Air Force to standardize Microsoft configurations

The U.S. Air Force early next year will require its 525,000 personnel and civilian support staff to use a single and specially configured version of Microsoft’s operating system and applications, said the military department’s CIO.

At a press conference at the Pentagon Friday to announce the strategy, Air Force CIO John Gilligan said the department wants to use a single version of Microsoft products, configured with security in mind, on its desktops and servers to help it reduce the problems it faces in applying software patches whenever Microsoft announces new vulnerabilities.

As part of the initiative, the Air Force has hashed out an agreement directly with Microsoft CEO Steve Ballmer that includes the consolidation of 38 separate contracts and replacing them with two. The new contracts involve Microsoft supplying a version of its desktop and server operating system and applications that include System Management Server 2003, Office 2003, and Exchange.

Gilligan said the new arrangement with Microsoft would save the Air Force about $100 million.

The Air Force will also receive automated patch updates under a program in which Microsoft will work closely with the Air Force to identify new vulnerabilities early on.

The laborious patch testing and distribution process would be automated through a single center. In addition, the procedure of separate Air Force commands buying their own Microsoft software would be discontinued in lieu of a central purchasing decision.

“We expect significant economies of scale through this,” Gilligan said.

The Microsoft products will be configured under guidelines still to be determined but expected to be based on input from the National Security Agency, Defense Information Systems Agency as well as the Center for Internet Security.

The Air Force endures about one network-based attack per week that successfully exploits new vulnerabilities, Gilligan said. “There’s some disruption and loss of capability,” he pointed out, noting that Air Force bases all over the world support the operations of the war in Afghanistan and Iraq.

The idea of sticking with a single version of Microsoft products, and setting up a way to centralize distribution of software updates, is expected to alleviate the severe time delays and expense associated with patching software in the Air Force, Gilligan said.

 “We’re spending more money patching and fixing than buying software,” said Gilligan during the press conference. It’s not unusual for patching of vulnerabilities to take months to complete, he said.

Gilligan said the problem of Air Force commands using different versions of the Microsoft operating system and applications had not only engendered some interoperability problems, but also produced more work in applying patches, which is generally still done manually within the Air Force.

“We want Microsoft focused not on selling us products but to enhance the Air Force in our mission,” said Gilligan, adding that he hoped the new effort would lead to the kind of support Microsoft could provide other organizations in the future.

Gilligan acknowledged that in grappling with the patch-update issue, the Air Force had considered transitioning to open-source software but determined the transition costs would simply be too high. Also, he noted that all software from all vendors, as well as open source, faces the problem of newly-discovered vulnerabilities that have to be patched.

The Air Force operates several hospitals, and many medical devices used in operating rooms also use commercial operating systems, including Microsoft’s Windows. Gilligan said the Air Force is mindful that these medical devices also face patching issues and that medical devices can also be vulnerable to attack when they are left unpatched.

Gilligan said a separate certification program under which vendors must agree to timely patch updates is now in place to address this problem. The Air Force has started to insist on that in contracts with device vendors, he noted.

In addition, Gilligan added that the Food & Drug Administration, which regulates medical devices, has issued guidelines to the Air Force that will allow the military department to directly install software patches as well in certain circumstances.  

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies