Monoculture on the Potomac

My next column, which appears online tonight and in print next week, quotes from a speech given last year by now-former @Stake CTO Dan Geer. (I also referred to that speech last August in this weblog.) Today my RSS feed is full of news about Geer, who was principal author of a paper that was presented on Wednesday at the 30th annual Washington Caucus sponsored by the Computer and Communication Industry Association (CCIA). Most reports suggest Geer was fired for his role in the report, though some suggest he resigned.

I hadn't known about the CCIA or its annual event, but the caucus agenda gave me some sense of the event:

3:30 p.m. Discussion: Software Security -- Facing the Problem
Following the unveiling of CCIA's paper on Software Security, prepared by industry's leading experts on encryption and cybersecurity, a panel will discuss the report which will include representatives from Congress, the media, and authors of the report, including Dan Geer.

6:00 p.m. Yacht Cruise, Reception and Dinner
Mingle with distinguished guests at one of Washington's premier venues. The USS Sequoia served as the official Presidential yacht from President Herbert Hoover until President Jimmy Carter. Enjoy the beautiful scenery of Washington and Old Town Alexandria as we cruise the Potomac River.
Location: The USS Sequoia Presidential Yacht, 600 Water Street, S.W.

An odd juxtaposition, but hey, why not? Microsoft was, after all, forced to become a Washington influence-peddler. As Michael Kinsley, in a column for Slate, said this week:

Refusing to wallow like a reptile in the influence-trading swamp is almost a violation of a big company's fiduciary duty to its shareholders. [Slate]

So we should expect no less of Microsoft's critics. On Thursday, Robert Lemos pointed out:

The paper is the latest salvo fired by the CCIA at Microsoft. And although the argument has been made in security circles before, this may be the first time that the position has been outlined to legislators. []

That position is, in a nutshell, that the Microsoft software monoculture is a national (indeed global) security risk. I agree. Yet I found both the paper itself, and the reporting that surrounded it, strangely unsatisfactory.

Entitled CyberInsecurity: The Cost of Monopoly and subtitled How the Dominance of Microsoft's Products Poses a Risk to Security, the paper was written by a security dream team:

Daniel Geer, Sc.D - Chief Technical Officer, @Stake
Charles P. Pfleeger, Ph.D - Master Security Architect, Exodus Communications, Inc.
Bruce Schneier - Founder, Chief Technical Officer, Counterpane Internet Security
John S. Quarterman - Founder, InternetPerils, Matrix NetSystems, Inc.
Perry Metzger - Independent Consultant
Rebecca Bace - CEO, Infidel
Peter Gutmann - Researcher, Department of Computer Science, University of Auckland

Here are the conventional news sources I collected this morning: on the report, on the firing, TechWeb, Forbes, InfoWorld, Washington Post on the report, Washington Post on the firing.

Reading through these, I was amazed not to find a single link to the report -- whose URL, by the way, is The only hint that it was even available online came in the second Washington Post story, which reports that CIO Magazine declined to rent its subscriber mailing list to CCIA, which had wanted to notify CIO's readers of the report. The Post's story reads:

At the same time, the editor for the magazine's Web site posted a poll asking readers what they thought of the report, which he linked to through the CCIA Web site. [Washington Post]

How odd that I had to use Google to find the CCIA website, and then scan it for the link to the report at the center of all this hullabaloo! I was sure that the blogosphere would handle this very differently, and of course it did. I ran a Feedster search for "geer schneier ccia". The first result didn't link to the report, but the second one did, as did the fourth.

I find this generally true nowadays. Folks who consume news by way of blogs are likelier to be exposed to primary sources than folks who rely on conventional news sources. Of course everyone's time is finite, so I'm sure those primary sources often go unread, but at least they're available. When conventional news websites don't bother, they make themselves much less valuable.

In any case, I finally tracked down and read the report. And I found myself agreeing with The Register's skeptical view of its central assertion:

From the security perspective monoculture is not of necessity bad; the problems (as indeed the document argues) lie in the flawed nature of the design of the base product, magnified many times by the ubiquity of that product, and again by the complexities introduced under the banner of integration and automation. So in theory at least, it seems to us, you could have a monoculture whose fundamental design premise was not fatally flawed, and whose security issues would therefore not be magnified by "cascade failure" across the network. Sure you could still argue it was lining the pockets of a bunch of greedheads who were stifling diversity, but that's a different argument. [The Register]

I agree. The argument I put forward in my controversial Security Blame Games column, and in the posting that aired some follow-on email discussion, is that we now have an intense and healthy competition between two different approaches to the construction of secure software: the open source way, and the new methodologies in effect in Redmond now that Microsoft has belatedly gotten religion.

With governments and major corporations now cozying up to Linux, some suggest that significant erosion of the monoculture has already begun. In fact, I think that's a stretch, and so does Karsten Self:

I _strongly_ suspect that many of these announcements are part of the current round of license (re)negotiation with Microsoft, rather than sincere efforts to deploy alternatives. The pattern has been for $MAJOR_FIRM or $COUNTRY to make a similar declaration, and a delegation from Microsoft to visit, followed by denials of any special deals. [Linux-elitists mailing list]

He adds, though:

The announcements aren't credible unless the threat is credible, and I do feel that a GNU/Linux-based desktop _is_ credible at this point.

Absolutely. From the perspective of national and global security, what's needed in my view is not simply software diversity, but competition among different ways of producing software. The vitality of OSS is, in many ways, a competitive reaction to Microsoft. I argue the reverse is also now becoming true. Microsoft is reinventing itself again because it faces a real competitive threat. These two software-producing cultures are forcing one another to raise the level of their games.

The Cyberinsecurity report concludes:

While appropriate remedies require significant debate, these three alone would engender substantial, lasting improvement if Microsoft were vigorously forced to:

Sounds great! But how do we get there? The forces currently in play may well produce the right results. In the case of XML and Web services, I'd argue they already have. The growing viability of OSS will advance the report's agenda more effectively, I suspect, than any legislation can.
