Saturday, July 20, 2024

Global IT Outages and Monoculture: The “potato famine theory” of information system insecurity

Painting: An Irish Peasant Family Discovering the Blight of their Store, by Daniel MacDonald

The following article explains the problem of monoculture in IT systems, one of the root causes of the Global IT Outage of July 19, 2024. The article was originally published in August of 2003. Back then, Chey Cobb and I were writing a weekly cybersecurity column for the digital publication Newsscan (now defunct). 

In a column titled "Of Potatoes and Worms" we used the classic example of monoculture—the Irish Potato Famine—to explain why relying on one company or one operating system for all your IT needs creates a potentially catastrophic level of vulnerability to software-specific threats, such as computer worms, viruses, supply chain attacks, and of course, bugs in software updates (cf. CrowdStrike). We hope you find it helpful.

Of Potatoes and Worms
by Chey Cobb, CISSP
and Stephen Cobb, CISSP
August, 2003

During the last two weeks, the world has witnessed hundreds of thousands of computer systems falling prey to worms. As we write this, the Sobig-F worm is reaching epidemic proportions, threatening to rival the 2000 Love Bug outbreak in terms of disruption wrought. We give you just one example, a good friend of ours who headed to France this week for a vacation: after the flight from LA to Paris he turned on his handheld computer to check email and found 500 infected messages waiting.

A lot has been written on this topic, but we haven’t seen many references lately to the “potato famine theory” of information system insecurity. This theory is a favorite of ours and it holds that a lack of diversity in software can be a dangerous thing, at either the enterprise or the national level. This might ring some bells right now if you are a CIO responsible for tens of thousands of Microsoft Windows or Outlook users.

The theory gets its name from a tragic chain of events that struck the island of Ireland in 1845, killing—by some estimates—more than a million people. At that time, potatoes were the primary source of food for most people living there, due to the fact that potatoes produce more calories per acre than any other crop you can grow in that climate (back then, most people did not have a lot of land to work with because land use was controlled by English landlords, many of whom were, to say the very least, selfish). 

In fact, almost all the potatoes grown in Ireland at that time were of one particular strain, a strain that had been found to produce the most calories per acre. So when a potato fungus arrived in Ireland—possibly from somewhere in the Americas—its impact on the crop was exacerbated by the lack of diversity among potato strains. While some potato strains are more resistant to the fungus than others, the dominant strain in Ireland at that time was not one of them. [See: Great Famine: https://en.wikipedia.org/wiki/Great_Famine_(Ireland)]

The information system security analogy is this: reliance by an information system on one application or operating system, to the exclusion of others, [a monoculture] reduces the ability of that system to survive a vulnerability in that operating system or application.

Consider an organization that is using nothing but Microsoft products versus one that uses a mix of applications and operating systems. The Microsoft-only shop is more likely to have experienced widespread negative effects due to last week’s Blaster worm (which exploited a security hole in the Windows operating system) and this week’s Sobig-F worm (which exploits a Microsoft Outlook vulnerability).

We’re not sure how many people today are familiar with the Irish potato famine, so “fossil fuel dependence theory” might be a better term. The implications are the same: dependence on a single source of energy, or software, has inherent risks. What we particularly like about both analogies is that they encompass economics and politics as well as strategy and logistics. 

The Irish were not growing that single dominant strain of potato because it tasted better than others—apparently it did not—they were growing it because the politics and economics of the time made maximum yield appear to be the highest good. America’s dependence on fossil fuel and a single source of software also has economic and political elements (prices have been relatively low, producers politically powerful, and so on). 

Obviously, the dominance of Microsoft products in operating system and application areas has its own economic and political angles. However, while the reasons for Microsoft’s dominance, and the extent of the negative impact of that dominance on other companies, have been hotly debated, very few people have voiced the following argument: Regardless of how secure or insecure Microsoft software is—or has been, or becomes—we think that using it, or any other single source, to the virtual exclusion of all others, will never be good security.

In other words, even if Microsoft’s Trustworthy Computing initiative succeeds in making the company’s products more secure than they are right now, it would still be foolhardy for any organization to adopt them as a universal standard. Unfortunately, our opinion is not shared by the Department of Homeland Security and other 3LA’s that had best remain nameless.

And just to show how fair and balanced our coverage is, we will say the same of Adobe’s Acrobat format. This grows more powerful with each version. We use it. We love its convenience and the fact that most people with whom we communicate can read Acrobat documents. But the extent to which some government agencies are relying on it is now approaching scary. 

