Diversity Not the Answer to Monoculture Computing

A recently published white paper, which argued that the federal government’s
increasing reliance on Microsoft software makes federal systems
“susceptible to massive, cascading failures,” has continued to spark controversy since it was first presented
in September.

The report — presented at a meeting of the Computer & Communications
Industry Association (CCIA), a trade group which has been critical of
Microsoft in the past — suggested that reliance on only Microsoft
operating systems and applications, which it calls ‘monoculture computing,’ increases the risk associated with security vulnerabilities and computer
viruses.

But one analyst is arguing that enterprises should not
conclude from the report or the ensuing debate that diversifying their software is the answer. Diverse operating systems will still have security issues, as well as increased costs, noted Michael Gartenberg, research director with Jupiter Research (owned by the same company as this Web site).
“A few weeks ago, the CCIA published a report that says a monoculture
computing environment is a bad idea, citing the security issues on the rise as a result of Windows popularity on the desktop,” Gartenberg said in a research note.

“Some analysts agree and suggest diversifying desktop operating
systems is a good idea for lowering security costs and issues. The problem is that the causal relationship is almost never true, and diversity is not
the answer.”

Gartenberg argued that diversity will not lower security costs or risk.
Instead, he said, businesses that follow advice suggesting they utilize
multiple operating environments in their infrastructure will have to bear
the security costs and issues associated with all the operating systems
they use, instead of one. That’s on top of other costs they’ll bear for
supporting multiple operating systems and associated software.
“The fallacy is that diverse operating systems will not have security
issues or holes,” he said, pointing to the fact that 16 of the 29 security
advisories issued by the Computer Emergency Response Team (CERT) last year
involved Linux or open source products.

“Any popular OS will draw the attention of virus writers and hackers, and
today’s interconnected systems are the real weak link,” Gartenberg said.
“If alternative systems grow in popularity, it is likely they will become
the target of attack as well. Monoculture has nothing to do with it. When
Apple commanded double-digit market share in the early 90s, Macintosh users
were regularly plagued by virus issues.”

That conclusion, at least, is borne out by the stance of Daniel Geer,
primary author of the controversial report, “CyberInsecurity:
The Cost of Monopoly — How the Dominance of Microsoft’s Products Poses a
Risk to Security.”

In an interview with
internetnews.com after the report was released, Geer said, “If the
monoculture was all Linux, it would be just as bad.”

Geer’s argument is that a cascading failure of networked computers is only
aided if all of the components of the network are alike. Replication and
redundancy can mitigate the effects of failures, but Geer said that if the
components are all the same, then no amount of replication can protect
against a failure.
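Geer’s replication argument and Gartenberg’s cost point can both be made concrete in a small model. The following is an added example, not code from the article or from either analyst: each replica is modelled as the set of components it depends on, each component independently carries an exploitable flaw with an assumed probability, and the fleet is only down when every replica is hit. The fleet layouts, the component names and the 0.3 flaw probability are constructed assumptions. The model also goes one step beyond the article by including a nominally diverse fleet whose platforms share a single library, which behaves much closer to the monoculture than to the fully diverse fleet.

```python
"""Toy model: does replication protect a fleet when its components are alike?

Each replica is a frozenset of the components it depends on. Every component
independently carries an exploitable flaw with probability p_flaw. A replica
fails if any of its components is flawed; the fleet is out when all replicas
fail. This is a constructed illustration, not data from the report.
"""
import random
from typing import Dict, FrozenSet, List

Fleet = List[FrozenSet[str]]

# Constructed fleets of three replicas each (component names are assumptions).
MONOCULTURE: Fleet = [frozenset({"os-a", "lib-x"})] * 3
DIVERSE: Fleet = [
    frozenset({"os-a", "lib-x"}),
    frozenset({"os-b", "lib-y"}),
    frozenset({"os-c", "lib-z"}),
]
# "Diverse" operating systems that all pull in the same library.
SHARED_LIB: Fleet = [
    frozenset({"os-a", "lib-x"}),
    frozenset({"os-b", "lib-x"}),
    frozenset({"os-c", "lib-x"}),
]


def components(fleet: Fleet) -> set:
    """All distinct components the fleet depends on (what must be patched)."""
    return set().union(*fleet)


def outage_probability(fleet: Fleet, p_flaw: float) -> float:
    """Exact probability that every replica is hit in one flaw event.

    Enumerates every subset of flawed components; fine for small fleets.
    A monoculture collapses to 'any shared component flawed', so adding
    replicas never lowers this number, which is Geer's point.
    """
    comps = sorted(components(fleet))
    total = 0.0
    for mask in range(1 << len(comps)):
        flawed = {c for i, c in enumerate(comps) if (mask >> i) & 1}
        prob = 1.0
        for c in comps:
            prob *= p_flaw if c in flawed else (1.0 - p_flaw)
        if all(replica & flawed for replica in fleet):
            total += prob
    return total


def expected_patch_work(fleet: Fleet, p_flaw: float) -> float:
    """Expected number of distinct components needing a patch per event.

    Grows with the number of distinct platforms in use, which is the
    operational cost Gartenberg describes.
    """
    return len(components(fleet)) * p_flaw


def simulate(fleet: Fleet, p_flaw: float, trials: int = 20000,
             seed: int = 1) -> Dict[str, float]:
    """Monte Carlo check of the exact figures above (seeded, so repeatable)."""
    rng = random.Random(seed)
    comps = sorted(components(fleet))
    outages = patches = 0
    for _ in range(trials):
        flawed = {c for c in comps if rng.random() < p_flaw}
        if all(replica & flawed for replica in fleet):
            outages += 1
        patches += len(flawed)
    return {"outage_rate": outages / trials, "avg_patches": patches / trials}


if __name__ == "__main__":
    p = 0.3  # assumed per-component flaw probability
    for name, fleet in [("monoculture", MONOCULTURE),
                        ("diverse", DIVERSE),
                        ("shared library", SHARED_LIB)]:
        print(f"{name:15s} outage={outage_probability(fleet, p):.4f} "
              f"patch_work={expected_patch_work(fleet, p):.2f} "
              f"sim={simulate(fleet, p)}")
```

With the assumed figures the monoculture loses all three replicas 51% of the time per event, the fully diverse fleet about 13%, and the fleet that merely shares one library about 32%; the expected patch work rises from 0.6 to 1.8 components for the diverse fleet, which is the trade-off the two analysts are arguing over.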

“Nature has proven to us that a monoculture fails catastrophically,” Geer
told internetnews.com.

In the report, Geer suggested three remedies that he said would go a long
way toward containing such an eventuality. The remedies were specific to
Microsoft, but he said they would apply to any other entity able to
dominate its market, as both IBM and AT&T have done in the past. Geer said
Microsoft should:

  • Publish interface specifications to major functional components of its
    code, both Windows and Office

  • Foster development of alternative sources of functionality through an
    approach comparable to the ‘plug and play’ technology for hardware
    components

  • Work with consortia of hardware and software vendors to define
    specifications and interfaces for future developments, in a way similar to
    the Internet Society’s RFC process to define new protocols for the
    Internet.

But Gartenberg said that the best tack enterprises can take to protect
themselves is to focus on proactive measures and taking responsibility for
their systems. He said businesses should make sure they deploy patches in a
timely manner and use technology like personal firewalls, rather than
seeking potential savings through diversity.

“If there is no functional ROI, diversity just raises operational costs and
reduces productivity,” he said. “The last thing IT shops need to deal with
is affirmative action for minority operating systems.”

However, he noted that diversity does make sense when there is a
return-on-investment benefit associated with supporting multiple operating
environments.

“Diversity does make sense when there is an ROI associated with
functionality,” he said. “For example, an organization that deploys Mac OS
to meet certain business needs and as such the ROI benefit almost certainly
cancels out any TCO overhead.”

Geer himself, formerly the CTO of Boston-based computer security firm
@Stake, found himself out of a job the
day after the release of the report.

The firm, which does business with Microsoft, said Geer’s report was not
approved by the company and that the “values and opinions of the report are
not in line” with the company’s views.