DHS had little choice but to sign Microsoft deal, despite security flaws
Lack of money, time and flexibility may have been factors in the decision
Computerworld - The fact that the U.S. Department of Homeland Security awarded Microsoft Corp. a $90 million enterprise software deal two days after Bill Gates met with DHS Secretary Tom Ridge in Washington is more than sheer coincidence.
It's now a major security headache for a mammoth new agency that security experts say lacks the wherewithal to have considered alternative sources for its software.
On June 25, Gates met with Ridge and other leaders on Capitol Hill. And on June 27, the DHS signed a contract with the company for server and desktop software for approximately 140,000 users. The DHS described the contract as a critical step in the department's efforts to establish a common computing environment for its 22 formerly independent agencies.
But with the discovery last week of a critical security flaw affecting nearly every version of the Windows operating system -- including Windows Server 2003 (see story), the first product to be sold under Microsoft's so-called Trustworthy Computing initiative -- some security experts are warning that the DHS may have backed itself into a security quagmire.
Options Were Open
"They had a choice, but it would have been costly and time-consuming," said Roger Cressey, former chief of staff of the President's Critical Infrastructure Protection Board.
"The real alternative was to go open-source. But for 22 agencies, an overwhelming majority of which use nothing but Microsoft operating systems, to convert to another platform in an efficient and cost-effective manner would have been hard to accomplish," said Cressey. "DHS has neither the time, the money, nor the flexibility for that. Now it is held hostage to the imperfections of Microsoft code-writing."
DHS CIO Steve Cooper, who's leading the massive integration effort, didn't return Computerworld's calls seeking comment.
Microsoft spokesman Keith Hodson said no software has yet been shipped to the DHS under the recent contract, so the department will receive software with the necessary patches. Hodson also said that as recently as Friday, the DHS reaffirmed its confidence in Microsoft's ability to handle any security problems that arise.
A former senior Microsoft executive who spoke on condition of anonymity said he has "yet to find someone who's come up with a definitive, unbiased white paper on the pros and cons of relying on a single software vendor" for all or most of an organization's IT infrastructure.
Rafael Nunez, a former hacker now employed as a security expert at Scientech Inc. in Gaithersburg, Md., said that although standardizing on a single software platform makes it easier for hackers to penetrate different partsof an enterprise, the DHS would have been far less secure had it deployed open-source software.
"There's a reason the government doesn't buy open-source software," said Nunez. "They don't buy it because they know that every hacker and software cracker can study the code for exploits."
Read more about IT in Government in Computerworld's IT in Government Topic Center.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Virtualizing Government Infrastructure
- All server virtualization solutions are not created equal. The more-with-less agenda for government agencies is tailor-made for server virtualization, which is evolving into...
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will... All IT in Government White Papers
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
- Virtualize Business-Critical Applications with Confidence
- Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®... All IT in Government Webcasts