
The long-term goal for the Air Force is to have real-time standard configuration management. Heitkamp said right now Air Force software ensures that a laptop or PC connected to the network has the standard configuration every 90 minutes. The service by 2008 hopes to have the real-time enforcement running, he said.
Ease of management. What could be wrong with that?
“We are fairly good now, but we will be much better next year,” Heitkamp said. “Moving to a standard desktop is about governance and policy, not technology. Our vision is real-time desktop management.”
Well, easy management is a good thing, but if the means is monoculture, the complication is greater risk.
Security people are never in charge unless an acute embarrassment has occurred. Otherwise, their advice is tempered by “economic reality,” which is to say that security is a means, not an end.
Or, in the case of a government, “policy” substitutes for “economic reality”, and still trumps security or “technology”.
— The Evolution of Security: What can nature tell us about how best to manage our risks?, Dan Geer, ACM Queue, April 2007
This is not to say that security should be the prime directive for all decisions; as Geer reminds us, “failure must be an option” because if there is no risk we’re spending too much on security. I’m reminded of a story about Henry Ford, who supposedly directed his company to examine wrecked cars to see which part didn’t break. It was the axle, so he ordered less steel put in axles, because no breakage meant they were over-engineered.
Geer also reminds us of GMU simulations (Gorman, S.P., Kulkarni, R., Schintler, L., Stough, R. 2004. Is Microsoft a threat to national security? The effect of technology monocultures on critical infrastructure. George Mason University, Infrastructure Mapping Project working paper) that “demonstrated that when about 40 percent of computers are alike, the risk of general collapse takes a leap upward.”
Furthermore, in an earlier study:
“Exploiting externalities unique to information systems, we show that diversification can not only reduce loss variance but also minimize expected loss.”
— Software Diversity for Information Security, by Chen, Kataria and Krishnan, Fourth Workshop on the Economics of Information Security, Kennedy School of Government, Harvard University, 2 – 3 June 2005.
The Harvard paper takes into account both the positive effects of fewer exploits and the negative effects of reduced ease of use that come with less uniformity. In other words, it takes ease of management into account, and concludes that diversity is still more beneficial than the ease of management produced by monoculture.
So you don’t want thousands of operating systems, yet only one is an unacceptable risk. Especially unacceptable for a government that is supposedly constantly heightening security.
-jsq
The problem with all these profound theories that _diversification is better_ is that the market disagrees: for pretty much all the history of computing, the market has chosen one standard operating system.
That we don’t yet understand why, is just a casual observation….
(like the observation that blogs on risk don’t understand https!)
Regardless of your history point, which is debatable, what we were discussing was *government*, not “the market”. The U.S. government is choosing monoculture in a much more single-minded way than the current U.S. market. This is bad.
-jsq