CIOs Share the Blame

by Paul A. Strassmann

Computerworld

November 3, 2003


A lively debate has been generated by the recent report "CyberInsecurity: The Cost of Monopoly," produced by, among other credible security experts, Daniel Geer, Charles P. Pfleeger and Bruce Schneier. The vulnerability of any monoculture -- the central theme of the report -- was noted here five years ago ["Microsoft a U.S. Security Threat," Nov. 30, 1998].

While the paper makes the case for Microsoft's culpability in magnifying security risks, that's only a partial explanation of the situation we're in. Something must be said about the conduct of IT managers who have ignored rising security threats.

As microcomputers acquired mainframe power, tens of millions of amateurs got hold of the capacity to mess up systems in ways that previously were available only to professional programmers. As a result, security has now become the main inhibitor to further computerization. IT management should shoulder part of the blame for several reasons:

1. Abdication. When desktops first showed up, CIOs were pleased that they could unload the burden of satisfying rising demands onto enthusiastic amateurs whose costs could then vanish into administrative expenses. Complaints about a lack of service could likewise be pushed out to where they would not reflect on the CIOs' own difficulties in dealing with technological innovation. For example, when the U.S. Navy and Marine Corps set out to bring uncontrolled desktops under control, they found over 100,000 "legacy" applications instead of the 2,000 they expected. Seizing control is now difficult because most of the useful work is done in local applications and not through services provided by the Navy/Marine Corps CIO.

2. Absenteeism. When computing devices started connecting to the Internet, CIOs tolerated the widespread practice of jump-starting local application services with few security safeguards. For this lack of security leadership, CIOs received accolades from computer magazines and little accountability for the consequences.

Three years ago, much of the federal administrative bureaucracy became a Web-page development shop. When I got to NASA, I asked for a count of Web addresses in the organization; we stopped at 2,904 and 4.3 million individual pages. Much of the most effective work in using computers as a tool for collaboration and communication was done outside of the organizations that the CIO was supposed to guide.

3. Negligence. In the past decade, CIOs, allied with enthusiastic corporate executives, diverted their attention from managing the total cost of computing to lobbying for incremental funds for attention-grabbing technologies, such as client/server systems, enterprise systems or Web services. Such projects could be managed as separate tasks and were presented to corporate executives as isolated commitments. While concentrating on appealing innovations, organizations neglected to invest in the reliability and security of the shared infrastructure.

I blame the CIOs for not making the case for the necessary funding to implement networkwide security because that would have required the imposition of an enterprisewide discipline. Thus, the CIOs ended up managing only what they had a charter to manage, which was a shrinking share of the total cost of IT. With such dilution of CIO power, nobody stepped up to impose order on the desktops because that was just too hard to do, was politically unpopular and was a losing proposition from a budgeting standpoint. Increasingly decentralized computing devices were allowed to infiltrate an increasingly rickety shared infrastructure without any safeguards that might prevent the inevitable security collapses.

The time has come to pay for decades of unsafe computing. And the price will exceed the cost of meeting the Y2K threat. Executive management will now insist on the following:

  • A complete accounting of the security of every computing asset and every conceivable entry point into an organization's network. This will include all portals, operating systems, routers, switches, wireless devices, firewalls and modems, as well as all data entry applications.

  • Certification that real-time authentication and authorization of access to files, to operating software and to applications is enforced without exception.

  • Government certification that the custody and retention of all transaction records meets worst-case contingency scenarios.

Through abdication, managerial absenteeism and negligence, we have ended up with millions of insecure mainframes on desks and laptops, and in briefcases. Microsoft profited from providing software that can be best characterized as trying to serve all, at all times. Nevertheless, the lack of adult supervision and accountability from CIOs also deserves a share of the blame for the current deplorable state of insecurity.

Paul A. Strassmann (paul@strassmann.com) is convinced that even a palm-size device with the power of a mainframe warrants data center security measures.


Copyright 2003 by IDG Communications, Inc., 500 Old Connecticut Path, Framingham, MA 01701.
Reprinted by permission of Computerworld
