No More Than the Obvious

September 30, 2003 — CSO — Last Monday, the security consultancy @Stake learned that its CTO, Dan Geer, had authored a white paper, Cyberinsecurity: The Cost of Monopoly, which codifies what everyone already thinksthat Microsofts outsized market share and business practices represent a "clear and present danger" to security.

Last Tuesday, Geer was fired, and Geer-supporters throughout the security community assailed @Stake for its failure to place principles above profit-motive. Microsoft, it turns out, is one of @Stakes biggest clients.

Six days later, this reporter finally got someone from @Stake to answer the disparaging question: Did the company really fire Geer out of fear of reprisal from Microsoft?

Their answer: Of course.

"It was no more than the obvious," says spokeswoman Lona Therrien. "There was an obvious concern that this was a risk to our business because of the client's trust. If we did not react, what would that say to our clients? This is not an academic forum, it's a business forum. It was a bad business decision [on Geer's part], not an academic one."

Speaking of the obvious, lets take a quick read through the report that cost Geer his job. The argument is as follows: Microsoft is a monopoly, and the company reinforces that monopoly through aggressive integration. Integration creates highly complex systems and complexity diminishes security. Microsoft's vulnerable platform, coupled with its monopoly control, can lead to cascading and/or catastrophic failure, which compromises security. Even national security.

Geer calls the problematic system a technological "monoculture," a term borrowed from agricultural vernacular. The less diversity there is in a system, he says, the more likely something will cause its total failure. Think of Ireland's potato blight, or the cotton-growing states economic ruin by the boll weevil.

"Nature has shown us that biodiversity has immense survivability value," says Geer. I don't see why the analogy doesn't hold."

Neither do some other security experts. Six of them, no slouches included, added their own thoughts and signatures to the paper, and the Computer and Communications Industry Association (CCIA), a lobbying group made up of Microsoft competitors, supplied an introduction and help with distribution.

In fact, the pro-diversity thesis of Geers writing is not even controversial. These days, it's hard to find any security expert who doesn't think that platform diversity is a no-brainer, accepted security strategy.

Even at @Stake, Geers ideas are held in high regard. Chris Wysopal, the companys research director, said after the incident that diversity is a defense-in-depth strategy. Diversity is part of what we do and a lack of diversity negatively impacts security."