Astoundingly, many people in the industry have been positing the ethical question of whether Microsoft should be allowed to compete in the anti-malware market.
As InfoWorld security columnist Roger A. Grimes puts it, in the context of a recent column on the question:
Many analysts are asking if Microsoft, which could be blamed for creating the very insecurities that Windows malware is exploiting, should be able to reap additional profit from closing those same holes? The company’s worst critics are worried that key vulnerabilities could be left in Windows longer to benefit additional Microsoft revenue streams.
After reviewing Microsoft’s security strategy and the products that fall under its umbrella, Grimes first concludes that it’s not evident that Microsoft will “immediately crush its competition, if it competes fairly.” Looking at the company’s historical record in the space, Grimes makes the following assessment:
Microsoft doesn’t have a stellar past record of doing well in the anti-malware field. Microsoft entered and left the antivirus market back in the days of MS-DOS 6.0 because they couldn’t be competitive. They have been promising better anti-malware tools for years now, and they still don’t have mature tools on the market. What they have brought out isn’t as good as what the competitors already have.
That’s an accurate assessment of the past, no question, but I have a strong feeling the worm is turning. Microsoft has a renewed commitment and determination to secure its core products, and I think that mindset, which has evolved over the last couple years, will be reflected in the company’s security offerings henceforth.
Still, putting aside the question of whether Microsoft will succeed in the security market, let’s get back to whether it has the right to be there at all.
On that question, Grimes delivers the right answer:
Back to the moral question of whether Microsoft should be allowed to compete in the anti-malware marketplace at all. First, if you are a critic, ask yourself if you would have the same objections if it was Apple better protecting OS X, or Sun better protecting Solaris? If you’re honest with yourself, you might find your anti-Microsoft predispositions creeping into your arguments.
What harm is there in allowing Microsoft to offer free or additional adjunct software protection alternatives? As long as Microsoft is not anti-competitive — pushing its computer defense choices over other vendors’ in an illegal way — additional choices are a good thing. If any of the Microsoft-derived tools prevent a malware program from being installed that might otherwise be missed, then they are a good thing.
He’s correct on both counts. It’s self-evident to me that Microsoft has a contractual obligation to assure the integrity and provide for the security of its own products. Yes, it should have done a better job of doing so in the past, but past negligence does not disqualify it from addressing the matter properly today.
One might argue, in fact, that security never should have become the booming standalone industry into which it developed in the shadow of Microsoft’s not-so-benign neglect. It was and remains Microsoft’s commercial and moral obligation to ensure the security of its products for its customers. That it failed in that regard in the past does not mean that we should resign ourselves to the past paradigm of Microsoft’s shipping insecure products with gaping security holes that are addressed subsequently by an army of for-profit third-party vendors.
I would argue, and have argued, that security is not like other application or infrastructure markets in which Microsoft competes. Code and resulting products ought to be secure. The company that develops and commercially releases products should and must take pains to secure those products from malicious attack and material vulnerability. How can it be otherwise?
In what other industry would we tolerate such a state of affairs? Would we allow automobile manufacturers, for example.to sell cars without bumpers and air bags, compelling us to buy those components in the after-market from third-party vendors? I think not. Automobile manufacturers must provide for the safety and security of their customers, and so it should be in the software industry.
Microsoft owns the problems that are inherent to its code and its core software offerings. If it fails to address them, and others fill the void, that’s an example of how nature, and the marketplace, abhors a vacuum, but it in way absolves Microsoft of its responsibility.
Third-party anti-malware vendors, though — the ones who filled the vacuum and feathered their nests on the foundation of Microsoft’s previous inattention and dereliction — are not pleased to see Microsoft getting serious about the security of its Windows operating system and its server and client software products. They were hoping Microsoft would never come to its senses and accept its own security mandate.
Now, these vendors — led by Symantec and McAfee — are trying every trick in the book to keep their anti-malware businesses insulated from the commercial threat represented by Microsoft’s belated acknowledgment that security should be inherent to the code it develops and sells as products.
In Europe, McAfee and Symantec have begun making noises about filing a formal anti-competitive complaint with the European Commission. They haven’t done so yet, but don’t surprised if it happens.
According to the a news item from Reuters today, McAfee is making its case against Microsoft in a full-page advertisement that appears in today’s edition of the Financial Times. The issue is integrated kernel protection that Microsoft is providing for its forthcoming Vista release of Windows, which McAfee (and Symantec) claims unfairly prevents its host-based intrusion-prevention software from gaining access to the core of the operating system to defend against malware and other exploits.
This is a major issue for the anti-malware vendors, because the future of host-based security is moving away from signature-based antivirus technologies and rapidly toward pattern-based intrusion-prevention technologies and network-access control mechanisms. For McAfee and Symantec, there’s a lot of current revenue that might dry gradually if Microsoft delivers a hardened, secure Vista kernel.
So, given the high stakes, it probably isn’t surprising to see McAfee and Symantec pulling out all the stops. Appeals to consumers, business customers, and government regulators will intensify. In the text of its advertisements today, McAfee writes that Microsoft . . .
. . . seems to envision a world in which one giant company not only controls the systems that drive most computers around the world but also the security that protects those computers from viruses and other online threats.
Only one approach protecting us all: when it fails, it fails for 97 percent of the world’s desktops.
Computer users around the globe recognize that the most serious threats to security exist because of inherent weaknesses in the Microsoft operating system.
It’s true that the most serious threats to security exist because of inherent weaknesses in Microsoft’s operating system. Still, that doesn’t mean that Microsoft cannot take action today to better fortify the security of its products.
As I said before, Microsoft bears the responsibility to do so. If it fails, there still will be room for McAfee’s and Symantec’s host- and perimeter-based anti-malware offerings. If it succeeds, an unnatural state of affairs — one in which a major industry player left the integrity and security of its core products to other vendors — will have come to an end.
Either way, I don’t see how consumers or enterprise IT departments can lose. I definitely see the downside for McAfee and Symantec, and I understand why they’re increasingly desperate in their fight against a development that should have occurred a long time ago.