Governments to see Microsoft code

In the name of security, Microsoft Corp. says it will give national governments and international organizations access to the code underlying current versions, beta releases and service packs of Windows 2000, Windows XP, Windows Server 2003 and Windows CE.

Microsoft says it has signed about 10 agreements under the new Government Security Program (GSP), including contracts with the Russian government and NATO. Approximately 60 countries are eligible to participate in the program. However, countries subject to U.S. trade embargoes, such as Cuba and Iraq, are ineligible.

Salah Dandan, the Redmond, Wash.-based manager of the worldwide government security program at Microsoft, said it is up to each individual country to announce its involvement in the program.

“We respect the privacy interests of the national governments that we’re dealing with, and we don’t disclose who is participating unless we have consent. What I can tell you is that the list is definitely growing,” he said.

A spokesperson for Public Works and Government Services Canada said he was unable to comment on the program or on any particular supplier to the Canadian government.

The push behind this program is Microsoft’s acknowledgement that governments have been turning to Linux and will continue to do so, said Paul DeGroot, a lead analyst in sales and support strategies at analyst group Directions on Microsoft in Kirkland, Wash.

“Last fall, the U.S. National Security Agency produced a secure version of Linux by modifying the Linux kernel. This is exactly the kind of thing that the new Microsoft program is intended to do — allow a government to do the same thing with Windows that they could with Linux. Whether or not they will is another question,” he said.

DeGroot expects that some governments and international agencies will resist the program because, while it allows them to build systems, they will not be allowed to make modifications to the code or compile the source code into the Windows programs themselves. This requires officials to actually visit the Microsoft campus in Washington.

“This doesn’t have the flexibility that downloading the latest Linux kernel off the Internet does, but possibly it wouldn’t be a huge objection for a government serious about security to send someone to Redmond to look at their code,” he said.

Dandan described this aspect of the agreement as an opportunity rather than a challenge, as it lets officials test and validate code with the same people who have written it and designed the security.

“It’s a chance to interact and explore opportunities for collaboration,” he said.

The program currently excludes all levels of government except national because the focus is on security and not on product support, Dandan said. However, he said that this doesn’t mean that Microsoft is unwilling to share with other levels of government.

According to DeGroot, Microsoft is limiting the program to national governments in order to keep better tabs on its code.

“Microsoft has to draw a line someplace. They’re letting people have access to very valuable intellectual property,” he said.

While DeGroot called this a good PR move for Microsoft, he said that there could be potential issues with the program.

For instance, each time Microsoft issues a patch, there’s a chance it could affect a government’s customized systems.

“There’s always the risk that you could screw up,” DeGroot said. “Or take a scenario where you change the code and it doesn’t work. Microsoft says they can’t help you until they see the code, which destroys the premise of the whole thing — you’ve made changes to the kernel to provide high security, and now for the purpose of support you’ve got to tell Microsoft what changes you’ve made.

“I doubt very much that you’ll see governments using it broadly,” he said.