Last Monday, the security consultancy @Stake learned that its CTO, Dan Geer, had authored a white paper, “Cyberinsecurity: The Cost of Monopoly,” which codifies what everyone already thinks — that Microsoft’s outsized market share and business practices represent a "clear and present danger" to security.
Last Tuesday, Geer was fired, and Geer-supporters throughout the security community assailed @Stake for its failure to place principles above profit-motive. Microsoft, it turns out, is one of @Stake’s biggest clients.
Six days later, this reporter finally got someone from @Stake to answer the disparaging question: Did the company really fire Geer out of fear of reprisal from Microsoft?
Their answer: Of course.
"It was no more than the obvious," says spokeswoman Lona Therrien. "There was an obvious concern that this was a risk to our business because of the client's trust. If we did not react, what would that say to our clients? This is not an academic forum, it's a business forum. It was a bad business decision [on Geer's part], not an academic one."
Speaking of the obvious, let’s take a quick read through the report that cost Geer his job. The argument is as follows: Microsoft is a monopoly, and the company reinforces that monopoly through aggressive integration. Integration creates highly complex systems and complexity diminishes security. Microsoft's vulnerable platform, coupled with its monopoly control, can lead to cascading and/or catastrophic failure, which compromises security. Even national security.
Geer calls the problematic system a technological "monoculture," a term borrowed from agricultural vernacular. The less diversity there is in a system, he says, the more likely something will cause its total failure. Think of Ireland's potato blight, or the cotton-growing states’ economic ruin by the boll weevil.
"Nature has shown us that biodiversity has immense survivability value," says Geer. “I don't see why the analogy doesn't hold."
Neither do some other security experts. Six of them, no slouches included, added their own thoughts and signatures to the paper, and the Computer and Communications Industry Association (CCIA), a lobbying group made up of Microsoft competitors, supplied an introduction and help with distribution.
In fact, the pro-diversity thesis of Geer’s writing is not even controversial. These days, it's hard to find any security expert who doesn't think that platform diversity is a no-brainer, accepted security strategy.
Even at @Stake, Geer’s ideas are held in high regard. Chris Wysopal, the company’s research director, said after the incident that “diversity is a defense-in-depth strategy. Diversity is part of what we do and a lack of diversity negatively impacts security."
So, was Dan Geer was fired for stating the obvious? Not exactly.
Geer was fired not for what he said, but how he said it. He wrote the paper outside the purview of his employer, shopped it to an anti-Microsoft lobbying group, and then presented it, without nuance or subtlety. "The threats to international security posed by Windows are significant,” he writes, “ and must be addressed quickly."
Why? Because, Geer says, this is not the kind of problem that can wait.
"Let me explain something," he says, "I hang around with banks. I was recently at a bank. I heard a presentation about risk management. The speaker was talking about total firm exposure — things like what happens to his bank if Mexico defaults. It's something he deals with every day. It's his version of national security. He said, ‘You may ask me why does this risk management strategy work? The reason is there's zero ambiguity about who owns what risk.'
"I stopped dead," Geer says, stopping dead. "I look at the Internet sphere, and it's the polar opposite of that. No one knows who owns the risk with software."
And why should they? It's so much easier to own the market, and fire anyone who makes too much noise.
"Alarmed" is a biweekly column about security and privacy. Look for a new version every other Thursday.