The Monoculture Hype

"Monoculture" - it sounds very cool, I want one!! Oh, wait, I'm told I don't - by none other than a concerned group of security industry luminaries including my long-time associates and friends Dan Geer and Bruce Schneier. As if that weren't enough, along comes Gartner group (the remora of the high-tech intelligentsia) and sticks their visionary stamp on it by apparently planning to release a research briefing that basically says "Yeah! What HE said!" This whole story would barely be news if @Stake, Dan Geer's ex-employer, hadn't done a brilliant surgical marketing strike on its left foot by firing Dan. Never mind that Microsoft is probably @Stake's biggest, or more likely only, customer... That's not what I wanted to talk about.

Let's look at this whole "monoculture" issue and see if it makes sense.

Basically, the argument goes like this: In the natural world, some organisms do not have sufficient genetic diversity and therefore share common weaknesses against certain attack vectors. Such organisms run the risk of being completely wiped out by a successful virus before they can develop an immunity. In the computing world, we are heading toward a single computing environment (Windows) and, if we do that, we risk having our entire computing world wiped out by a successful attack. I believe that's a pretty fair synopsis of their analogy.

Computers, however, are not biological entities!! They do several things very differently in ways that are relevant to this analogy:

In the biological world, we humans have developed fairly complex and slow mechanisms for sharing immunity - based on exposing eachother or our livestock to partial forms of actual pathogens. As you may know, this is dangerous. Sometimes people get sick and even die from immunological reactions to vaccines. Computers, generally, don't. Perhaps I'm an unusual case, but I've been running an antivirus product on my desktop for 6 years and have never gotten a virus. It has successfully blocked thousands of Email propagating worms and dozens of viruses, absolutely flawlessly. And, yes, I am using a popular version of Windows with a typical load-out of applications and I don't waste any time "hardening" my machine beyond what I get innately with my antivirus program, some common-sense browser settings (No ActiveX) automated updates, and a simple Linksys home network firewall. Aaaah-HAH! Do you see it?

There is no "monoculture" here. My system isn't just Windows. My security is effected (and affected) by a bewildering combination of default settings, software patch levels, default firewall rules (I just plugged it in, honest!), browser settings, and antivirus signature sets. We're not in anything like danger of becoming a "monoculture" unless every system was running the same software load-out, security policy, antivirus product, and patch level. In spite of the dearest wishes of countless system administrators, that simply isn't going to happen! So, as much as I hate to say it, Sun's marketing people may have been right, "The network is the computer" - and the network sure as hell isn't going to become a "monoculture" unless Microsoft builds all the firewalls, all the routers, all the switches, all the web accellerators, all the SQL databases and establishes everyone's security, routing, DNS, and update policies.

Let's look at some real world scenarios that have happened and try to see if the "monoculture" danger looks particularly likely. When Sobig worm broke out in the world, some organizations survived just fine while others got screwed up. Other organizations suffered damage and temporary outages. Other than getting a lot of emails that day (which my bayesian spam filter learned to trash for me!) my machine kept chugging without a single problem. For virtually everyone who had a clue about security, and who had antivirus software installed, most of the worms in the last 5 years have been non-events except for the clutter that their victims caused. If I may allow myself an analogy, for me, CodeRed, Sobig, Slammer, Slapper, and Cthulhu have been as unpleasant as the bubonic plague was to one of its 13th-century survivors: stepping over the disgusting bodies of those who were not immune was quite distressing, but - I survived and they didn't. Is the lesson here "worry about monoculture" or is the lesson "keep your immune system up to date"?

The concept of monoculture threats in biological systems also deals only with a very, very, very small subset of the things that can wipe out a species. Arguing by analogy is dangerous but since the CCIA authors started it, I'll continue in that tradition. Suppose you're planting corn. If you're worried about a viral corn-blight wiping out your monoculture genetically engineered corn, you'll plant 3 different strains. If you're worried about corn-blight wiping out your genetically engineered corn, by the way, you're pretty ignorant about farming: most of the genetically engineered crops are far tougher than their less evolved bretheren. And, since I'm assuming you're not a very good farmer, I'll assume you didn't realize that this part of Pennsylvania where I live is Deer Country. (heck, I live right off of Deer Creek Rd and they aren't kidding!) Since you forgot to fence your crops with a 10-foot storm fence the deer will cheerfully obliterate all 3 of your different strains without prejudice. This is what I meant earlier that some threats are outside of the scope of what "monoculture" affects. To carry this analogy into modern computing: it doesn't matter what mix of desktop operating systems you rely on if your dot-com goes chapter 11 because you had one system administrator per employee. Genetic lines can die out because their ecological niche went away (lived in a bad neighborhood), because of predation (they are too tasty), because the food they depended on went away (the espresso machine broke down), etc. There are so many fun and painful ways to become a statistic, in life or in internet security, that worrying about lack of species diversity is about as sensible as worrying if your necktie is going to match the front bumper of that oncoming truck.

