Monoculture or Mass Hysteria?
A metaphor too far
Opinion: From the attention the subject is attracting at the moment, one might assume that our so-called software “monoculture” is about to spawn a plague of biblical proportions, writes Stephen O'Grady of tech analyst firm RedMonk.
Gartner’s new study, discussed here, recommends that user organizations deliberately deploy other platforms in certain domains as a defense against viruses and vulnerabilities associated with Windows. The idea is that if an attack on Microsoft platforms succeeds, and “cascades” through the network, then some users running non-Windows systems will be insulated from the attack.
The Gartner report follows hot on the heels of another publication containing very similar arguments. Just a few weeks ago the Computer & Communications Industry Association (CCIA), a trade group closely associated with most of Microsoft’s major competitors, published a report entitled “CyberInsecurity: The Cost of Monopoly -- How the Dominance of Microsoft's Products Poses a Risk to Security.” That publication, which was, incidentally, possibly responsible for getting one of its authors fired, concludes that the nature of a software monoculture predisposes users to unacceptable levels of risk of catastrophic, system-wide failures. Further back in time, others have made the same argument, as we see from a highly entertaining article by John Quarterman here which draws parallels between the monoculture Internet and the threat of the Boll Weevil to the cotton crop in the early part of the last century.
What’s RedMonk’s take? We think the arguments underpinning the monoculture narrative are somewhat under-baked, and rest on somewhat doughy foundations. However, the narrative engendering these arguments is extremely powerful, which makes life far harder for Microsoft. The monoculture narrative is easy to understand. It has powerful and vocal champions in an internet community that is already predisposed to anti-MS feeling. The narrative comes at a particularly bad time for Microsoft—some customers that were willing to give Microsoft the benefit of the doubt when it comes to Trustworthy Computing (TwC) feel they have had their fingers burned. The monoculture narrative is sticky, and is aimed at a receptive audience. Microsoft’s biggest problem is that the monoculture narrative essentially appeals to the gut rather than the head; it’s an appealing story, without requiring compelling facts (in the IT domain) to back it up.
A few analysts have leapt to Microsoft’s defense on the subject as well. In these politically correct times arguing against diversity is often not the best way to win friends and be popular, but Rob Enderle makes the case here that diversity is not always a good thing. While we don’t subscribe to his notion that “diverse environments are less secure,” neither do we believe that they are intrinsically more secure. Michael Gartenberg, for his part, points to the fallacy of the underlying assumption that alternate options may be more secure. We think this argument overlooks the point of Gartner’s study, which is more about the timing of the failures, but his point has its merits.
We’ve treated the underlying arguments and conclusions seriously, however, and it seems to us that both the CCIA and Gartner’s conclusions are based on some flawed assumptions. To wit:
While many point to Microsoft’s ubiquity on the desktop as the major systemic threat to cybersecurity today, does it really make sense to view the desktop as a monoculture? Sometimes it’s better to see the trees than the forest, because as it turns out not all trees are the same. Without question, Microsoft’s different operating systems share vulnerabilities, but despite the widespread impact of some very serious exploits like the Blaster disaster, experiences vary.
Widespread virus attacks are unquestionably inconvenient, and a tremendous loss of productivity to those affected – and that’s just the beginning. But those organizations, for example, that employ personal, as well as perimeter, firewalls emerged relatively unscathed by Blaster. Those organizations that had taken the time to patch their machines with the available fixes also didn’t have to worry about that vulnerability. The point here is not that Microsoft is without blame, because it is not, but to describe Microsoft systems as uniform, and so uniformly at risk, is to ignore significant differences in configuration and management.
As seductive as it is to root for David against Goliath, the fact is: Microsoft is not the only “monoculture” in the digital world. Protocols and open APIs are an example of a necessary monoculture; it would be difficult to describe the web, for example, without HTTP as a common interface. Or DNS. And so on.
