Kevin Curran

Kevin Curran is a Professor of Cyber Security, Executive Co-Director of the Legal innovation Centre and group leader of the Ambient Intelligence & Virtual Worlds Research Group at Ulster University. He is a regular technology contributor to TV, radio, trade and consumer IT magazines.

In computing, the term monoculture refers to a community of computers that all run identical software. The consequences of this is that all the computer systems in the community therefore have the same vulnerabilities, and are subject to catastrophic failure in the event of a successful attack.

The classic example used is when the first computer worm (known as the Morris worm) began to propagate from system to system – as worms do, it could only spread itself among Unix machines. Therefore, other operating systems were immune. Diversity of systems actually had inherent security properties in this case.

Interestingly, the Irish Potato Famine of 1845–1849 is a real-world monoculture-related disaster as we planted only one variety of genetically identical potato which succumbed to a rot caused by Phytophthora infestans. The rest is history.

Monoculture is topical at this time in the wake of Microsoft announcing that it is making changes to its Edge Browser by adopting the Chromium open source project. Chromium is the same web rendering engine that powers Google Chrome.  There will of course be little tears spilled over this as Edge has become a joke in that its main raison d’etre is for users to download the Chrome Browser on first use. 

Many have also debated the security of the browser. Like many aspects of product comparison, it is not black and white. For instance, at this moment in time if we visit the NIST national Vulnerable database, we will find almost 1800 vulnerabilities listed for Google’s Chrome browser and just over 500 for the Edge browser.

However, this is not a correct comparison of the insecurity of one Edge over another Chrome. It is fairer to say that Chrome has more vulnerabilities due to its much wider footprint online. Hackers to do not tend to waste time on systems and applications which have much lower user bases so attacks have been tried much more on Chrome due to the simple fact that more people use it on a daily basis.

What is fair to say however, is that Microsoft’s edge development team in the past have annoyed security researchers with slow responses to properly disclosed flaws. One example was from Googles’ project zero team which seek to identify security flaws and inform the owners. They disclosed a severe vulnerability in Microsoft Edge but Microsoft failed to meet the deadline in fixing it.

This was not the only example. We can argue that a chromium-based browser is more secure as it is built on a more established code base. Edge on the other hand was built from the ground up for Windows 10. It only had 18 months to identify problems before release. Building on a code base which has been ‘hammered on’ in general is much more secure.

There can however be some implications for security with a monoculture. The obvious example is that a browser vulnerability can now have much more impact and spread due to a common code base and its adoption on Edge and Chrome. This has been seen with the huge worms and viruses aimed at Windows systems over the years. On the other hand, if a vulnerability is identified, the one fix can be rolled out to the same systems to fix them.

It is difficult to stop a monoculture arising as first to market will often take the lions share. Yes, this may be what some call a “tragedy of the (security) commons” but we also know that common protocols are necessary in order for networked communication to succeed.

Having one less browser to test and support will be welcomed by many application developers but of course the security implications of a monoculture browser market has yet to be evaluated. The proponents of monoculture will provide endless analogies of biological monocultures (e.g. the potato) however computing systems do differ in many ways – not least that we can patch them.

Therefore, I do not subscribe to the monoculture security weakness argument. Yes, I am not naïve enough to not see how malware can spread more easily & rapidly in a monoculture but this negates the more sensible approach of evaluating systems and products by their own merits alone.

The monoculture argument about safety in lesser numbers really only carries weight if the move to less popular software/operating systems remains beneath the radar. If others follow in great numbers then nothing is really gained. I also like to be pragmatic and there is a cost involved in trying to avoid a monoculture. Some may say security is everything but it is not. Yes, every system is hackable and if security was everything, the safest decision would be avoid installing any computer system.

That is not living in the real world. No, every business has a budget and a proportion of that gets diversified off into technology and security and trying to diversify requires more expertise, planning and maintenance costs.

There is also a limited number of products and operating systems so in reality, you can only go so far. I am not saying there is not some truth in monoculture danger but I am saying that perhaps a more pragmatic approach is to invest in security training, patching systems, 24/7 network monitoring and all the other best practices in cybersecurity. There is no silver bullet for security.