The last paragraph was an example of distorting the truth by using an analogy. Analogies are dangerous verbal tools. Basically, they treat the listener as a patsy by presenting a carefully constructed world-view that is tailored to explain and prove the analogist's point, while omitting everything that would argue against it. While the concept of "monoculture" is an attractive analogy for a security problem, it ignores the simple truth that we could just as easily talk about the actual problem in its real context without resorting to cute analogies. For example, if you take the CCIA paper and rewrite it into a pure computer security conceptual framework, I think the authors' argument might read something like: "Microsoft's products suck; they are insecure. Everyone keeps buying Microsoft's products anyhow, which makes the situation worse rather than better. There is a very real danger that if everything relied on sucky products then we'd all be vulnerable all the time and some cataclysmic software chernobyl is more likely to happen." It happens I agree with that statement. But if you avoid the analogies and pseudoscience and pose the problem in the terms I did above, then you've avoided intellectually painting yourself into a corner and you can ask the interesting questions such as: "how can we reduce the suckiness?" "are we applying the wrong market forces?" "what alternatives are better?" etc. In fact, these questions are so obvious (and profound) that asking them around most seasoned security experts will generate a tired "well, DUH!" as a response. I think, honestly, that the CCIA authors' reliance on analogy helped them catapult a "well, DUH!" anti-Microsoft whine into a major whitepaper. Professionally it's good for them, but for the industry, intellectual honesty is better in the long run.

Dan and Bruce and the other authors of the paper are great guys and I've hoisted many a beer with them in friendship. But they are barking up the wrong tree about this "monoculture" thing. Worse yet, I fear that their agenda, however well-meaning it may have been, has already been co-opted as a marketing weapon against Microsoft by organizations whose histories in security are no better than Microsoft's. Already, people are pointing to the CCIA paper and observing that it might be another argument in the anti-trust case against Microsoft. Already, CCIA (funded by disinterested Sun and disinterested Oracle) is complaining that the Department of Homeland Security is endangering national security by using Microsoft products on its 100,000+ desktops. CCIA's paper claims that "The focus on Microsoft is simply that the clear and present danger can be ignored no longer" - I'm sorry I have to disagree. The clear and present danger is that federal IT staff are woefully under-skilled and that system administration is a mess. The clear and present danger would be if the Department of Homeland Security's 100,000+ desktops aren't running antivirus software, are running ActiveX turned on in their browsers, and aren't managed by competent IT professionals. Indeed, that's a problem that would be dramatically exacerbated if, in order to avoid "monoculture", federal IT was re-hosted on a hodgepodge of operating systems.

The "monoculture" paper has certainly sparked some interesting discussion in the security field, and I think it is great that we're at least trying to look past the "apply the patch of the day" mindset and are trying to consider the big picture. From where I sit, the big picture continues to show the fundamental problems are vendor-neutral. It's 2003, why are we still getting viruses? It's 2003, why are we still shipping systems with dangerous services turned on by default? It's 2003, why are we still using plaintext passwords and writing them on post-it-notes? Any of these threats (like the deer in the cornfield) are far greater "clear and present dangers" than "monoculture." But they don't make headlines! If you present a paper at a security conference and announce that you've discovered that antivirus products pretty much work - everyone will look at you and go, "duh!" The question is, "why is it even technically possible in 2003 to run a computer that doesn't have antivirus protection built into it and enabled by default?" Indeed, a monocultural monopoly might get us there faster than a heterogenous environment. I'm not preaching "put all your eggs in one basket, and watch that basket" but I think a more useful question would be "what's keeping us from building a basket we'd be able to trust with virtually all our eggs?" I actually don't think that's a hard problem. Getting everyone to agree on the basket won't happen because, well, commercial self-interest and the fact that we have at least 4 multibillion-dollar basket-makers will derail any real progress. Charles Darwin had a theory that encompasses massive die-offs under the rubric of "sh&t happens." Personally, I'm not worrying about "monoculture" - I'm keeping my immunity levels high and automated, and I'm confident I'll be one of the ones burying the dead after the next plague. Where will you be?