A sharply argued blog post warns that heavy reliance on Microsoft poses serious strategic risks for organizations – a viewpoint unlikely to win favor with Redmond or its millions of corporate customers.
Czech developer and pen-tester Miloslav Homer has an interesting take on reducing an organization’s exposure to security risks. In an article headlined “Microsoft dependency has risks,” he extends the now familiar arguments in favor of improving digital sovereignty, and reducing dependence on American cloud services.
The argument is quite long but closely reasoned. We recommend resisting the knee-jerk reaction of “don’t be ridiculous” and closing the tab, but reading his article and giving it serious consideration. He backs up his argument with plentiful links and references, and it’s gratifying to see several stories from The Register among them, including one from the FOSS desk.
He discusses incidents such as Microsoft allegedly blocking the email account of International Criminal Court Chief Prosecutor Karim Khan, one of several incidents that caused widespread concern. The Windows maker has denied it was responsible for Khan’s blocked account. Homer also considers the chances of US President Donald Trump getting a third term, as Franklin Roosevelt did, the lucrative US government contracts with software and services vendors, and such companies’ apparent nervousness about upsetting the volatile leader.
We like the way Homer presents his arguments, because it avoids some of the rather tired approaches of FOSS advocates. He assigns financial value to the risks, using the established measurement of Return on Security Investment [PDF]. He uses the Crowdstrike outage from last July as a comparison. For instance, what if a US administration instructed Microsoft to refuse service to everyone in certain countries or even regions?
He tries to put some numbers on this, and they are worryingly large. He looks at estimated corporate Microsoft 365 usage worldwide, and how relatively few vendors offer pre-installed Linux systems. He considers the vast market share of Android on mobile devices compared to everything else, with the interesting comparison that there are more mobile phone owners than toothbrush owners. However, every Android account is all but tied to at least one Google account – another almost unavoidable US dependency.
There is a genuine need for people to ask questions like this. And, importantly, many of the decisions are made by people who are totally tech-illiterate – as many movers and shakers are these days – so it’s also important to express the arguments in terms of numbers, and specifically, in terms of costs. Few IT directors or CEOs know what an OS is or how it matters, but they’re all either former beancounters or guided by beancounters.
Another issue we rarely see addressed is the extreme reach of Microsoft in business computing. The problem is not just bigwigs who mostly don’t know a hypervisor from an email server; the techies who advise them are also a problem. We have personally talked to senior decision-makers and company leaders who know nothing but Windows, who regard Macs as acceptable toys (because they can run MS Office and Outlook and Teams), but who have never used a Linux machine.
There’s a common position that a commodity is only worth what you pay for it, and if you don’t have to pay for it, then it’s worthless. Many people apply this to software, too. If it’s free, it must be worthless.
It’s hard to get through to someone who is totally indifferent to software on technical grounds. When choices of vendors and suppliers are based on erroneous assumptions, challenging those false beliefs is hard.
(We’ve had a few abusive comments and emails from anti-vaxxers following our coverage of Xlibre. They’re wrong, but it’s tricky to challenge the mindset of someone who doesn’t believe in the basic concepts of truth, falsehood, or evidence.)
One way to define “information” is that it is data plus context. We all need contrast and context and comparisons to understand. Any technologist who only knows one company’s technologies and offerings lacks necessary context. In fact, the more context the better. Looking around the IT world today, it would be easy to falsely conclude that Windows NT and various forms of Unix comprise everything there is to know about operating systems. That is deeply and profoundly wrong. Nothing in computing is universal, not even binary; there have been working trinary or ternary computers, and you can go and see a working decimal computer at Bletchley Park.
Lots of important decision-makers believe that Microsoft is simply a given. It is not, but telling them that is not enough. It’s like telling an anti-vaxxer that the Earth is an oblate spheroid and there are no such things as chemtrails. After all, some US legislators want to ban chemtrails, so they must be real, right?
But if you can put a price on false beliefs, and then show that changing those beliefs could reduce risk in a quantifiable way, you can maybe change the minds of IT decision-makers, without needing to tell them that they’re science deniers and the Earth isn’t flat. ®
Source: Security pro counts the cost of Microsoft dependency • The Register
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft