Microsoft Attacks Estonia

The villain in this piece is certainly Microsoft -- its Windows operating system allows hackers to install bots.
This post was published on the now-closed HuffPost Contributor platform.

The possibilities of cyberwarfare are real. There have been successful attacks upon our military establishments from China, and recently many government and private websites in Estonia were disabled over a three-week period. No one has identified Microsoft as the vehicle of these attacks, but they should. Its Windows programs, which run on 90 percent of the 330 million PCs in the world, make these attacks possible. Because of the architecture of Windows (and to a lesser extent of Vista), hackers are able to gain control of millions of computers and direct them to flood sites with so many messages that they must be shut down. Microsoft uses this architecture in order to protect its dominance. The computer industry has resisted all attempts to make any company liable for its insecure products, or to establish standards that would protect us from cyberwarfare. Here are the details:

On April 27 the website of Estonia's prime minister was attacked, followed by disabling attacks upon other government offices, newspapers, television stations, schools, and banks. The attacks went on for three weeks. Hackers had installed "bots" on computers worldwide and got them to flood the Estonian websites with email. Estonian security officials traced the initial attacks to Russian computer servers, including domains registered to the government and the administration of President Putin. But it could not be proved that the attacks originated in Russia, since the flood of email traveled over a number of Internet Service Providers (ISPs), including some in the U.S. and elsewhere in the world. But the attacks coincided with Russian outrage over the removal of a monument honoring Soviet war heroes from the center of the capital, Tallinn, to a military cemetery. Protests against Estonia were held in Moscow following the attack, ethnic Russians in Tallinn protested, Russia severed rail connections with Estonia, etc. The attacks resumed on May 3, and again on May 8 and 9, when Europe was commemorating the World War II victory over Nazi Germany, which marked the beginning of nearly 5 decades of Soviet occupation of Estonia.

The "denial of service" attacks overwhelmed servers which normally receive 1,000 visits a day but now got as many as four million per second. They involved "botnets." A "bot" is the term for a software robot which can autonomously run programs on the computer, including worms and other malware. A collection of computers thus compromised constitutes a botnet and the controller of the net can tell all the infected computers to send messages to a particular site. Since the first attack, instructions in Russian have circulated on the Internet telling people how to attack Estonian sites. Thus the cyberwar could continue even if the Russian government was no longer involved, if it ever was.

This is not the first instance of what is being called cyberwar. NATO received a much smaller attack in 1999 when it was fighting in Serbia. More recently, small but devastating attacks on US military establishments are thought to have come from computers in China, presumably government computers because of the sophistication of the attacks. China could be probing and testing its capability to conduct cyberwar. Attacks such as these, and those upon Estonia, are serious; without proper firewalls and other protection, cyber-attacks can shut down vital information and communication channels needed for national defense.

The villain in this piece is certainly Microsoft. Its Windows operating system allows hackers to install bots (the new Vista has somewhat better protection). There are 330 million PCs, and over 90 percent of them are running Windows or Vista, and they are all accessible to hackers. It is estimated that over half of the PCs in the U.S. are infected with bots. But no discussion of the attacks seems to have made this connection. Instead, the response has been to call upon individuals to use protective devices such as firewalls and antivirus programs, and to install patches that correct flaws in computer programs. Bill Gates, for example, once advised his customers that the security problems with Microsoft would be solved if customers kept up with the patches that Microsoft sends out to correct its security problems. But this is like telling children not to play with matches in a house with a lot of flammable material. The children are more victims than perpetrators; the real perpetrator is the presence of matches in a flammable environment. A more proper response would be to remove the matches or make the environment fireproof.

But the response of many professionals in the computer world is that Microsoft is not to blame. First, since it is the biggest target it will be hit the most. This is true, but it hardly excuses Microsoft if it markets a poor product and has a monopoly on PC operating systems. Second, there are bound to be errors when writing software and it is likely that Microsoft software engineers are no worse than others. This also may be true, though there are many computer professionals who would claim otherwise.

The real problem is with the architecture of Microsoft operating systems (OS). Rather than have an application, such as Word or Excel, run on top of the OS as a module, the application must dig into the OS to run, giving it access to the OS. An email message or a downloaded program from the web does not just run on top of the OS, but in it, and its virus can lodge itself in the OS. The virus may contain an autonomous program or bot that can be ordered to act by the hacker that put it there.

Why would Windows be structured this way, in contrast to operating systems from Linux or Apple? Because it makes it harder for people to write programs to run on Windows that might compete with those that Microsoft has written or has licensed. It was on these grounds that a Federal Court found Microsoft to be guilty of anti-competitive behavior in 1997. Keeping this architecture was a deliberate choice. It makes a competing application inoperable, unless Microsoft allows it to run. In Macintosh computers there is much less danger of this. In fact, it took a contest with a $10,000 prize to find a hole in its OS, and in those running Linux or its various children, there is no danger at all unless the user deliberately gives up administrative control.

In part the reason for this feature of Microsoft systems is a matter of history, or "legacy." It was a feature of the early operating system that presented no security liability because there was no Internet. Later on it became a competitive advantage because it meant that competitors could not write competing programs and expect them to run on Microsoft PCs. Every software program is likely to have flaws; programs are now so complicated that all the unexpected interactions, for example, cannot be anticipated and defended against. Microsoft's programmers may be as good as any, but they are writing for an architecture that allows malware to be inserted in Microsoft PCs much more easily than in other systems. Microsoft thus has made the attacks on Estonia possible and increased the probability of a much more serious cyberwarfare attack.
