Microsoft has been quite quiet on the research front recently – well, actually, it’s been quiet on pretty much all fronts recently, as it continues to grapple with its loss of power and influence. But it has broken radio silence with the sponsorship of a new study entitled “The Link between Pirated Software and Cybersecurity Breaches - How Malware in Pirated Software Is Costing the World Billions”. Here’s the summary:

A new study released Tuesday reaffirms what we in Microsoft’s Digital Crimes Unit have seen for some time now – cybercrime is a booming business for organized crime groups all over the world. The study, conducted by IDC and the National University of Singapore (NUS), reveals that businesses worldwide will spend nearly $500 billion in 2014 to deal with the problems caused by malware on pirated software. Individual consumers, meanwhile, are expected to spend $25 billion and waste 1.2 billion hours this year because of security threats and costly computer fixes.

As you can see, the numbers involved are truly huge - $500 billion in 2014 alone – so let’s look a little more closely at what’s going on here. The full report [.pdf] gives some details:

In 2013 IDC tested pirated software from more than 550 Web and P2P sites or CDs bought in street markets to determine the prevalence of malware in pirated software. In January and February of 2014, the Department of Electrical and Computer Engineering at National University of Singapore conducted a forensic analysis of 203 PCs that were purchased from PC resellers, specialty shops, and PC markets in typical buying situations in 11 countries. Together, this research found the chances of encountering malware in a pirated copy of software are one in three. The chance of encountering malware in a PC purchased with pirated software is more than 60%.


This National University of Singapore research on malware on PCs purchased from common distribution sources — computer specialty shops, resellers, and local markets — found that 46% of the PCs came with dangerous malware.

The malware included viruses, worms, Trojan horses, rootkits, and unwanted Adware, which had pre-infected the new PCs before they could even access the Internet. There were other problems as well, such as misleading applications, corrupted executables, exploits, and system vulnerabilities, which we didn’t count as “infections” but that can contribute to the problem. Exploits, for instance, are often used to allow the pirated software to function. But these vulnerabilities can make it easier for the PCs to get infected once they do have access to the Internet.


National University of Singapore found more than 100 distinct threats, some of which were quite nasty. Here are just three of them.

Win32/Enosch.A. This is a worm that searches for all Microsoft Word documents (.doc and .docx) in the infected computer and emails them to a remote attacker.

Win32/Sality.AT. This is a virus that stops some security software and some Windows utilities from running. It also tries to download other files from a remote server, including other

Win32/Pramro.F. This is a Trojan that creates a proxy server on an infected computer. The proxy server may then be used to relay spam e-mail and web traffic as well as to hide the origin of the attackers responsible for the malicious activity.

As those make clear, we are talking here about Windows malware, found on purchased PCs, on Web sites, in P2P downloads and on CDs bought on the street. Moreover, it’s evident the infected software is proprietary, paid-for software. How do we know that? Well, for the simple reason that nobody pirates open source software, because it’s always free of charge, by definition. So Microsoft’s report is about closed-source code, running on Windows.

This means that IDC/Microsoft’s disturbingly high figure of $500 billion for 2014 is not so much the projected worldwide cost for enterprises of using pirated software, as the cost of running non-free programs on Windows. Most of that $500 billion could be saved – pretty much at a stroke – simply by switching to free software.

That’s because open source software is completely free, so there is no reason to turn to pirate sources. This makes it much, much harder for malware to be introduced (not impossible, but almost). So companies would not only save on the licensing costs for Windows and other proprietary software, they would save on all the unexpected costs of cleaning up the damage caused by Windows-based malware, as described so lovingly in Microsoft’s report.

This underlines something that is rarely mentioned: the real cost of using Windows and other proprietary code is not just the initial purchase price plus the cost of upgrades. It is the negative externalities of closed source – the hidden costs that arise from the inherent flaws of the Windows ecosystem. And it’s not just business that suffers, as Microsoft spells out:

In 2014, businesses will spend $127 billion dealing with security issues and $364 billion dealing with data breaches, and almost two-thirds of these losses, or $315 billion, will be the result of organized crime – malware launched by financially motivated criminals. As for governments, they could lose more than $50 billion dealing with the costs associated with malware on pirated software in 2014. Government officials surveyed by IDC say their greatest concern from infected software is the loss of business trade secrets or competitive information (59 percent), followed by unauthorized access to confidential government information (55 percent) and the impact of cyberattacks on critical infrastructure (55 percent).

With its latest sponsored report on the incredibly high costs of using Windows-based software, Microsoft is to be congratulated on producing some of the most compelling reasons yet for companies, governments and ordinary users to move off closed-source and on to free software. In doing so, they would not only save huge sums up front, but also avoid even larger costs – financial and reputational – in the years that follow.

