No, EU competition policy was not responsible for global IT chaos

You have to admire Microsoft’s PR people for their cynicism… they are not-so-subtly letting the media know that the REAL baddie in Friday’s global IT outage was not CrowdStrike, nor poor security design of Windows, but… the European Commission’s DG Competition!

Microsoft told the Wall Street Journal a 2009 undertaking they made on interoperability to the European Commission is to blame:

Microsoft shall ensure on an ongoing basis and in a Timely Manner that the APIs in the Windows Client PC Operating System and the Windows Server Operating System that are called on by Microsoft Security Software Products are documented and available for use by third-party security software products that run on the Windows Client PC Operating System and/or the Windows Server Operating System.

But this is, technically speaking, total 💩 There is no good reason why security-critical features in the Windows “kernel” used by Microsoft’s own security products cannot be documented and made available to competitors’ security products, with appropriate controls.

There have also been claims that the European Commission has more recently put pressure on Microsoft not to move towards a more restrictive model on third-party Operating System (OS) kernel software (more similar to Apple’s macOS.) While I don’t doubt Microsoft will use whatever excuses it can to hit back against regulators, there is again no reason why smart regulation cannot find a better path between sometimes-conflicting security and competition goals, using broad stakeholder consultation and more technically-sophisticated expertise and collaboration between regulators — as we have seen with the EC’s development of its Digital Markets Act legislation and enforcement.

I often agree with Epic’s Tim Sweeney on tech competition, but here…

Finally, there are a million different ways to brick a Windows PC which do not involve kernel mode drivers. A few regedits will do the trick. An errant game installed from Steam can brick your PC. Using one vendor’s screwup to give Microsoft carte blanche to block competitors…

— Tim Sweeney (@TimSweeneyEpic) July 22, 2024

…I wouldn’t agree Windows is so insecure that Microsoft shouldn’t tighten controls on e.g. kernel extensions either 😂 It should do that while fixing its own stable door!

For technology-dependent societies’ resilience, OS kernel-level software and equivalents on socially-critical infrastructure systems (like travel, healthcare and banking) need to be very carefully tested (and ideally run on top of a formally verified microkernel) and controlled. But OS monopolists shouldn’t be making the final decisions about precisely what those controls look like, where they have implications for competition.