Almost three years ago the naval systems arm of major UK defence contractor BAE Systems took the decision to standardise future development on Microsoft Windows. An immediate effect was to commit BAE's joint venture CMS subsidiary, AMS, who specialise in naval Combat Management Systems, to implementing a Windows 2000-based CMS system for the new Type 45 Destroyer. But this prompted strong internal opposition from some of AMS' engineers, who had a sound background in Unix and who had, despite resource starvation and a companywide policy to standardise on Windows, been investigating open source alternatives as a foundation for future combat systems.
They lost. Acting as spokesman for the concerned engineers, Gerald W Wilson compiled a 50-page dossier detailing the unsuitability of Windows as a foundation for a naval command system, and arguing that BAE's Unix history and expertise made open source UN*X a logical and viable way forward. The company then made him redundant. In May of this year Wilson reiterated his concerns to the board of BAE Systems at the company's AGM, pointing out that Windows is "proprietary technology owned by a foreign corporation", has "many and continuing security flaws", and is not even warranted by Microsoft itself for safety-related use. Why then, he asked, is AMS "shunning established engineering practice" by developing the Type 45's CMS on Windows?
But in July of this year AMS announced, claiming as it did to be 'encouraging' open systems development, that Windows 2000 was "the current baseline console" for Type 45 development. AMS supports this with copious documentation on the AMS approach to open systems, which can be summarised as open, so long as it uses Windows. Earlier AMS had announced the deployment of Windows on submarine HMS Torbay, together with plans to retrofit Windows to Vanguard class and other attack submarines.
And in case you're wondering, the Vanguard class boats carry the UK's Trident thermo-nuclear intercontinental ballistic missiles. So some people think that's a heap of responsibility for Windows to carry.
As The Register has noted in previous pieces on BAE's interesting Windows plans, this is no trivial matter. Whereas most previous naval deployments of Microsoft Windows worldwide have been overhyped, and have dealt largely with non mission-critical, non-lethal installations, AMS really is committing the Royal Navy to Windows-based command, control and combat management systems. Having spoken up and lost his job for his pains, Gerald Wilson has now contacted The Register. What follows is his story, in his own words.
Gerald Wilson writes: I used to work for BAE Systems, within the division which developed Command Systems for naval warships. Four years ago, I spurred active debate about the future software foundations for these systems. As a long-time assessor of innovative technology, I advocated investigation of, and adoption of, open source UNIX foundations, such as BSD and GNU/Linux. Given that the company’s command system products had already been successfully migrated to run on proprietary UNIX, I viewed this as a natural strategic evolution, expected to be low in cost and risk. However, BAE had undergone several structural changes. One consequence was that computer resources were owned and controlled by BAE's outsourcing partner (Computer Sciences Corporation). CSC's published policy was to standardise BAE's computers to use only Microsoft's proprietary software.
Deprived of equipment, it was difficult to investigate open source UNIX as an alternative technology, despite BAE touting "Innovation and Technology" as one of the company's core business values; ultimately, the only recourse was to buy equipment from private funds. The enforced conformance to Microsoft Windows influenced Engineering. In New Year 2002, it was decided that the Combat Management System, for the new Type 45 destroyer, would run on Microsoft Windows. Many of us raised in the discipline of software engineering were alarmed, even shocked, to learn this, but lacked strong grounds for speaking against it; that is, until April. In April 2002, Bill Gates, acting as Microsoft's Chief Software Architect, gave extensive testimony under oath to the US Courts. Gates's testimony included description of the current structure of Microsoft Windows. Snubbing fifty years of progress in computer science, the current structure of Windows abandoned the accepted principles of modular design and reverted instead to the, much deprecated, entangled monolithic approach. Paragraphs 207 to 223 are particularly revealing about Microsoft's chosen approach (paragraph 216 is difficult to believe!).* Anyone with elementary knowledge of computer science can see that Microsoft Windows, as described here by Gates, is inherently insecure by design. If this is a flagship Operating System, then Dijkstra's life was in vain.
