RealTime IT News

Geer Says He Knew What Was @Stake

Daniel Geer, the now-unemployed author of a report critical of monopolistic technologies, doesn't understand what all the hoopla is about.

The long-time network security specialist, who was trained as a bio-statistician, explained that all he wanted to do in his recent study was alert Washington insiders and the IT world to the risk of IT technologies as they relate to business risk.

That study, CyberInsecurity: The Cost of Monopoly -- How the Dominance of Microsoft's Products Poses a Risk to Security, is now widely believed to be the reason Geer is no longer associated with @stake, the Boston-based computer security firm that he co-founded.

"This [work] was simply business as usual," he told internetnews.com on Friday during a brief telephone interview.

On Wednesday Geer presented the white paper, which said the government's increasing reliance on Microsoft desktop software makes federal systems "susceptible to massive, cascading failures."

He presented the study to the Computer & Communications Industry Association (CCIA), a trade group that promotes open systems and networks, which has been critical of Microsoft in the past.

@Stake later confirmed that Geer is "no longer associated" with @Stake as its chief technology officer. In a statement, @Stake said Geer's report was not approved by the company and that the "values and opinions of the report are not in line" with the company's views.

To quell speculation in media reports that he has left the firm because the study criticized Microsoft, a client of @Stake, Geer emphasized that he has never accepted any payment from the CCIA.

He said the trade group did not sponsor the report, nor is he a member of CCIA.

"I've never dealt with them at all," he said.

Geer said he approached the CCIA about presenting the report because he recognized the organization as the best "publicity vehicle" for his message due to its longstanding relationships with U.S. lawmakers and other influential parties inside the Beltway.

Indeed, @stake representatives confirmed that Geer has spoken and written extensively about network security issues independently of the company in the past. But while Geer acknowledges that the reaction to his latest work has been overblown, the Harvard/MIT scholar still firmly believes that the message in his report remains important enough to convey: reliance on "monoculture" exposes the risk of catastrophic cascading failure.

And Geer just might have the qualifications to know what he is talking about. Nearly two decades ago, Geer spent a good amount of his tenure at MIT working on Project Athena, a research project funded by IBM and Digital Equipment Corp. that has led to many developments of client/server technology in a distributed computing world.

About a year ago, Geer began discussing the ideas that led to his latest, and most controversial, work.

"It came to me that at the big picture level, there are only two things that matter," Geer said. "First, if the very nature of a network is what makes it unique (for example, the North American power grid or the Federal Aviation Administration's air traffic control system), then not only do you have to protect the network, you have to replicate it." But that replication, he explained, is merely one of two major risks that must be fully minimized. The other major risk is a cascade of failures.

Returning to the example of the North American power grid that led to this summer's massive blackout -- the largest in U.S. history -- he said the very make-up of a network may not contribute to how a systematic failure erupts but it certainly has everything to do with how it spreads.

"It doesn't have to be anything special that starts it. The reason my snowball rolled down the hill had nothing to do with the kinds of snowballs that I used to make it."

And, he added, a cascading failure of networked computers is only aided if all of the components of that network are alike. Unfortunately, if the components are all the same, then no amount of replication can protect against cascading failure, he explained.

"Nature has proven to us that a monoculture fails catastrophically," he said.

But Geer contends that the motivation of his report, despite its title, wasn't to discredit Microsoft -- a paying client of @stake.

"If the monoculture was all Linux, it would be just as bad," Geer told internetnews.

But the dangers inherent in a monoculture are only exacerbated by a policy of trying to lock its users into one family of products. And in this sense, Geer admits that Microsoft does become the principal topic of discussion.

"The one place that it's a policy issue that might be of relevance is when security policy is entangled with competition policy," he said.

When asked what he plans to do now, Geer noted: "Today, I'm not going to do anything and I'll think about it on Monday."

A spokesperson for @stake categorically denied that Microsoft played any role in Geer's termination and declined to elaborate, saying that the issues were confidential and solely between Geer and the company.

When asked about Geer's assessment that Microsoft wasn't the intended target of his study, a spokesperson responded: "I think you can look at the paper and make your own opinion on that."

A .pdf version of the white paper can be found here.