By Robert Lemos
Staff Writer, CNET News.com
January 15, 2004 4:00AM PT
Their idea was inspired by parallels that scientists are drawing between the proliferation of computer viruses and the spread of agricultural catastrophes such as Dutch Elm Disease, which has devastated a small variety of American elms since crossing the Atlantic decades ago. Like Dutch Elm, MSBlast was a single foreign entity that infected extremely susceptible hosts of an entire population--in this case, of Windows computers.
"People have brought over species that we didn't expect here, just like people have created viruses that Microsoft didn't expect to deal with," said Jeff Dukes, professor of biology at the University of Massachusetts at Boston, who studies diversity and growth in ecological systems. "These introduced species have had a major impact on our forest and have knocked out entire species."
Despite the obvious differences between the two fields, some overarching principles in agriculture can be applied to technology in surprisingly apt ways. Just as biologists advise farmers to diversify their plantings, computer researchers believe that developers should be given tools to vary characteristics of the same program so that not all would be hobbled by a virus written for a specific version.
"You only get epidemics when your target populations are alike enough that they can all get the same disease," said Dan Geer, chief scientist at information security firm Verdasys and co-author of a report on the technological lessons of monocultures.
Even scientists outside technology have expressed concern about the issue. In a letter to a publication called "Emerging Infectious Diseases," a journal of the federal Center for Disease Control, two microbiologists cited specific similarities in the nature of biological and computer viruses.
"Biological viruses can mutate rapidly, create novel pathogenic and transmission routes, and develop antigenic variation to evade host immunity. In the computer world, worms exhibit similar behavior," wrote microbiologists Trudy M. Wassenaar and Martin J. Blaser.
The weakest links
Security experts have begun working to identify those parts of the Internet that are the most vulnerable because of their commonality. In November, the National Science Foundation granted three university researchers $750,000 to find the location and number of such weak links within the information infrastructure.
"The project is really about identifying points of attack, such as memory layout. Computers are pretty much the same to a first approximation, which means they can be attacked in the same way," Mike Reiter, a computer engineering professor at Carnegie Mellon University and a participant in the project, said in an interview. Reiter and other researchers from Carnegie Mellon and the University of New Mexico will use the monoculture theory not only to find problems, but also to propose solutions.
If nature is any indication, diversity will be at the top of that list. Perhaps the best-known case of a monoculture's catastrophic failure is the Irish Potato Famine. At the beginning of the 19th century, most of the Irish poor raised oats, barley and rye, along with more than a dozen variety of potatoes. But because of its nutritional value and ability to grow easily in North European soil, one particular species of potato called "the lumper" became the dominant harvest for the country by 1840, making up the only significant source of food for about 3 million people.
In 1845, a fungus blighted the crops, and more than 1 million people died of malnutrition or starvation within two years. The catastrophe led to the diversification of Irish crops, according to historians, and the number of acres devoted to lumper potatoes dropped from 2 million to 300,000 in the two years following the famine.
Nevertheless, lack of diversity continued to take a dire toll on ecosystems in other parts of the world for years. In the United States, for example, cotton crops in the South were laid bare by the infestation of the boll weevil in the early 1900s.
Even today, the most common species of banana, which has been bred for the trait of seedlessness to the point of sterility, suffers 40 percent to 50 percent casualties from pests every year. And 85 percent of the orange trees in Brazil, the world's leading producer of the fruit, are susceptible to a mysterious blight known as "sudden death."
Such blights can race quickly through a single species of crops, another lesson that agricultural monocultures have taught the security world. MSBlast spread throughout the Internet in a matter of days, but was a tortoise compared with Microsoft SQL Slammer, a worm that researchers believe infected 90 percent of the vulnerable servers on the Internet in 10 minutes.
The promotion of diversity among ecologists and environmentalists has led many computer security experts to do the same for technology. Diversification as a means to security is even more important now that computers have become so critical to the U.S. economy, they say.
"The more we rely on the Internet world, the more we need to be sure that things are secure," Geer said.
"Almost all of the recent attacks on the Internet have been attacks on monoculture applications, namely Outlook and IIS (Microsoft's Internet Information Server), both provided by a single vendor," wrote John Quarterman, another author of the study, who is also president and founder of Internet risk management company InternetPerils.
As a result, the report maintains that today's software ecosystem would be more diverse and therefore more secure if it included non-Windows products made by competing companies. "This fundamental principle assures that, like farmers who grow more than one crop, those of us who depend on computers will not see them all fail when the next blight hits," the study stated.
Microsoft, for its part, argues that the analogy with nature is limited. "There is a difference between biodiversity and computer diversity," said Scott Charney, chief security strategist for the company.
Charney noted that operating systems are not the only technology vulnerable to viruses. Last year, the Slammer worm shut down the ATM systems of Bank of America, Washington Mutual and many other banks because they used the same network connection--not the same software.
Moreover, unlike adding farm crops, increasing diversity in technology almost always means making systems more complex, which can actually reduce security instead of strengthen it, he said.
"Is it much more difficult to manage a different strain of potato over a single species? Not really," Charney said. "Is it more difficult to manage a different computer system over having just one? Definitely."
Geer acknowledges that point but said better planning--as well as forcing Microsoft to allow competitors to interoperate with key operating system components--could mitigate both issues.
"Of course my network goes to hell because of Slammer--it doesn't matter if I am using Microsoft or not," he said. "But avoiding that is about good planning, and good planning is about defense in depth. You cannot have defense in depth by having the same machines everywhere."
Routing more than Microsoft
While Microsoft is a common target for security complaints, an even larger example of a monoculture in technology may be the reliance of much of the Internet's routing infrastructure on the Simple Network Management Protocol (SNMP).
Two years ago, a flaw found in the protocol by a university research group in Finland prompted wide concern among telecommunications giants and Internet service providers. A potential disaster was averted when the companies managed to get a head start on underground programmers who might have tried to exploit the hole.
Indeed, the human factor may well be the most significant difference in the health of ecosystems from the worlds of technology and biology. Being the top species in the information chain means more attention from the malicious coders. Aside from the human quest to control pests, nature doesn't have to deal with that problem.
"The lessons from nature tend to be that more diversity is generally better for stability," said Dukes of the University of Massachusetts. "That's one of the reasons that I stick with a Mac."