Questioning the Monoculture Argument

In early 2002, a couple of biologists sent a letter to the online publication Emerging Infectious Diseases. Titled Contagion on the Internet, the letter draws some parallels between computer viruses and biological pathogens. Among the arguments the authors make is this one: "The electronic monoculture that improves communication also increases the risk for contagion. Predominant use of a single operating system has improved communication and sharing of electronic data but has also facilitated ready amplification of virulent programs. As with biological infection, transmission of computer infection depends on susceptibility of the population. Virus producers saw an opportunity in the popular preference worldwide for PCs with Microsoft Windows operating systems. The enormous popularity of these systems, along with their long-recognized inadequate protection against misuse, made computer users susceptible."

Recently this letter has drawn some renewed interest in the computer media, and various people have gone on to condemn the software monoculture, as exemplified by Microsoft Windows and SQL Server and IIS, as the major problem on the Internet. Advocates of competing products have seized on this notion to argue that we need a greater diversity of operating systems and server products on the Internet to protect it from quickly-spreading worms like MSBlast and SQL Slammer. Others have suggested that the answer is to encourage deliberate variations within popular products, so there might be, for example, various "strains" of IIS, only some of which would be susceptible to any given worm.

It's a seductive argument, and one that gets dressed up with learned historical references to things like the Morris worm and the Irish Potato Famine. It's also rubbish.

The problem with analogies is that they can become a comfortable way to avoid actually thinking about the subject at hand. Monocultures are bad, goes the reasoning, because the potato famine devastated the Irish population, and the blight killed all those elms. And Microsoft software is a monoculture. Therefore, something ought to be done about Microsoft. But, if you think about it a bit, you'll realize that computers are not potatoes, and software is not a passive host waiting to be infected. There are at least three places where this analogy falls down badly.

First, the monoculture argument is not sufficient to explain the devastating worms that have taken advantage of IIS and SQL Server. Apache serves more Web sites than IIS these days, and other software (such as BIND and sendmail) is much more ubiquitous on the Internet than anything Microsoft has produced. Yet we haven't seen similar worms infecting Apache, BIND, or sendmail (at least, not yet). Microsoft software is not the target of worms just because there are a lot of copies of it around. Rather, Microsoft has produced some rather shoddy software in the past - and all too many smart and malicious people just plain don't like Microsoft, so they're willing to invest extra effort to find exploitable holes.

Second, the notion of injecting diversity and variation into the computing ecosystem is far from the only strategy we can take to deal with malicious code on the Internet. In the biological world, the potatoes get a blight and that's it for the potatoes; your only hope is to eat turnips. In the computing world, SQL Slammer starts spreading and the SQL Server team starts working around the clock to release a patch. Plus, slow though they've been to execute on it, Microsoft's developers have come up with strategies for improving the security of their products. SQL Server "Yukon" will be the next result of thousands upon thousands of programmer-hours devoted to thinking about and eliminating vulnerabilities. I think that's a lot more likely to produce a secure product than some process of random variation.

Finally, diversity within any particular organization is a recipe for disaster, not for security. Do you really think your IT staff could do a better job of securing eight different Web servers and five different databases than if they picked one of each and standardized on them? Security professionals are a scarce resource, as is the time and energy to keep up on new bugs and patches. By settling on their own monoculture, from whatever source, IT departments can make their networks more secure, not less.

Frankly, I doubt the sincerity of most monoculture-in-computing advocates. Oh, I'm sure they'd like to see an end to the Microsoft monoculture in the niches where Microsoft is currently dominant. But they don't want to see a thousand flowers bloom; they want their own preferred software to take over. And that's not a technical stand, but a political one, no matter how it's disguised.

About the Author

Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.