Massachusetts assaults monoculture

Verdasys chief scientist Daniel Geer says Massachusetts' decision to go with OpenDocument Format comes not a moment too soon.

When governments maintain their public records electronically, does a member of the public have to buy something from a specific company to read those records? The rational, fair, democratic answer has to be "no." The Massachusetts executive branch agrees in blunt and perceptive language: "A public record, once stored electronically, must not require a proprietary computer program to read it; it should be readable by many different word processors, spreadsheets and other productivity applications, regardless of vendor."

Simple, isn't it? A public record on paper requires no one to buy anything. Everyone can read it. And it more or less keeps forever. That's a good standard, and Massachusetts will soon require public records be held in OpenDocument Format.

OpenDocument Format, unlike Microsoft Word's .doc, is a way to save electronic documents that anyone can read. The OpenDocument Format specifications are free; any competent programmer can produce a fully featured word processor or spreadsheet that will work with it. What's more, since no company owns the standard itself, forward and backward compatibility with former and future word processors is guaranteed.

No more: "Somebody upgraded, so now everyone has to." By making the "public" in "public record" mean something, Massachusetts gets better accessibility, plus competition--not a sole-source provider.

In biology, a monoculture--a singular species that supplants all others--is a bad thing. When every plant is the same species, every plant is susceptible to the same predators, the same diseases. Examples are as plentiful as they are sad: Consider the virus that brought on the Irish potato famine or the boll weevil that nearly obliterated the South's cotton crop in the early 20th century, and you see the destruction that human-made monocultures bring upon themselves.

Computers are no different. Computer viruses spread efficiently, lethally when all computers on a network run the same software. MyDoom, Melissa and MSBlast were a function not of the Internet, but of a Windows monoculture. They caused havoc because they were designed for specific vulnerabilities of Windows. Since one virus generally affects one species of software, any computing monoculture poses a hazard the same way it does in nature.

Microsoft's monopoly in the market creates a Microsoft monoculture on the network. Microsoft maintains its monopoly and the monoculture through user-level lock-in, especially by keeping document formats as trade secrets. Massachusetts noted as much in its antitrust proceeding against the company. And so long as that lock-in persists, there will be no solution to the monoculture risk.

As a matter of logic alone: If you care about the security of the commonwealth, then you care about the risk of a computing monoculture. If you care about the risk of a computing monoculture, then you care about barriers to diversification. If you care about barriers to diversification, then you care about user-level lock-in. And if you care about user-level lock-in, then you must break the proprietary format stranglehold on the commonwealth. Until that is done, the user-level lock-in will preclude diversification and the monoculture bomb keeps ticking.

The Massachusetts Department of Administration and Finance does care, and its Enterprise Technical Reference Model specifies OpenDocument Format. That standard is precisely what is needed and not a moment too soon.

OpenDocument Format is the point of maximum leverage. Of all the things Massachusetts could do to make risk diversification possible, the most effective is to remove user-level lock-in by making document storage formats no longer the one thing that forces everyone to use Microsoft Office. As long as the commonwealth voluntarily allows itself to be locked in by the proprietary document formats of a proven monopoly, the commonwealth cannot diversify and therefore cannot mitigate its risk.

The risk of remaining as we are exceeds the understanding of nonspecialists, including, with all due respect, the average legislator. There are new Windows viruses all the time. Perhaps 15 percent of all desktop Windows computers are running malicious software at any time. The monoculture makes attacks automatable--so automatable that there is money to be made. And, sure enough, the menace once posed by teenage hackers has been replaced by that of professional, organized crime.

Do we say that Microsoft is the only interpreter of a public record? That everyone has to buy Microsoft Word to read the documents their taxes paid for? That monoculture is public policy? Or do we say that a public record is not a public record unless it is in OpenDocument Format? I'll take the latter, both because I agree with the idea that a public record is not a public record unless it is in an open format, and also because this is an unavoidable step if we are to dodge the monoculture bullet. The former reason is moral. The latter reason is self-protection.

If we miss this chance, we'll keep paying through the nose until there is a cascade failure among our identically vulnerable computers. It would give no decent person pleasure then to say, "I told you so."