Air Force to launch enterprise Microsoft initiative

18.11.2004
By Dan Verton

The U.S. Air Force Friday plans to announce an enterprisewide Microsoft Corp. software initiative that some analysts are calling a prime example of how users can leverage their spending power to force vendors to deliver more secure products.

Air Force CIO John Gilligan is expected to announce the "One Air Force, One Network" initiative, which will consolidate 38 previously decentralized software contracts for Microsoft products and nine support contracts into two mandatory enterprisewide agreements. The program is expected to save the service more than US$100 million over six years.

The consolidation will force standard configurations for all Microsoft desktop and server software across the global Air Force user base. In addition, standard configurations will enforce rigorous security profiles and can be updated online with security patches and software updates. Microsoft will also design security performance and software feature settings specifically for Air Force operations.

"This will be the first day of the rest of our lives in cybersecurity," said Alan Paller, director of research at the Bethesda, Md.-based SANS Institute. "For the first time on a large scale, the buyers have agreed with the sellers of flawed technology that the vendor will take responsibility for delivering it safely configured and keeping it that way. Over time, it will lead to safer systems for everyone, including home users who will never be security experts."

Clint Kreitner, president and CEO of the Center for Internet Security in Hershey, Pa., called the move by the Air Force "a terrific example" of how large user organizations can leverage buying power to require vendors to deliver properly configured and less vulnerable systems.

"It is vastly better than the prevailing practice of vendors delivering unconfigured, vulnerable systems," said Kreitner. "When delivering configured systems becomes routine vendor practice as a result of large buyers doing this, the smaller users without the technical know-how to configure their systems will greatly benefit by receiving safer systems."

But some analysts and observers are less optimistic about the overall impact of the Air Force program on vendors.

"It will force the Air Force to have more secure configurations of Microsoft software by limiting how many versions they use, and having configuration guidelines. But it sounds like they are building in a lot of patch management functions and that doesn't force the vendor to deliver software with fewer patches," said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

Likewise, having more configuration guidelines doesn't force vendors to deliver products configured securely out of the box, said Pescatore. And since the Air Force is standardizing on Microsoft software, "that doesn't (provide) competition or an incentive for Microsoft to get more secure."

Alan Salisbury, chairman of the Center for National Software Studies in Upper Marlboro, Md., agreed and said the Air Force initiative is likely only "a small step" toward changing vendor behavior.

However, Salisbury said standardization and consolidation are almost always about reducing costs. "The name of the game continues to be total cost of operations, which is dominated by maintenance and support," said Salisbury. "Fewer configurations equals lower costs."