Notes: 

1. Portions of this column first appeared in a lecture we delivered in 2002 as part of the Master of Science program in Information Assurance at Norwich University, Vermont.

2. CrowdStrike has assured customers and the public that their software update, which led to the global IT outage of July 19, 2024, was not malicious. However, it remains to be seen if this assertion will be confirmed by independent analysis.

3. The attack technique of placing malicious code in a software update has been used for many years, notably in the 2017 WannaCry incident that took down hundreds of thousands of systems and cost companies billions of dollars. Ironically, WannaCry did not impact organizations that were protected by some brands of endpoint protection software, the same category of software as CrowdStrike Falcon. [Disclaimer: In 2017, I was working for ESET, one of those brands that stopped WannaCry.]

Monday, April 01, 2024

Internet crime keeps on growing, as do efforts to understand the harm it causes

Chart: Internet crime losses 2014-2023, as reported to IC3/FBI, and compiled by S. Cobb

Losses from Internet crimes reported to the FBI's Internet Crime Complaint Center (IC3) in 2023 rose 22% above the record losses in 2022. 

This means that 2023 set a new annual record, just north of $12.5 billion, according to the press release announcing the latest IC3 annual report (PDF).

About the only good thing you can say about this news is that the annual Internet crime loss figure rose by only 22% in 2023. That is less than half the 49% increase in 2022, which was well below the 64% surge in 2021. However, before anyone gets too optimistic, take another look at the chart at the top of the page. 

While there have been several years this century in which the rate of increase in losses to Internet crime has slowed down, I see the general direction over the last decade as fairly relentlessly upward. And this is despite record levels of spending on cybersecurity and cybercrime deterrence.

This time last year I discussed the implications of these trends in an article over on LinkedIn. That was written in the hope that more people will pay attention to the increasingly dire state of Internet crime prevention and deterrence, and how that impacts ordinary people. At the start of this year, I wrote about the implications of digitally-enabled fraud reaching record levels, framing this as a public health crisis. 

During 2023, I delivered and recorded a well-received talk on cybercrime as a public health crisis. Here is the video, hosted on YouTube.

The talk was originally delivered at the Technical Summit and Researchers Sync-Up 2023 in Ireland. The event was organized by the European arm of APWG, the global Anti-Phishing Working Group. (Talks at that event were not recorded, so I made this recording myself; sadly, it lacks the usual gesticulation and audience interaction of my live delivery, but on the plus side you can speed up the playback on YouTube.)

Also sad is the fact that, due to carer/caregiver commitments, I had to cancel delivery of the next stage of my research at APWG's Symposium on Electronic Crime Research 2023 (eCrime 2023).

On the bright side, I did manage to write up my ideas in an article on Medium: Do Online Access Imperatives Violate Duty of Care? There I started building my case that exposure to crime online causes harm even to those who are not directly victimized by it, much in the same way that living in a high crime neighbourhood has been proven—by criminologists and epidemiologists—to be bad for human health. Basically, the article made four assertions:

  1. going online exposes us to a lot of crime, 
  2. high crime environments are unhealthy, 
  3. governments and companies that make us go online may be breaching their duty of care, 
  4. there is an urgent need to reduce cybercrime and increase support for cybercrime victims.

To explain these assertions I introduced my "Five levels of crime impact in meatspace and cyberspace" which are captured in this table:

Table (screenshot): Cobb's Five levels of crime impact in meatspace and cyberspace

I also introduced my take on a concept used by environmental exposure scientists and epidemiologists: the exposome. A key role of the exposome is to help us acknowledge and account for everything to which we are exposed in our daily lives that may affect our health. 

My article proposed using online exposome as a term for everything that individuals are exposed to when they go online. This builds on thinking by Guillermo Lopez-Campos et al. (2017) that there is a "digital component of the exposome derived from the interactions of individuals with the digital world."

In summary, as we look over the latest tabulation of reported financial losses due to Internet crimes, I think we need to bear in mind that these are only a fraction of the total number of such crimes, and monetary loss is only a fraction of the harm these crimes cause. The stress and anxiety of victims has to be taken into account, as does the deleterious effect of having to spend time online where we are constantly exposed to, and reminded of, the many different ways in which digital technologies and their users are being abused. 

Postscript: Not all the news about online crime is bad. The last 12 months have seen some very impressive anti-cybercrime law enforcement efforts all around the world, including the recent disruption of "the world’s most harmful cyber crime group." I applaud those efforts and encourage governments to fund more of them. Here's to a drop in Internet crime losses in 2024!