vista is supposed to be more secure, but it has its security problems. That is why the market for anti-virus software, intrusion detection systems and firewalls is so huge, says Eugene Spafford, a professor and executive director of the Purdue University Center for Education and Research in Information Assurance.

Moreover, Ben Fathi, the former head of Microsoft's security group and now the chief of development in the Windows core operating system group, said at the RSA Conference 2007 in San Francisco last month that if Vista had half the security vulnerabilities that Windows XP had, he would consider that a "great goal."

"In the first year after Windows XP debuted in October 2001, Microsoft posted 30 security bulletins pegged to the Home version of the then-new operating system," with more than one vulnerability sometimes appearing in a single bulletin, ComputerWorld reported last month.

In a discussion among security experts in the same ComputerWorld article, Graham Cluley, senior technology consultant for Sophos PLC, said:

[I]n the last five years, the number of hackers and researchers who are examining Microsoft's code for vulnerabilities with ever greater intensity has increased. Furthermore, we have seen a number of legitimate security companies (including some who may have a vested interest in debunking Microsoft's status as a security player) put efforts into finding flaws in Microsoft's code.

What isn't in doubt is that there will continue to be flaws found in Microsoft Vista.

Curt Kolcun, vice president at Microsoft Federal, said that agencies are looking to migrate to Vista because of its improved security features. Agencies are looking to move "in a planned way," Kolcun said. "They'll slipstream this into their build process."

Kolcun estimates that 50 percent of the government will move to Vista by the end of calendar year 2008.

Do you think OMB's mandate will make government IT systems measurably more secure, or are Microsoft's Windows platforms too vulnerable? Click on the "Comments" link below to let us know.