As I read about recent ransomware attacks on hospitals, I was reminded of a seemingly unremarkable event years ago when I was still using a computer with the Windows operating system. I was working with a medical doctor turned medical IT specialist. His preferred operating system—though not that of the hospitals he worked for—was the one on his Apple computer. When he loaded files from a flash drive onto his machine in my presence, I asked why he didn't check for viruses first. He had a one-word answer: biodiversity.
He was, of course, using the metaphor of biodiversity to refer to the fact that the vast majority of computer viruses and malware targeted Windows systems at that time, something that is still true today. Very few threats targeted the Apple operating system, and because of its design the system was (and is) more resistant to such attacks.
Every student of biology—which naturally includes doctors and health care workers—ought to be aware of the advantages of biodiversity in natural systems. Biodiversity brings resilience to species and to entire ecosystems. Variations in members of a species make it more likely that some will survive to propagate. Variations across species that inhabit an ecosystem make it more likely that the system will survive as a coherent unit when some, but not all of a particular species die out.
Of course, computer networks are not biological systems (unless you include the human operators). But they suffer some of the same obvious vulnerabilities. When you look at the share of operating systems worldwide for all platforms there appears to be at least some diversity with two major systems, Android and Windows vying for first place. But when you consider that desktop computers make up most of the institutional use of operating systems including use in hospitals, the diversity plummets. Close to 80 percent of all desktops use the Windows operating system. And, a recent study confirms that the health care industry relies on Windows for 80 percent of its operating systems—even if, as reported by this study, the industry doesn't keep its systems up to date.
I am not making the case that computer networks can be made entirely safe by switching to something other than Windows. But it is noteworthy that none of the articles I've read about the recent ransomware attacks on hospitals even mentions the name of the operating system being attacked—as if that were irrelevant to the story. I suspect that most, if not all, of the reported attacks are on Windows systems.
It is a feature of modern industrial society to try to standardize and homogenize our systems. We are told this will make them more "efficient" and more "seamless." For those who understand systems, the more efficient a system becomes the less resilient it becomes since efficiency requires that redundancy be reduced or eliminated. Seamless means that criminals can jump more easily from node to node and system to system. A connected world is a more vulnerable world. But a connected world that functions using what is almost a monoculture for its operating systems is vastly more vulnerable.
Last year I wrote about a bill in the U.S. senate that called for examining "ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators" to protect the electrical grid from attacks. Connectivity is the focus here though I suspect that a software monoculture of sorts exists in the utility industry as well.
For the record I have used the Linux operating system since 2013 though I own an Apple desktop which I use for presentations. But the question of diversity goes far beyond computer systems and networks. To the extent that we continue to "streamline," "optimize" and "link" all the systems we rely on rather than incorporating decentralized, diverse approaches, we are setting ourselves up for even greater calamities ahead—both those inflicted by criminals and those we inflict on ourselves when complex systems fail and that failure cascades across systems.