Daniel Geer, the now-unemployed author of a report critical of monopolistic technologies, doesn’t understand what all the hoopla is about.
The long-time network security specialist, who was trained as a
bio-statistician, explained that all he wanted to do in his recent study was alert Washington
insiders and the IT world to the risk of IT technologies as they relate to business risk.
That study, CyberInsecurity: The Cost of Monopoly —
How the Dominance of Microsoft’s Products Poses a Risk to Security, is now widely believed to be the reason Geer is no longer
associated with @stake, the Boston-based computer security firm that he
“This [work] was simply business as usual,” he told internetnews.com on Friday during a brief telephone interview.
On Wednesday Geer presented the white paper, which said the government’s increasing reliance on Microsoft desktop software makes federal systems “susceptible to massive, cascading failures.”
He presented the study to the Computer & Communications Industry Association (CCIA), a trade group that promotes open systems and networks, which has been critical of Microsoft
in the past.
@stake later confirmed that Geer is “no longer associated” with @stake as its chief technology officer. In a statement, @stake said Geer’s report was not approved by the company and that the “values and opinions of the report are not in line” with the company’s views.
To quell speculation in media reports that he has left the firm because the study criticized Microsoft, a client of @Stake, Geer emphasized that he has never accepted any payment from the CCIA.
He said the trade group did not sponsor the report, nor is he a member of CCIA.
“I’ve never dealt with them at all,” he said.
Geer said he approached the CCIA about presenting the report because he recognized the
organization as the best “publicity vehicle” for his message due to its
longstanding relationships with U.S. lawmakers and other influential parties
inside the Beltway.
Indeed, @stake representatives confirmed that Geer has spoken and written
extensively about network security issues independently of the company in
the past. But while Geer acknowledges that the reaction to his latest work
has been overblown, the Harvard/MIT scholar still firmly believes that the message in
his report remains important enough to convey: reliance on “monoculture”
exposes the risk of catastrophic cascading failure.
And Geer just might have the qualifications to know what he is talking
about. Nearly two decades ago, Geer spent a good amount of his tenure at MIT
working on Project Athena, a research project funded by IBM and Digital
Equipment Corp. that has led to many developments of client/server
technology in a distributed computing world.
About a year ago, Geer began discussing the ideas that led to his latest,
and most controversial, work.
“It came to me that at the big picture level, there are only two things
that matter,” Geer said. “First, if the very nature of a network is what
makes it unique (for example, the North American power grid or the Federal
Aviation Administration’s air traffic control system), then not only do you
have to protect the network, you have to replicate it.” But that replication, he
explained, is merely one of two major risks that must be fully minimized.
“The other major risk is a cascade of failures.”
Returning to the example of the North American power grid that led to
this summer’s massive blackout — the largest in U.S. history — he said the very
make-up of a network may not contribute to how a systematic failure erupts
but it certainly has everything to do with how it spreads.
“It doesn’t have to be anything special that starts it. The reason my
snowball rolled down the hill had nothing to do with the kinds of snowballs
that I used to make it.”
And, he added, a cascading failure of networked computers is only aided
if all of the components of that network are alike. Unfortunately, if the
components are all the same, then no amount of replication can protect
against cascading failure, he explained.
“Nature has proven to us that a monoculture fails catastrophically,” he
But Geer contends that the motivation of his report, despite its title,
wasn’t to discredit Microsoft — a paying client of @stake.
“If the monoculture was all Linux, it would be just as bad,” Geer told
But the dangers inherent to a monoculture are only exacerbated by a policy
of trying to lock its users into one family of products. And in this
sense, Geer admits that Microsoft does become the principal topic of
“The one place that it’s a policy issue that might be of relevance is
when security policy is entangled with competition policy,” he said.
When asked what he plans to do now, Geer noted: “Today, I’m not going to
do anything and I’ll think about it on Monday.”
A spokesperson for @stake categorically denied that Microsoft played any
role in Geer’s termination and declined to elaborate, saying that the
issues were confidential and solely between Geer and the company.
When asked about Geer’s assessment that Microsoft wasn’t the
intended target of his study, a spokesperson responded: “I think you can look at the
paper and make your own opinion on that.”
A .pdf version of the white paper can be found here.