Can a public health approach cure the Internet?
Plan has attractive features but doesn't mesh with the real world
- By William Jackson
- Oct 08, 2010
Microsoft’s Scott Charney has proposed a new scheme for promoting Internet security based on the international public health model used to fight epidemics and pandemics in the real world.
In a speech at the Information Security Solutions Europe conference in Berlin and in a white paper released by Microsoft, Charney suggested that a system of computer health standards and checkpoints could be used to ensure that infected computers are not allowed widespread access to the Internet, where they could be a threat to public IT security. It would be analogous to the health standards used to track infectious diseases and quarantine infected individuals in the real world.
“If a device is known to be a danger to the Internet, the user should be notified and the device should be cleaned before it is allowed unfettered access to the Internet, minimizing the risk of the infected device contaminating other devices or otherwise disrupting legitimate Internet activities,” wrote Charney, the company’s corporate vice president for trustworthy computing, in the paper “Collective Defense: Applying Public Health Models to the Internet.”
The technology exists to do this, he said, and the time might be right to consider putting such a scheme in place. “Cybersecurity policy and corresponding legislation is being actively discussed in many nations around the world, and there is a huge opportunity to promote this Internet health model,” he wrote.
The model has attractive features, but there are serious real-world challenges that would stand in the way of its implementation.
Charney proposed the model because, despite advances in security technology for computer users, infections by known exploits continue to pose a threat to cyberspace. And botnets of infected computers could more effectively be countered by stopping individual infected computers in the first place.
He suggests requiring a digital health certificate from a trusted authority certifying that a computer meets baseline requirements for configuration, uses security tools such as firewalls and antivirus software, and is free of known malware. That certificate would have to be presented before the computer is allowed full Internet access.
But one reason such a model works in the real world is that there are national borders at which health laws can be enforced and individuals can be denied entry or quarantined in the name of public health. Those borders are largely absent in cyberspace, and service providers would have to place effective gateways on public networks — a trickier proposition.
Moreover, the real-world model is focused on preventing threats from entering a country. The cyber model would focus on preventing threats from leaving — that is, getting onto the Internet. It is one thing to keep someone from entering your private network but something else again to prevent someone from getting onto a public network he has paid to use.
Another problem is that we do not have reliable ways to define what malware or proper configurations are. One person’s malware might be another person’s application; a secure configuration on one computer might be a bug on another. Who will define what is a legitimate antivirus product and what is a malicious, rogue tool? Setting the bar for compliance low enough to make it practical could also make it ineffective.
And would such a scheme open up a new vector for attacks? Computer users are already plagued with phony virus alerts from apparently reputable sources that end up infecting computers rather than cleaning them. It is easy to foresee a rash of notices that a computer is out of compliance with public security standards, with a request to “click here” for remediation.
Charney acknowledged the challenges to the scheme and said government and industry should begin working now to iron them out. But I have serious doubts that a broad enough consensus on regulating Internet access can be reached to make such a model practical across national partitions.