Revisiting the Software Monoculture
September 21, 2006
Three years ago, Dan Geer led a team of security experts in authoring a paper about the threat of a software monoculture. The paper, entitled "CyberInsecurity: The Cost of Monopoly" received a tremendous amount of attention, praise, and criticism for its detailed description of the threat posed by the ubiquity of Microsoft's Windows operating system.
In addition to garnering all this attention, the paper resulted in Geer being fired from his position. Wired News covered the story well:
"No matter where I look I seem to be stumbling over the phrase `monoculture' or some analog of it," Geer, 53, said in a recent interview in his Cambridge home.
In biology, species with little genetic variation -- or "monocultures" -- are the most vulnerable to catastrophic epidemics. Species that share a single fatal flaw could be wiped out by a virus that can exploit that flaw. Genetic diversity increases the chances that at least some of the species will survive every attack.
"When in doubt, I think of, `how does nature work?'" said Geer, a talkative man with mutton chop sideburns and a doctorate in biostatistics from Harvard University.
"Which leads you -- when you think about shared risk -- to think about monoculture, which leads you to think about epidemic," he said. "Because the idea of an epidemic is not radically different from what we're talking about with the Internet."
Because the paper was so provocative, influential, and insightful, I was glad to see Geer's ideas, and the threat of technological monoculture revisited with great effect recently by eWeek's Ryan Naraine, in "Microsoft Monoculture Myopia". (The piece is also pleasing because it has a sort of b-movie horror flick title to it.)
I found this article to be among the more exceptional bits of journalism that eWeek has done, so I emailed Ryan to ask him some questions about how the article came to be. I was also curious what inspired the magazine to revisit a topic that was initially raised three years ago but has been, to some degree, forgotten by a lot of the trade press.
Q: What inspired you to revisit the Geer report now? Was this an editorial assignment delivered to you, or something you wanted to follow up on yourself?
RN: I covered the fallout from the original report three years ago and have always been very interested in this topic. Late last year, in an essay published at Login, Geer did his own follow-up and I got the idea to wait for September and do an anniversary-type piece. I pitched it to my editors and they liked it enough to put on the eWEEK cover.
Q: This is a pretty controversial topic -- partisans on both sides of the debate can get pretty strident about the conversation. Is that a positive or a negative trait for a story?
RN: Even in the research stage, I'm hoping to find people to disagree and get into a debate so I can fully understand all sides. From that standpoint, it's a positive trait. Most times, it becomes a bitter "he-said, she-said" and people get entrenched and stops listening to each other. That can be aggravating and can sometimes leak into the reporting. My favorite interview for this piece was the Continental Airlines guy (Andre Gold) who was able to explain the risks of both sides without being a 'fence sitter'.
Q: Both Geer's paper and your article make explicit comparisons to biological monocultures, and the parallels between a software virus and a literal virus. Have you thought about the parallels to a sociological monoculture?
RN: One of the guys I interviewed (report co-author John S. Quarterman) raised this fleetingly but it wasn't something we spent much time discussing. John talked about the societal downsides of everyone listening/wearing/watching/doing the exact same thing. He also pointed me to the devastating effects of the Boll Weevil in the early 20th century that was caused entirely by monoculture.
Q: Are there any other similar monocultures in technology that you'd want to write about in the future?
RN: Yeah, the blog echo-chamber. :) Not really, I haven't given much thought to it. I write entirely about security so my focus these days is very narrow.
Thanks to Ryan for taking the time to comment on the article. I found the entire discussion to be a very useful way of re-engaging in the topics raised by the original Cyberinsecurity paper. The one line that lingers with me is Geer's comment from the Wired News story: "Genetic diversity increases the chances that at least some of the species will survive every attack."