Of Patches and Potatoes: Windows, Monocultures, and Bad Things Happening

Jon Udell, Simon Phipps, and a host of other technorati have pointed to this report, “Cyber InSecurity: the Cost of Monopoly”, published by the Computer and Communications Industry Association. It makes a very simple case, based on research by the authors: that having a “monoculture” of operating systems on the Internet creates an inordinate risk.

Monocultures have spelled trouble throughout history. My ancestors who brought the Gallagher name to the US came here in the wake of the failure of a monoculture–potatoes, which supplied an inordinate percentage of the food supply, were susceptible to a fungus “blight”. The failure of potato crops had a disastrous effect that Ireland, it could be argued, only really recovered from at the end of the 20th century.

The EPA has a history of the Potato Famine on its website, which includes this passage:

Besides the horror, what unites the famines today with one over a century ago are the reasons behind them. Ireland's famine and those of the 20th century have similar, complex causes: economic and political factors, environmental conditions, and questionable agricultural practices.

Substitute “vulnerable code” for “environmental conditions”, and “business” for “agricultural”, and you've got a description of the current state of the Internet.

Windows is the potato of the Internet age. That's basically what the researchers, including analyst Daniel Geer of @Stake, were saying when they wrote, in the executive summary:

“Most of the world's computers run Microsoft's operating systems, thus most of the
world's computers are vulnerable to the same viruses and worms at the same time. The
only way to stop this is to avoid monoculture in computer operating systems, and for
reasons just as reasonable and obvious as avoiding monoculture in farming. Microsoft
exacerbates this problem via a wide range of practices that lock users to its platform.
The impact on security of this lock-in is real and endangers society.

“Because Microsoft's near-monopoly status itself magnifies security risk, it is essential
that society become less dependent on a single operating system from a single vendor if
our critical infrastructure is not to be disrupted in a single blow.”

After this report was published, Geer was fired by @Stake, which is a Microsoft contractor. The fact that Geer was apparently fired for mentioning the elephant in the room with him is telling. Considering the world-wide press Microsoft is making to prevent alternative operating systems like Linux from taking root, it's obvious that some folks think maintaining the dependence of the masses on the next release of Potatoes Server and Potatoes XP is essential to continuing their standard of living.

As someone who once earned his bread by installing and administering Windows NT networks, I can't help but agree with the CCIA assessment. While I use multiple computers, I now do all of my daily work (including e-mail) on one of my two Apple computers–mostly because I haven't had to worry about an e-mail worm or script attack since I started doing so. My 12-year-old son uses a Windows XP computer, which I'm constantly applying patches to. And as I mentioned in Server Not Found, constant reboots from applying patches actually killed the last Windows 2000 server in my inventory. It sits in the corner of my office, awaiting resurrection with a new motherboard or cannibalization of its parts.

The best defense against any assault is defense in depth–relying on one thing for defense is what led to the Maginot Line, and, well, we know how that turned out. Having loosely coupled, heterogeneous systems means that you can more easily ride out an assault (or a fatal bug) in any part of your infrastructure.

The main problem is increased cost of ownership–you need to have people with multiple skill sets to maintain multiple operating systems. Well, maybe. Some alternative OSs may actually reduce cost of ownership for some classes of users. If you build your applications on top of a cross-platform architecture, switching from a MS SQL server backend over to a MySQL backend won't be that big a deal. If you stick to common file formats, the cost of maintaining different office productivity apps isn't that significant (I use Office, AppleWorks, and OpenOffice within my office, on the same files, interchangeably, every day–sometimes even at the same time).

A point made by the study is that any technology monoculture is a potentially bad thing. If we had a Linux monoculture (perish the thought), we'd all be dealing with the latest Linux virus…right?

Hmm. Probably not. Because, you see, there's a big difference in that scenario–anyone can look at Linux's source code. And because of all of the different potential configurations, distributions, and revs to Linux (hell, some application binaries don't work from one version of Linux to another on the same processor platform), a “Linux monoculture” would be an oxymoron.

But here's another example–what if, say, there was another flaw like the floating point “flaw” that Intel had with the Pentium processor, or the, ahem, cache problems that Sun had with the UltraSPARC, and a vast preponderance of systems running the Internet depended on that CPU? What if everybody used the same Ethernet chip for their network interface, and it was found to have a bug that caused it to go into permissive mode? What if someone could, say, exploit a hole in Passport, and use it to launch a DoS on every system running MSN Messenger?

What, indeed. Potatoes may be cheap and easy to cook, but if they're what you live on, their cost of ownership can get extremely high very fast. Just ask any Gallagher you run into.