The great thing about this industry is that no matter how smart you are, there is always a lot left to learn. That is obvious for someone of mediocre intelligence like myself, but it is true even for the really smart guys. Dan Geer, the former CTO of @Stake, learned an extremely painful lesson: give your biggest customer the finger, and you will probably get fired. At issue was the report Geer co-authored, CyberInsecurity: The Cost of Monopoly, published by the Computer & Communications Industry Association. CCIA is a lobbying group made up of Microsoft's leading critics, including Sun Microsystems, AOL, Oracle and Yahoo. The controversial report, whose other authors include esteemed security experts such as Bruce Schneier and Rebecca Bace, has as its premise that Microsoft's dominance and de facto monopoly have created a more insecure world by aggregating risk into a single operating system. The idea is that a monoculture is more susceptible to threats, just as a homogeneous strain of crops can be wiped out by a single virus. From the authors' perspective, the timing of the release could not have been better, as we have been reeling from a succession of late-summer attacks on Microsoft systems, such as the Blaster (MSBlaster) worm.
I find the concept of a monoculture very interesting, and I think this paper is worthy of much discussion on that point alone. The paper runs about 20 pages, and in that small a document I can't say the authors made their case, but they did raise some interesting questions that should be studied more rigorously and answered. The monoculture theory in this paper holds that Microsoft's market share dominance in desktop operating systems and office productivity applications has created an Internet composed of a common set of machines with a common set of vulnerabilities. This monoculture is susceptible to "cascade failures" that spread from system to system at extremely high rates. Building redundant systems does not help if they run the same Microsoft operating system: the attack finds the same vulnerabilities in every copy. According to the authors, the only solution is "risk diversification", which in this case means running more than one type of operating system.
This much is plainly true, and to me it is the only strong point made in the paper. The authors are fuzzy about solutions beyond insisting that government intervention is necessary, but they make one notable suggestion towards the end: "A requirement that no operating system be more than 50% of the installed base in a critical industry or in a government would moot monoculture risk." I am not sure whether this is a serious suggestion, but Houston, we have a problem. I was in the information technology business before I was in the security business, and in all that time the industry has pursued standardization with a religious fervor. Our economy, the Internet and the World Wide Web have been built on standards. I am sure that somewhere in the CIO's book of golden rules it says that standardization increases ROI and lowers TCO. Standardization often creates business agility, which is a key competitive advantage, and business schools are filled with case studies of companies that tried to do too much and "diversified" themselves out of existence. It is quite presumptuous to suggest a 50% cap on market share without understanding the economic impact of that suggestion and weighing it against the economic cost of the monoculture. The paper is fairly light on facts. It does quote a figure from a security consultancy called mi2g Ltd., claiming that malicious software is causing up to $107 billion in economic damage this year and that Sobig alone is causing $30 billion. It is unfortunate that the authors quoted numbers from a consultancy with limited credentials (you can read more about mi2g in an article by Rick Forno), and equally unfortunate that they did not attempt to monetize the cost of the monoculture itself rather than relying on generic numbers from an unproven source. If they could derive a rational cost of the monoculture, we could then compare it with the economic benefits and productivity gains of standardization.
The other aspect of the monoculture that would have been worth studying is whether there are alternatives to "risk diversity" as a solution, or at the very least additional methods to augment it. One possibility is finding ways to compartmentalize homogeneous systems. Our Microsoft systems are surrounded by Cisco routers and switches (another monoculture the paper does not mention). Are there ways to add rules and intelligence to the network infrastructure that govern how these homogeneous Windows PCs communicate with each other, so that anomalous behavior such as a cascading failure is contained? For example, a PC that has never connected to more than five machines should probably be isolated if it suddenly attempts to connect to 50.
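The fan-out rule sketched above can be turned into a concrete detection. The following is an added example, not code from the newsletter or from the CCIA report. It assumes connection records of the form (timestamp in seconds, source host, destination host), such as a switch or router could export, and it learns a per-host baseline of how many distinct destinations each host talks to per time window. The window length, the multiplier and the minimum fan-out are illustrative thresholds, and the sample flows are constructed for the example: a workstation that normally talks to five servers suddenly opens connections to 50 hosts, alongside a mail gateway whose normal fan-out is large and must not be flagged.

```python
"""Per-host fan-out anomaly detection over connection records.

Added example. The record format, thresholds and sample traffic are
assumptions made for illustration, not taken from the article.
"""
from collections import defaultdict


def build_sample_flows():
    """Constructed sample traffic: (timestamp_seconds, src_host, dst_host)."""
    flows = []
    # Five 60-second baseline windows: pc-17 talks to five servers,
    # mail-gw talks to forty MX hosts (a legitimately chatty system).
    for w in range(5):
        t0 = w * 60
        for i in range(5):
            flows.append((t0 + i * 7, "pc-17", f"srv-{i + 1}"))
        for i in range(40):
            flows.append((t0 + i, "mail-gw", f"mx-{i:02d}"))
    # Sixth window: pc-17 suddenly fans out to fifty distinct hosts,
    # the worm-like behavior the article describes. mail-gw is unchanged.
    for i in range(50):
        flows.append((300 + i, "pc-17", f"host-{i:03d}"))
    for i in range(40):
        flows.append((300 + i, "mail-gw", f"mx-{i:02d}"))
    return flows


def distinct_destinations(flows, window_seconds):
    """Map src_host -> window_index -> set of distinct destinations."""
    per_host = defaultdict(lambda: defaultdict(set))
    for ts, src, dst in flows:
        per_host[src][ts // window_seconds].add(dst)
    return per_host


def fan_out_alerts(flows, window_seconds=60, multiplier=5, min_fanout=20):
    """Flag a host when its fan-out in a window exceeds both an absolute
    floor and a multiple of the largest fan-out seen in its own history.

    The baseline is per host, so a mail gateway that always talks to
    forty hosts is not confused with a workstation that usually talks
    to five. A host with no history is never flagged on its first window.
    """
    alerts = []
    for host, windows in distinct_destinations(flows, window_seconds).items():
        baseline = 0  # highest fan-out observed in any earlier window
        for w in sorted(windows):
            count = len(windows[w])
            if baseline and count >= min_fanout and count > multiplier * baseline:
                alerts.append(
                    {"host": host, "window": w, "fanout": count, "baseline": baseline}
                )
            baseline = max(baseline, count)
    return alerts


def hosts_to_isolate(alerts):
    """Hosts a network policy engine would quarantine, per the article's rule."""
    return {a["host"] for a in alerts}


if __name__ == "__main__":
    found = fan_out_alerts(build_sample_flows())
    for a in found:
        print(f"{a['host']}: {a['fanout']} destinations in window {a['window']} "
              f"(baseline {a['baseline']})")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

On the constructed traffic only pc-17 is reported, in the sixth window, with fan-out 50 against a baseline of 5. The per-host baseline is what keeps the mail gateway quiet; a single global threshold would either miss the workstation or drown the analyst in alerts from servers whose job is to talk to many hosts. Raising the multiplier past the observed ratio (here 10) suppresses the alert, which is the knob an operator would tune against false positives.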
What I don't understand is why the paper needs ad hominem attacks on Microsoft that question the company's intentions, rather than sticking to the inherent problems of a monopoly. I feel that the choice of the CCIA to publish this report was a fatal one, both for Dan Geer's @Stake career and for the impact the paper could have had. As it is, defenders of Microsoft can point to the second paragraph of CCIA's introduction as proof that this paper was a contrived attack on an industry leader by its competitors rather than a scholarly work:
"Microsoft's efforts to design its software in evermore complex ways so as to illegally shut out efforts by others to interoperate or compete with their products has succeeded."
That sentence is an invitation to be ignored, not a prologue to reasoned argument. Several other "Microsoft is evil" statements are sprinkled throughout the paper. I believe Microsoft has done many unethical things (I could say that about many software companies), but I have never bought the notion that its market position is built on evil deeds. When Microsoft gets caught breaking laws and doing specific misdeeds, it needs to have the book thrown at it. Still, I believe the company has substantially earned its position by being responsive to the market. People forget how close Microsoft came to being shoved into the dustbin of history back in 1995. The market moved, and businesses with a huge dependency on Microsoft were moving away from it in order to embrace the Internet. Microsoft did an amazing about-face and adopted the Internet better than its competition.
Microsoft cares about security for cold, hard capitalistic reasons, and I believe the Trustworthy Computing initiative is moving the company in the right direction. The educational programs for its developers are sound, the processes for security checkpoints are much improved, and the executive-level focus is terrific. The problem is that we view Microsoft's security dilemma in political-campaign terms, where results must be evident within two years or the entire initiative is deemed an abysmal failure. The reality is that the painful attacks on Microsoft operating systems stem from architectural decisions made over a dozen years ago, and problems of that kind take a long time to solve. Very few people were talking about critical infrastructure 12 years ago. Essentially, in the first two years of Trustworthy Computing, Microsoft has been improving the security of products whose architecture is inadequate to today's tasks. At some point we need to build new operating systems designed from the start on the assumption that they are part of an interconnected critical infrastructure. Government certainly needs to be part of the solution, but so do Microsoft, Cisco, the IETF and everyone else. What we need is to take the very worthwhile framing of the monoculture problem out of this report and figure out how to balance the costs and benefits of standardization against those of risk diversification. We need to figure out how to build compartmentalization into our networks and prevent cascading failures in such a way that a Microsoft or a Cisco has the opportunity to benefit from the upside.
Don't get me wrong: I would like to see more corporate and consumer options for desktop operating systems. The paper makes the point that both IBM and AT&T had moments in their history when they faced government intervention against their monopolies. My point is that, in the great scheme of things, the government's actions have had much less to do with the IBM and the Bells we know today than competition from upstarts has. We in the industry sometimes lose sight of how young computing is, but competitive threats will ultimately bring us credible new desktop operating systems. I still believe a more grown-up Linux could be a strong competitor on the desktop, just as it already is in the server arena. If it isn't Linux, it might be gaming consoles, phones or something that doesn't even exist yet. Microsoft will be overtaken some day, but by David, not Goliath. In the meantime, CIOs need better reasons to dump the monoculture than those given in this paper.
CyberInsecurity: The Cost of Monopoly is available for download at:
http://www.ccianet.org/papers/cyberinsecurity.pdf
CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.
CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.