Would a Security Monopoly Really Be So Bad?

By Larry Seltzer  |  Posted 2006-03-31

Opinion: It's just a thought experiment, but you can make a good case that competition has failed and that what the security market needs is a monopoly.

You could see it coming for years: Microsoft's entry into the security business will be treacherous for other security vendors. It's been about to happen for years and now it will take a little longer. But eventually it should actually happen. And when it happens independent security vendors' interests will be threatened, according to many analysts. Will Microsoft's entry be their doom, as it has been in so many other businesses? The anti-virus, anti-spyware and other security markets are not the same as previous cases.

As analysts point out in Matt Hines' excellent story, the enterprise security market is a totally different animal. Buyers are sophisticated and know they have plenty of credible options. Microsoft enters that market not only with no advantage but with a lot of explaining to do. And customers can reasonably ask whether it makes sense to use a vendor's security products to protect systems and applications software from the same vendor.

But even in the consumer market I'm not especially worried about these other vendors for a number of reasons. For one thing, they're only vendors. It's the interests of users that should really matter. For another, the history of the software business is littered with Microsoft failures, although once it does latch on to a market, it never lets go.

Of course, that's all fantasy, since Microsoft is in no better a position to solve our endemic security problems through its security products than any other vendor. It is in a better position to fight them by changing Windows. To a degree this is in the works for Vista, but it can only go so far.

To make a system secure in the real world you could lock it down tight, a configuration that normal users won't accept since they expect to be able to install and update software, not to mention reconfigure their systems. The alternative is anti-virus, intrusion prevention and similar products that look for threats either heuristically or by signature.

Of course, a huge percentage of users don't run anti-virus software or run out-of-date versions. These users are, for all practical purposes, unprotected. One way to solve this—please be patient with me, this is a thought exercise—would be for Microsoft to bundle a high-quality anti-malware product with Windows and make updates either free or very inexpensive.

Before I go any further, this isn't going to happen for a number of reasons, the biggest being that it would put Microsoft in extremely hot water with antitrust authorities; and that producing and distributing updates costs money, and Microsoft wouldn't be keen on creating a perpetual cost center.

But the upside, unless you're one of Microsoft's competitors, is huge. Thousands of threats come out every year, but very few of them are able to penetrate a system with a modern, updated security suite. Most of them depend on users being unprotected, and they don't have to infect many systems to be worth writing.

If such protection were a standard part of Windows, the threat would still take at least several years to go away because lots of people never upgrade. They'll keep botnets in business for a long time. But standard protection would probably cause PC sales with the new Windows version to go through the roof.

One of the real dangers of such a situation would be if Microsoft's product were second-rate or worse, not an unreasonable possibility. In this case Microsoft could kill off other vendors but still leave users unprotected to the extent that the product doesn't work as well as it might.

There's also the "monoculture" problem: If everyone's using Microsoft security, then any threat that can get through it is likely to affect a large percentage of users. But I'm not aware of lots of threats that consistently get through one anti-virus product but not others. Generally the difference is in how long it takes for the vendor to issue a signature.

If the Microsoft product were insufficient, then other vendors would have an in to the market, especially in the corporate market. But they would have a strong factor mitigating their prices.

Like I said, this is all fantasy—it's not going to happen. But it's interesting that there's a case to make for it. Competition in the consumer security business has certainly failed to make protection cheap and easy.

That's why my interpretation of this little thought exercise is that security software is too expensive. The price has been rising rapidly over the last few years to where the security industry has made the situation simple by moving to a subscription model. Where in the past you might have paid $50 for the product and $5 per year for updates, now you'll pay $40 or more per year. This is another reason I don't worry about them.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
