WINDOWS WON'T BE ENOUGH TO KEEP OUT TERRORISTS
Dylan Evans
Financial Times
7 May 2004
This week's onslaught of the Sasser computer worm underlined
fears that digital weapons may become the latest addition to the arsenal
of global terrorism. Computer networks are obvious targets for terrorists
because so much of modern life depends on them. Beyond the impact on banks
and businesses around the world, in Britain, the Sasser worm brought down
the computerised mapping system at the Coastguard Agency and, in Australia,
disrupted communications between train drivers and signal boxes, leaving
300,000 passengers stranded.
Security services everywhere have been aware of the threat
of cyberterrorism for some time. Britain's Terrorism Act of 2000 refers to
attempts to "disrupt an electronic system", and the website of MI5 includes
a warning about electronic forms of attack. However, to judge from the ease
with which worms such as Sasser continue to spread, such warnings are not
being heeded.
One reason our computer networks are so vulnerable today is
the weakness in the Windows family of operating systems that dominates them.
Sasser infects only computers running Windows, but as Windows runs on more
than 90 per cent of desktop computers, this is not much of a limitation.
Contrary to popular misconception, however, the vulnerability
of Windows to digital attacks is not due solely to the fact that it is so
widely used; it arises from the very design of Windows itself. Security was
simply not top of the agenda when Windows was born and it cannot be easily
patched in now - mainly because the software has become horrendously complex,
with Windows 2000 reaching an estimated 60m lines of source code. This "code
bloat" flouts a fundamental principle of computer security: keep things simple.
Source code is the text that underlies most programs that
run on computers. The code for Windows is a trade secret owned by Microsoft.
This means that buying Windows is rather like buying a car from someone who
refuses to let you look under the bonnet.
Some European governments and businesses are now trying to
wean themselves off exclusive reliance on Microsoft. The UK government, for
example, has initiated trials of Linux, a free operating system, in various
test organisations.
Linux is regarded by many users as more secure than Windows
- and not just because attackers prefer bigger targets. Unlike Windows, security
was built into Linux from the beginning, when Linus Torvalds, a Finnish student,
began assembling the code on his personal computer in 1991. For those who
wanted to check the security of the system, Mr Torvalds freely gave away
the source code. As a result, thousands of hackers worldwide spotted its
flaws and helped iron them out. Microsoft pays hundreds of computer programmers
to check its own source code for bugs, but Linux benefits from the free input
of many more hackers tweaking its code, enabling it to fix security holes
in hours rather than days or months.
At first, "Open Source" software such as Linux was viewed
with suspicion by the business community. Giving software away seems like
a crazy idea. Since then, however, a variety of innovative business models
have grown up around Open Source software, providing a range of services
such as training and support.
Nevertheless, many companies continue to depend exclusively
on Windows while losing millions of dollars each year to viruses and other
forms of cybercrime. Perhaps more importantly, emergency and defence forces
in most western countries use Windows in large parts of their computer networks,
despite the fact that Microsoft itself acknowledges that Windows is not suitable
for safety-critical applications.
The company's acknowledgment came after the USS Yorktown,
a missile cruiser, was brought to a standstill during military exercises
in 1997. The ship had to be towed back to a naval base in nearby Virginia
after losing all power when its computer control systems - running Windows
- crashed. Luckily, the missiles were carrying only dummy warheads - otherwise,
according to Risks Digest, a reputable forum on computer security, the ship
might have blown itself up.
Perhaps MI5 should be more specific in its warnings about
cyberterrorism. Perhaps it should warn businesses to pay particular attention
to the most vulnerable targets in the house of the west - the Windows.
The writer is senior lecturer in intelligent autonomous systems
at the University of the West of England and will speak on this subject
at the Cheltenham Science Festival in the 'Business Breakfast' at 7.30 am
on Friday 11 June 2004.
This page was last updated: 11 May 2004.