[ISN] Air Force to standardize Microsoft configurations

InfoSec News isn at c4i.org
Mon Nov 22 07:12:59 EST 2004


By Ellen Messmer
Network World Fusion

The U.S. Air Force early next year will require its 525,000 personnel
and civilian support staff to use a single and specially configured
version of Microsoft's operating system and applications, said the
military department's CIO.

At a press conference at the Pentagon Friday to announce the strategy,
Air Force CIO John Gilligan said the department wants to use a single
version of Microsoft products, configured with security in mind, on
its desktops and servers to help it reduce the problems it faces in
applying software patches whenever Microsoft announces new

As part of the initiative, the Air Force has hashed out an agreement
directly with Microsoft CEO Steve Ballmer that includes the
consolidation of 38 separate contracts and replacing them with two.
The new contracts involve Microsoft supplying a version of its desktop
and server operating system and applications that include Systems
Management Server 2003, Office 2003, and Exchange.

Gilligan said the new arrangement with Microsoft would save the Air
Force about $100 million.

The Air Force will also receive automated patch updates under a
program in which Microsoft will work closely with the Air Force to
identify new vulnerabilities early on.

The laborious patch testing and distribution process would be
automated through a single center. In addition, the practice of
separate Air Force commands buying their own Microsoft software would
be discontinued in favor of a central purchasing decision. "We expect
significant economies of scale through this," Gilligan said.

The Microsoft products will be configured under guidelines still to be
determined but expected to be based on input from the National
Security Agency, Defense Information Systems Agency as well as the
Center for Internet Security.

The Air Force endures about one network-based attack per week that
successfully exploits new vulnerabilities, Gilligan said. "There's
some disruption and loss of capability," he pointed out, noting that
Air Force bases all over the world support the operations of the war
in Afghanistan and Iraq.

The idea of sticking with a single version of Microsoft products, and
setting up a way to centralize distribution of software updates, is
expected to alleviate the severe time delays and expense associated
with patching software in the Air Force, Gilligan said.

"We're spending more money patching and fixing than buying software,"
said Gilligan during the press conference. It's not unusual for
patching of vulnerabilities to take months to complete, he said.

Gilligan said the problem of Air Force commands using different
versions of the Microsoft operating system and applications had not
only engendered some interoperability problems, but also produced more
work in applying patches, which is generally still done manually
within the Air Force.

"We want Microsoft focused not on selling us products but to enhance
the Air Force in our mission," said Gilligan, adding that he hoped the
new effort would lead to the kind of support Microsoft could provide
other organizations in the future.

Gilligan acknowledged that in grappling with the patch-update issue,
the Air Force had considered transitioning to open-source software but
determined the transition costs would simply be too high. He also
noted that all software from all vendors, as well as open source,
faces the problem of newly discovered vulnerabilities that have to be

The Air Force operates several hospitals, and many medical devices
used in operating rooms also use commercial operating systems,
including Microsoft's Windows. Gilligan said the Air Force is mindful
that these medical devices also face patching issues and that medical
devices can also be vulnerable to attack when they are left unpatched.

Gilligan said a separate certification program under which vendors
must agree to timely patch updates is now in place to address this
problem. The Air Force has started to insist on that in contracts with
device vendors, he noted.

Gilligan added that the Food & Drug Administration, which regulates
medical devices, has issued guidelines to the Air Force that will
allow the military department to directly install software patches
itself in certain circumstances.
