US military gets its own secure version of Windows
Sick of Microsoft patches, but Ballmer prevents move to open source.
By Ellen Messmer, Network World Fusion | Network World US | Published: 10:27, 23 November 2004
The US Air Force has had enough of Microsoft's security problems. But rather than switch to an alternative, it has struck a deal with CEO Steve Ballmer for a specially configured version of Windows to be used by all its 525,000 personnel and civilian support staff.
Air Force CIO John Gilligan said the department wants to use a single version of Microsoft products, built with extra security, on its desktops and servers to help it reduce the problems it faces in applying software patches whenever Microsoft announces new vulnerabilities.
The new deal sees the consolidation of 38 separate contracts with just two. The new contracts involve Microsoft supplying a version of its desktop and server operating system and applications that include System Management Server 2003, Office 2003, and Exchange. The new arrangement will save the Air Force about $100 million, according to Gilligan.
The Air Force will receive automated patch updates under a program in which Microsoft will give the Air Force special attention to identify new vulnerabilities early on.
The laborious patch testing and distribution process would be automated through a single center. All Microsoft software purchasing will also be made centrally from now on.
The Microsoft products will be configured under guidelines still to be determined but expected to be based on input from the National Security Agency, Defense Information Systems Agency as well as the Center for Internet Security.
The Air Force endures about one network-based attack per week that successfully exploits new vulnerabilities, Gilligan said. "There's some disruption and loss of capability," he pointed out, noting that Air Force bases all over the world support the operations of the war in Afghanistan and Iraq. "We're spending more money patching and fixing than buying software," said Gilligan. It's not unusual for patching of vulnerabilities to take months to complete, he said.
Gilligan acknowledged that in grappling with the patch-update issue, the Air Force had considered transitioning to open-source software but determined the transition costs would simply be too high. Also, he noted that all software from all vendors, as well as open source, faces the problem of newly-discovered vulnerabilities that have to be patched.
The Air Force operates several hospitals, and many medical devices used in operating rooms also use commercial operating systems, including Microsoft's Windows. Gilligan said the Air Force is mindful that these medical devices also face patching issues and that medical devices can also be vulnerable to attack when they are left unpatched.
Check out how Windows compares with Linux on security. Download the Techworld report now and judge for yourself.