Professional responsibility now took hold. Those of us who understood the implications of trying to use Windows as a foundation for a command system saw the risk. As loyal officers of the company, we were obliged to attempt to convince management about the risk. Acting as spokesman for a phalanx of concerned engineers, I compiled a dossier to document the problem. The dossier provided a management summary, reinforced by some fifty pages of detailed analysis and rigorous argument. The dossier explained why Microsoft Windows could not form a safe and secure foundation for a naval command system; and why, given BAE's established use of proprietary UNIX for this purpose, open source UNIX was a sound successor. The dossier was circulated within the division (now part of BAE's joint venture AMS) in summer 2002, and more widely within BAE Systems. [For the public record: the dossier was stored under the references JSWT/MRX/379 and JSWT/MRX/471 within the standard electronic filing system used by command system developers. Hence it would be impossible for the company to "lose" these documents without calling into question its ability to manage project documents of any kind.]
The company's action was swift, but disappointing. Rather than respond to the concerns I had raised, the company terminated my employment. I was dismayed. Whatever my failings, sloppiness of thought is not one of them. I felt that I had applied my mind to this issue on behalf of my employer, but that my concerns had - echoing Mr Justice Sheen - been treated with derision. Although not (when written) protectively marked, these documents are, obviously, commercially sensitive, and remain the property of the company. Consequently I would not be able to publish them even supposing I had copies available. They can only come under public scrutiny if released by the company; although, realistically, I would expect the company to be reluctant to do that.
Since leaving the company, I have repeated my concerns to various parties: to the management of AMS, to MoD officials, to the heads of professional bodies (the BCS and the IEE), and to the board of BAE. So far, I have been unable to convince anyone to agree with my view. As far as I can tell, BAE remains wedded to "Windows for Warships", and ignorant about open source alternatives. Despite BAE's wishful thinking, this issue will not go away. In the two years since I compiled the dossier, numerous security problems have been discovered in Microsoft Windows and its ancillary programs. Many of these have arisen precisely because of its non-modular structure, and in particular because of the complex entanglement between Internet Explorer and the rest of Windows. These continual problems demonstrate how, in practice, Windows proves inherently insecure by design. There are many public descriptions of this issue, but a succinct summary is found here: (Does open source software enhance security? - The Register). Although partisan, Greene's analysis is accurate. Greene distinguishes how the structure of Windows (entangled, monolithic) necessarily compromises its security when compared with the structure of open source UNIX (modular, scalable). It is simple to infer which structure is preferable for building a safe and secure foundation for an engineered system, such as a naval command system. A more recent example is this recommendation in a recent security advisory from the Computer Emergency Readiness Team, now part of the US Department of Homeland Security (US-CERT Vulnerability Note VU#713878, 9th June 2004, "Microsoft Internet Explorer does not properly validate source of redirected frame").
One solution recommended here is to use a different web browser:
"There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML)." (italics are mine)
CERT's analysis explains why this is a chronic problem. For the time being, CERT limits its advice to that of avoiding use of Internet Explorer, rather than avoiding Windows as a whole. However, CERT confirms that, as others have already found, IE cannot be removed from Windows, and its presence can still leave vulnerabilities in the system even if IE is never used as an application, showing again how Windows remains inherently insecure by design. In an operating system, the combination of closed source and entangled structure makes for a deadly cocktail. I am pleased that the US DHS is now recognising and warning about the risks which I and others have highlighted for more than two years. However, I shall only sleep soundly once I know that Windows has been banned from the command systems of the Royal Navy's warships for good. ®
* We've had several requests for the location of transcripts of Gates' testimony, links from the period now being largely broken. It isn't where it used to be at microsoft.com, but is still in the company's legal archive, here. It should be somewhere on the DoJ site, but the Microsoft section of the watchdog's operations now seems a wreck of broken links (moral here somewhere), and we can't readily find it. It's Exhibit 1507, should anybody want to try to hunt it down, but there's a copy here, and a Google of Gates, testimony, 1507 and PDF may net you a couple of other hosts.
As regards the offending paragraph 216, it goes like this, and is indeed breathtaking: "In a purely theoretical world, one could imagine developing modest software programs in such a way that any module could be swapped out in favor of a similar module developed by a third party. The replacement module would need to conform identically to the interfaces expected by all of the modules with which it interacts. In the commercial world, it is hard to see what value such replace-ability would provide even if it could be achieved. For Netscape Navigator to suffice as a replacement for Internet Explorer, for example, developers at Netscape would have to devote enormous effort to matching the functions of Internet Explorer and enabling those functions to perform in precisely the same way as Internet Explorer. When they were done, they would have software that is nearly identical to Internet Explorer (a 'clone'), providing little or nothing in the way of new value." - John Lettice