Viruses on the Internet: Monoculture breeds parasites
A contribution to the diversity of life on the Net.
The latest viruses, VBS.LoveLetter.A and its copy cats, allegedly the most damaging in the history of the Net, throw a stark light on the state of the Internet. The viruses gained their enormous impact not so much from the geniality of the programmers, or from the poor quality of Microsoft products, though the latter may have helped too. A much more important reason for the rapid spread of the viruses can be found in the increasing monoculture of software that is used on the Net. 90% of all desktop machines, where the mail clients are located, run on one variant or another of Microsoft Windows and, apparently, a significant percentage of them are using the standard Microsoft email product Outlook. The virus revealed the extent to which these programs are used. Now we know that the computer systems in the Pentagon and the British parliament are little more sophisticated than anywhere else.
Monocultures, as any farmer knows, are particularly vulnerable to parasites. Once they are attacked by parasites, there is no stopping. The parasites can replicate without limits and kill the entire plantation because the entire plantation is made up of a single crop that just happens to be the parasite's niche. On the Internet, the case is similar, most of the recent viruses could spread so fast and so deep because a few Microsoft products are used so pervasively. The viruses used a "security hole" like any other, but, thanks to the monoculture on the Internet, this one can be found on millions of computers around the globe. Depending on your point of view, the current viruses didn't even exploit a security hole but they used features that are available by default and are used pervasively for less spectacular purposes.
Tom Truden, Ford Motor Car's team leader for computer emergency responses told the New York Times that "we looked at the script [of the virus] and we thought, 'We've used this kind of stuff.'" Sections of the code turned out to be very similar to software that the company uses to distribute software updates -- including cures for security problems -- to Ford computers around the world.
Scott Culp, from the Microsoft Security Response Center was, in a sense, right when he told the same newspaper: "This is a general issue, not a Microsoft issue. You can write a virus for any platform." While this is technically correct, it is also a very strong argument why Microsoft should be broken up in as many companies as possible, not just two.
Contrary to monocultures of plants which are as likely to be attacked by parasites than more varied ecologies (although the results are much more damaging) monocultures of software actively attract malicious viruses. It's a simple question of how to maximize your own efficiency, a concept alien to physical parasites, but not to human beings. If you have the intention of releasing a virus, wouldn't you choose the niche were it has the most impact? In other words, software monocultures are not only vulnerable to viruses, they breed them. In this perspective it was not a coincidence that it was Hotmail, the world's largest web-based email service, that got hacked, and not one of the thousands smaller ones. Add to this the dynamics of the attention economy--in which getting attention is a goal in itself--and it becomes clear why it is so tempting to attack the monoculture. The authors of the latest viruses are instant global celebrities thanks to Microsoft. They would have never reached this status if their virus would have attacked, say, the BeOS. The BeOS niche is simply too small to produce much attention.
The industry's answers to the virus threat are as predictable as the threats themselves: pesticides. Leaving genetic modification aside, the huge monocultures of the agro industry can only be maintained through the extensive use of pesticides with all their negative side effects. They poison the plants and the soils, kill off all kinds of other species as well as remove bugs from the natural food chain and set off chain reactions. Birds, for example, can hardly survive in areas of crop monocultures, because all the bugs they eat have been killed by pesticides.
On the Internet, the equivalent of pesticides would be strict laws to criminalize any kind of hacking or reverse engineering, independent of its intention, and pervasive tracking technologies that make law enforcement easier. Both approaches are being pursued. While they might help to stabilize the software monoculture, their effects on "life on the Internet" could be as devastating as the effects of chemical pesticides are on the natural environment. The first casualties will be freedom of speech in areas where this freedom really matters, and innovation that comes not out of industrial R&D labs.
Of course, monocultures are not natural in any way, they are an industrial product of economies of scale. On the Internet, monocultures are the dumbest, though not the only, way to create interoperability. While computers and applications need to be interoperable, they need not to rely on the one-size-fits-all monoculture. There is no Faustian bargain between interoperability and diversity.
Breaking up Microsoft could have some positive influence on the diversity of software on the Internet, though this will take some time. Alternative operating systems / applications -- from Apple to Linux -- have to be implemented and made more interoperable, not because they are per se better, perhaps that too, but because diversity in itself is the best protection, not against viruses, but against massive damage caused by viruses. It seems that software engineers could learn a lot from farmers.