Linux is increasingly a monoculture. Linux is seen as “the Microsoft alternative”, and as such, is almost by definition a monoculture. Apache, like Linux, is one of the core applications constituting the web’s backbone. Should we kick Linux and Apache out or reduce their exposure in favor of IBM AIX, say, and Lotus Domino, just because these are not Microsoft and not Linux? We don’t think so.
Six of One, Half a Dozen of Another
This fact shouldn’t be news to anyone, but other operating systems have vulnerabilities too. Really – it’s true. Linux – the current OS du jour – has its occasional difficulties. A recent study by the mi2g group – which was not directly commissioned by Microsoft – found that Linux was actually breached more often than Microsoft’s server product. But vulnerabilities happen to everyone. A vulnerability in OpenSSH – the secure shell underpinning Linux and some Unix communications – was identified in September. The vulnerability, based on a good old buffer overflow, could potentially allow a remote machine to access a network. OpenSSH is shipped with most Linux distributions, and the Apache web server. The fact is that all software is potentially insecure; some is better, some is worse.
In that context, making your desktop environment heterogeneous may make you less susceptible to a tsunami-style failure (which one would hope would be a very rare event), but as we’ve seen above there are ways to minimize your risk of those failures through patching and configuration management – although these methods are too inaccessible for most users right now. And interestingly, by diversifying, you’ve just upped the number of vulnerabilities that your IT staff needs to monitor. Instead of just watching for Windows vulnerabilities, they now need to watch for both. This makes us more secure how, exactly?
One of the main concerns we have about the monoculture narrative is that it is based on the sweeping usage of biological examples. Whether it’s Boll Weevils or communicable diseases, these metaphors can only be so relevant to IT.
RedMonk clearly believes analogies drawn from nature are an excellent way of communicating and making accessible difficult technical concepts. Many CFOs will fall asleep, drooling, half way through a conversation about protocol vulnerabilities, for example, but start talking about the economic effects of smallpox or the bubonic plague on an unprepared population and you’re pretty much guaranteed to have their attention. It’s very important to remember, however, that these concepts are analogs and metaphors, and should be treated as such.
Nature has much to teach us, but it is not a perfect mirror for the digital world. McAfee Antivirus does not equal a flu shot, a firewall does not equal a Hazmat suit, and a Boll Weevil only has so much similarity to a piece of viral code written by a 17 year old. Are there parallels to be found? Certainly. But let’s not get carried away by them, because the digital world is as different from the natural world as it is similar.
IT and the Decision Making Process
Most importantly, however, we believe that any purchasing decision should be driven by business requirements rather than abstract notions of security through diversity. While the latter may have some beneficial impact during a disaster type scenario, a lack of attention to the former is certain to have a negative impact on end-user productivity and TCO.
This is not to say, please note, that an alternative desktop equates with poor performance or an inability to meet user requirements. Products like the Java Desktop System and the SuSE Enterprise Desktop have their places, but to us the decision to use or not use those products should be based on their merits and ability to meet the established requirements. At RedMonk, for example, we could have half of our staff running on Apple and half running on Linux and thus be free from Windows based viruses, with a diversified threat base.
Doing so, however, would make it harder, not easier, to work together, while our software purchasing and maintenance resources would be stretched. CRM implementations have long been maligned for their failure to meet business requirements; often this is because IT has not adequately addressed the needs of their users, and so CRM systems go unused. Implement a “diversity” oriented solution for the dubious security advantages it might present, and the result is likely to be no different. Gartner, to its credit, recognizes this when it recommends that this approach be done right, or not at all.
Ultimately we believe the monoculture narrative is itself a cultural virus. Organizations should therefore be very careful in making purchasing and strategy decisions based on it. Diversification as a concept should be examined as a strategy no more or less important than issues like resource requirements, total cost of ownership, and user needs. Security is an important concern for everyone, and we don’t want to downplay its role in the decision making process. But to make that factor the primary motivator for sales of a desktop package strikes us as the worst kind of IT driven decision making. There are a lot of good reasons to pursue alternative desktop strategies where appropriate, but we don’t believe that concerns about “monoculture” are one of them.
© Copyright 2003 RedMonk