Experts Debate Whether Move Would Have a Major Impact
If Microsoft were to offer deep discounts in India for its Windows 10 operating system, as the government is proposing, would that help reduce the security risks posed by the widespread use of pirated versions?
Some security practitioners say the move likely would help, but others argue that it would have relatively little impact because so many organizations rely on core legacy systems that must run on older versions of Windows.
India is pressing Microsoft to offer a sharply discounted one-time deal to the more than 50 million Windows users in the country so that they can upgrade to the latest Windows 10 operating system in the wake of cyberattacks.
Microsoft declined to offer comment to Information Security Media Group on the proposal, while Gulshan Rai, India’s cybersecurity coordinator, did not respond to a request for comment.
In India, Windows 10 Home is priced at Rs 7,999 or $123 US, while the Professional version of the software, mainly used by large companies and institutions, costs Rs 14,999 or $232. About 95 percent of the 57 million computers in India run on Windows, while the rest use Apple and Linux, according to various online reports.
Because of price sensitivity, many Indian companies, especially smaller ones, use pirated Windows OS versions that don’t receive security patches.
Some security experts question whether discounting the operating system would have much impact.
“Though the move shows that the government is aware of the market situation in India, I am not too confident of how much effect this will have on the actual problem of cyberattacks,” says Ritesh Bhatia, a cybersecurity consultant and founder of V4Web, which creates secured web applications.
“The recent Petya attack took place in big companies who I am sure use genuine Windows. I am not sure if the government is aiming it right this time around,” he says.
Indeed, some security practitioners believe the problem is less about cost than about reliance on legacy systems. “The practical problem is something else. What I’ve seen in a few companies is that legacy systems are still being used, which would not work under Windows 10,” says Berjes Shroff, CEO at Berj InfoSec, a cybersecurity consulting firm. “To make matters worse, Supervisory Computers of Manufacturing Systems such as CNC Machines, also use lower versions than Windows 10, and the software in many cases does not support higher version,” he says.
Floyd DCosta, co-founder at Block Armour, adds: “It’s great to see the government take cognizance of cybersecurity, but the fact of the matter is many organizations are running core applications built for earlier versions of Windows. These will need to be updated first before the OS can be upgraded. Not sure how many SMBs in India are ready for this change.”
But Shivangi Nadkarni, co-founder and CEO at Arrka Consulting, a cybersecurity consulting and audit firm, says the government’s move to seek Windows discounts is “commendable.”
“Why look at the move only from an enterprise’s point of view?” he asks. “There are millions of end users in the country who still run Windows XP and have no relation with legacy systems and applications. For them, a lower cost will definitely be an incentive to upgrade their OS.”
How to Upgrade Pirated Systems?
Even if Microsoft agrees to heavily discount Windows 10, there’s no guarantee, of course, that individuals and organizations would buy and install the upgrade.
“Also, sadly, many OS’s, especially deployed at home (including some at smaller companies), are pirated. How are these people going to upgrade their systems? They will obviously need to buy the original software, which I don’t believe is included in this discount request by the government,” Shroff says.
But the government’s move is helping to build cybersecurity awareness, Shroff acknowledges.
“Indirectly, I see more awareness of cybersecurity gaining traction from this move, which, in turn, will benefit CISOs too,” he says. “If this discount is allowed by MS, then it will also benefit CISOs who are struggling to get budgets passed.”
Repeated attacks exploiting vulnerabilities in Windows have put a dent in Microsoft’s brand image. So Microsoft may, indeed, offer the discounts to redeem its image and maintain or grow market share, some security experts say.
“I know of companies who are in discussion now to shift to the Linux operating system because so far it looks safer than Windows. I am sure Microsoft won’t like to see a situation affecting its almost monopoly-like situation,” a practitioner from an insurance firm says.
A data privacy consultant, who asked not to be named, says that instead of asking for a discount from Microsoft, the government should concentrate on coming up with a basic cybersecurity framework for all sectors, which should clearly address piracy. None of the current cybersecurity policies and frameworks in India mention anything explicitly on piracy, he says. “To me, the move [by the government to request discounts from Microsoft] looks like some kind of an arrangement between the government and Microsoft,” he adds.
The government should look at the bigger picture, DCosta says. “The upgrade will only solve a part of the problem. It’s time we start looking at emerging options like software defined perimeter, or SDP, and blockchain technology to secure servers and critical infrastructure against modern cyber threats.”
Some security practitioners also point to the need to improve user awareness of patching (see: Bug-Fixing Imperative: ‘Patch, Protect or Pray’).
“Not all companies have an in-house expert for patch management,” says Pavan Kushwaha, founder at Kratikal Tech. “As a result, they often have to tie up with a third party for the same. However, IT budget becomes an issue and patch management becomes the least priority for an organization.”