Debunking the Microsoft Monoculture

Thursday February 26, 2004

In September 2003 the Computer and Communications Industry Association (CCIA) published a paper, authored by a number of highly respected members of the IT security community, titled CyberInsecurity: The Cost of Monopoly.

What follows is an objective critique of the Cyberinsecurity paper, in which I raise some serious questions about the paper's conclusions. I won't repeat parts of the paper here, so it is strongly advised that the reader reads the CCIA paper before proceeding.

A point of perspective

The authors of the CCIA paper are all security experts - some are academics, some industry leaders, some consultants and advisors. They are all highly respected in the IT security industry. But note that none of them are economists, politicians, or sociologists. Microsoft's Windows operating system is pervasive - it is estimated that 90 to 97% of all desktop computer systems run Windows. But the reasons behind this level of adoption are seldom based on the level of security that Windows offers: there are many reasons people buy Windows. Given this, it is not reasonable to raise security above all other demands and to state that users must have security at whatever the cost. The whole picture must be taken into perspective, and the CCIA paper fails to do this.

Flawed metaphors

Use of the metaphor of the biological monoculture is seriously flawed. IT experts often use metaphors to describe a situation to an audience which may not understand the technicalities of the situation. But metaphors should be used only to describe the situation, not to draw conclusions. While I can agree that the prevalence of Microsoft Windows-based computers appears similar to a monocultural crop of potatoes, it would be foolhardy to conclude that the population of computers will react to attacks in the same way. This is drawing conclusions from a metaphor used to describe the situation, and cannot be relied upon.

Cyberspace is not a biological system. This can be demonstrated easily: the prevalence of insecure Microsoft systems demonstrates that the Darwinian principle of survival of the fittest does not apply here. If it did, we would probably all be using Apple computers by now.

In the following paragraphs I present some similar metaphors of a monoculture which are drawn in the same way, and which are very obviously flawed.

Flawed metaphors, Example #1

The local bus company where I live operates almost all of the buses in Auckland city (population about 1 million). All of their buses are made by Mercedes-Benz. Under the paradigm of the monoculture, this is an immense risk. At any time, a fault could occur and cripple the entire fleet. Naturally, from a security-specific "tunnel vision" point of view, it would make sense to have a fleet comprising buses from different manufacturers - but in practice this is a ridiculous proposition. The monocultural paradigm fails to take into account the strengths of the engineering teams in maintaining a fleet of the same type of vehicle, the purchasing power of buying from a single source, and other factors. Also consider that the likelihood of such a fault simultaneously affecting large numbers of buses is too small to be significant.

Flawed metaphors, Example #2

Jet airliners such as the Boeing 747-400 have 4 engines. These engines are all made by the same manufacturer (usually GE or Rolls-Royce, I believe). Given the immense demand for aircraft safety, shouldn't planes be fitted with 4 different engines from different manufacturers, just in case that type of engine has a systemic fault which could occur in all engines and bring down the plane?

Again, the metaphor of the biological monoculture fails to take into account the reality and practicalities of the situation.

Impracticality of Cyberspace diversity

The Cyberinsecurity paper suggests that organisations should run a number of different operating systems across their enterprise. This is not a practical solution.

For instance, the accounting department of a company is (arguably) the most important department. Let's say we are looking at a large company with 10 people in their accounts team. If all of those people have the same software running on the same operating system then, by the reasoning in the CCIA paper, they are a monoculture and are at risk of a catastrophic failure. So, to counter this risk, the computers must run different software: different operating systems, different office suites, different accounting packages. Obviously this isn't feasible - the cost of integrating such a multitude of systems, each with its own problems and idiosyncrasies, would be far too much work for the users and the IT department. Many IT departments have enough trouble maintaining one operating system across their enterprise; having 2 or more widely spread would be completely impractical. The costs would outweigh the benefits, and the costs certainly have to be taken into account in the big picture.

Is Microsoft really a monopoly?

The Cyberinsecurity paper states that Microsoft is a monopoly, and that this has been reinforced by user lock-in. It recommends that this be removed by opening the Microsoft Office APIs to allow competition.

This argument is simply wrong. It is a fact that Microsoft Office runs just fine under Linux with CodeWeavers' CrossOver Office. Heck, they even offer commercial support for running Microsoft Office under Linux, as well as the ability to run many other "Windows" applications. This demonstrates that there is little or no user lock-in. In fact, the increasing availability of compatibility products to bridge the gap between Windows and other operating systems such as Linux could have a major effect on anti-trust and anti-monopolistic cases against Microsoft.

The perceived Microsoft monopoly is simply that: perceived. IT consumers naturally choose Microsoft operating systems because that is what they have always chosen, and that is what everybody uses. They use Windows at work, so they choose Windows at home (and vice versa). They want to interrelate with other computer users who use Windows, so they choose Windows. The scale of the operating-system purchasing community is far, far larger than Microsoft, and they all want to run the same operating system. Microsoft is an accidental empire built from the social, economic, and political drivers of the marketplace, not from anything that Microsoft themselves have done.

CCIA sponsorship indicating conflict of interest

The Cyberinsecurity paper smacks of an astroturfing campaign. Briefly, this is when an organisation performs a campaign in such a way that it appears to come from the "grass roots" - the general public, or industry experts. It is notoriously easy to perform such campaigns using the Internet. This is simply my opinion here - I don't have enough details on the origins of the paper to confirm whether such a campaign was organised by the CCIA.
