[ nominal delivery draft, 17:00 Friday 30 June 2004 ]
[ Dan Geer, affirmative, v Scott Charney, negative ]

A computing monoculture is a danger, a security danger, a national security danger. It is a danger on principle. It is a danger in practice. It is avoidable and mitigable, but it is neither cheap nor easy to do so if you have to begin from where we are now.

In my remarks today I have endeavored to share with reasonable men and women that Nature has without question shown us that monoculture is at best a primitive state or at worst a dying gasp. We have seen that the few truly infrastructural components of life are the common property of all life, and are defended with an unmatched vigor by all life.

We have seen that what we call security in computing we would call immune response in life. We have seen that immunity is never cheap but that the more advanced organisms devote a proportionally greater percentage of their life force to it, in proportion to both their size and their longevity. We have seen that juicy targets create a niche that will, without question, be filled by predators and that the variety of predators will itself expand as the supply of prey proves abundant.

We have seen that an immune system is operating at two levels, that of protecting the individual and that of protecting the species. At the individual level, it facilitates your survival. At the species level, it keeps the contagion from other individuals. Coincidentally, we have seen that in the natural world an immune system must be trained as it cannot be designed in full, a priori. We have seen that insufficient or poor training engenders auto-immune disorders that are brutal in effect and challenging to quench once ignited. We have already seen examples of auto-immune pathology in the attempt of our political system to react to a rising tide of infection and infectiousness.

We have seen that the more virulent the disease the more likely, for a given patient, it is to run its course.
At the same time we have seen that diseases with long-delayed symptoms are those to be dreaded most just as they are the ones most likely to spread before detection. We have seen that in Nature pathogens are opportunistic just as much as predators, attackers, or thugs are. We have seen that this opportunism can be borrowed, that pathogens can accumulate mechanism over time and thus have more than one way to infect. We have seen that pathogens exposed to imperfect defenses will ultimately adapt and become resistant to those defenses.

We have seen that when in close quarters the immune status of the herd is more telling than the immune status of the individual. We note that our political structures enforce herd immunity amongst school children, the armed forces, and certain workers. We have seen that the tools of epidemiology are easily adapted to our world and, reading those tools backward, we have seen what a worst case disease would look like, finding it eerily like what we deal with in our world on a daily basis.

We have seen that survival of a species is to survival of an individual as reliability is to security, and we have breathed a prayer of thanks that our server rooms remain more diverse than our client farms. We have seen that mutation, regardless of its source, produces an opportunity for selection. We have seen that random mutation is less efficient while directed mutation is more, but that it is the existence of selection that drives evolution. We have seen that even single-celled animals strategically bank diversifying mutations against unforeseen and unforeseeable attacks, and that they have done so for literal eons. We have seen that evolution is not smooth, and that this or that organism will flourish until such time as something on which it has a critical dependency changes. We have seen that low diversity in an ecosystem is an harbinger for trouble.
We have reminded ourselves that the very word "monoculture" means common vulnerabilities rather than identicality. We have seen that when vulnerabilities cannot be identified, the threshold of monoculture can be crossed unnoticed. We have distinguished between implementation and protocol, and we have clarified that it is implementations that are or can be monocultures.

We have, by the preponderance of evidence, seen that the lessons of Nature are unmistakable leaving us only the question of whether we will learn them. With humility, we have concluded that Nature is so much bigger than are we that the burden of proof falls to those who deny that Nature is our guide as we move forward in computing. We have palpated the implications of submitting ourselves to Nature's lessons.

We have realized just how tired the public is of finding itself in the position of the Red Queen where it "takes all the running you can do to keep in the same place." We have understood that our computing monoculture encourages a high flux of amateur attackers and that though this flux is itself a substantial drag on our society, that flux of amateur attacks inevitably obscures the actions of professionals of whom we should be mortally afraid. We have come to understand that more diversity in our computing base would raise the skill level required to be an attacker thus depressing the numbers of them.

Perhaps the pinnacle of our realizations, we have understood that we have the most to lose because we are the most interdependent. We have reluctantly concluded that unknown vulnerabilities are likely to be with us forever, and that they are surely in the hands of the professionals, professionals who are no doubt grateful for the scope of applicability for those vulnerabilities that a monoculture provides. We have even seen that virus writers try to deliver monocultures as their work product.
We have remembered history and considered other brushes with monoculture -- all of them coming at the hand of man -- and in so remembering history we have the opportunity to not repeat it. We have met the enemy, and he is us.

END