Worms Spur Call for Diversity

Microsoft sites vulnerable.

The recent rash of worm attacks targeting Microsoft Corp. products has industry experts questioning the wisdom of a five-year, $90 million deal that made the Redmond, Wash., company the primary provider of desktop and server software for the Department of Homeland Security.

The late-August Blaster and SoBig.F attacks caused network interruptions at the Maryland Department of Motor Vehicles, Air Canada, CSX Corp. and the Navy Marine Corps Intranet.

Still, DHS remains committed to getting every workstation and server in the agency to run Microsoft technology, according to DHS spokeswoman Rachel Sunbarger, in Washington. One advantage of standardizing on Microsoft, DHS officials said in July, is that it will provide the agency with a standard desktop environment and e-mail system, allowing employees to operate as a single enterprise would.

However, one disadvantage of such harmonization is that the entire enterprise can be affected by one attack. The Computer & Communications Industry Association, which represents companies as diverse as Oracle Corp., America Online Inc., Sun Microsystems Inc., Verizon Communications Inc. and Nortel Networks Ltd., wrote to DHS Secretary Tom Ridge in the wake of the Blaster and SoBig.F attacks, urging him to rethink the all-Microsoft approach and incorporate a diversity of technologies.

Divisions in the department that are not using Microsoft server technology should not be forced to migrate to Microsoft if their systems are operating securely and effectively, said Ed Black, president and CEO of CCIA, in Washington. "They should define requirements not by choosing a supplier but by identifying needs and objective technological parameters and requiring interoperability," Black said. "If they want to change the decision [to go entirely with Microsoft], they can change it."

DHS spokesman Jim Shepard, in Washington, said the agency has spent the past few months taking an inventory of the systems used in the 22 agencies that were brought together to form the new department. The inventory was scheduled for completion at the end of last month, but no details were yet available. CCIA is researching the state of cyber-security and examining vulnerabilities in Windows products, Black said, adding that the results are slated for release in about a month.

Microsoft did not respond to requests for comment.