The Cyber Monoculture Risk

Paul Rosenzweig
Friday, October 1, 2021, 8:01 AM

Monoculture risk is manageable for most systems, but that isn’t the case for government systems. For these systems, monoculture vulnerability is a national security risk.

The U.S. Capitol building at dusk. (Barnyz, https://flic.kr/p/2i15xPp; CC BY-NC-ND 2.0, https://creativecommons.org/licenses/by-nc-nd/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

Nature, they say, abhors a vacuum. It also abhors a monoculture. That’s because monocultures are a formula for catastrophic failure. Yet the U.S. federal government seems to love them. Indeed, as a consulting firm’s study recently confirms, when it comes to communications and collaboration software, U.S. agencies embrace the monoculture fallacy and in doing so, they create a national security risk.

The idea of monoculture risk comes from biology. It’s the concept that an entire population (say, of animals, like cows, or crops, like corn) can be biologically identical in a way that makes all the members of the population, or herd, vulnerable to a specific type of risk or disease. In other words, it is almost exactly the opposite of the idea of herd immunity, with which the public has become so familiar in the days of the coronavirus pandemic. Monoculture risk is, if you will, a case of herd vulnerability to a particular disease, often combined with an inability to adapt quickly to biological change.

Of course, monocultures are not often seen in nature. The reason is obvious—when they occur naturally, the herd usually dies out. Sooner or later, the disease to which the entire population is vulnerable appears and, in a biological instant, the population is gone. In 1970, for example, more than 70 percent of American farmers grew the same variety of high-yield corn. The crops were a near monoculture uniquely vulnerable to a particular type of corn blight, and that year the blight destroyed more than 15 percent of the corn in North America. The 1970 blight epidemic wasn’t a complete catastrophe, but it illustrates why the lack of diversity is risky biological business.

In the cyber world, by contrast, enterprises love monocultures. Every company in America (or almost every one) is a nearly pure information technology (IT) monoculture. They use only one operating system, only one email server, only one suite of client management software and so on. The reasons usually boil down to a single word: cost.

It’s cheaper to provision and maintain a single operating system. It’s cheaper to train staff to a single standard. Interoperability and system integration is easier; so is transitioning to newer upgrades of the same system. And so, in any organization, procurement of IT equipment tends quickly to create a near-uniform operating environment. The enterprise uses a suite of Microsoft products, say, or Amazon cloud services, or Google or Apple operating systems.

And in the cyber domain, the monoculture risk stems from an exploitable vulnerability. No system is guaranteed to be 100 percent safe from malicious intrusion. Indeed, the most able of U.S. tech companies, like Google, Apple, and Microsoft, and the core of the federal systems have all experienced significant breaches in recent years.

For most systems that sort of monoculture risk is manageable—indeed for many systems the benefits of operational ease will outweigh the potential costs of exploitation. But that isn’t the case for government systems that form the backbone of national defense. For those systems, monoculture vulnerability is a national security risk.

Consider, for example, the current state of communications and collaboration software used by the federal government. Recently, Omdia (an independent analyst and consulting firm) released a study of the U.S. government market for software services. The results were rather surprising. Some 85 percent of the office productivity market, that is, products such as Google Workspace or Office 365, was concentrated in a single supplier—Microsoft. Likewise, Microsoft had 60 percent of the email and calendaring market. By contrast, the file storage market was rather evenly split among three vendors: Google, Microsoft and Dropbox (with Box coming a distant fourth).

To be sure, this market concentration may be attributable, in part, to the quality of the products being offered and the ease of their use by the enterprise. But it seems equally clear that, as the Omdia study puts it, it is also the product of inertia in procurement that tends to favor incumbent operating systems.

Whatever the cause, the facts on the ground are pretty clear—at least in the area of office collaboration and productivity (and to a lesser extent in the area of communications through email and calendaring), government systems are effectively a monoculture. One need only think of the recent Hafnium intrusion into the Microsoft Exchange server system to understand why that might be troubling.

It says nothing about the quality of Microsoft products (or of any other vendor, for that matter) to say that such overreliance is potentially problematic. It would seem to me that one thing is indisputable—at a minimum, government agencies (and more particularly those, like the Department of Defense, with national security missions) should purchase more than a single collaboration and communications system from more than one provider. To be sure, that will come with some efficiency challenges, but the costs of a single-point-of-failure monoculture seem to be a greater risk.

Disclosure: Red Branch Consulting has present and former clients with interests in cybersecurity issues and the economics of IT systems adoption. The opinions expressed are exclusively those of the author.


Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare