CYBEREYE

Can a public health approach cure the Internet?

Plan has attractive features but doesn't mesh with the real world

Microsoft’s Scott Charney has proposed a new scheme for promoting Internet security based on the international public health model used to fight epidemics and pandemics in the real world.

In a speech at the Information Security Solutions Europe conference in Berlin and in a white paper released by Microsoft, Charney suggested that a system of computer health standards and checkpoints could be used to ensure that infected computers are not allowed widespread access to the Internet, where they could be a threat to public IT security. It would be analogous to the health standards used to track infectious diseases and quarantine infected individuals in the real world.

“If a device is known to be a danger to the Internet, the user should be notified and the device should be cleaned before it is allowed unfettered access to the Internet, minimizing the risk of the infected device contaminating other devices or otherwise disrupting legitimate Internet activities,” wrote Charney, the company’s corporate vice president for trustworthy computing, in the paper “Collective Defense: Applying Public Health Models to the Internet.”

The technology exists to do this, he said, and the time might be right to consider putting such a scheme in place. “Cybersecurity policy and corresponding legislation is being actively discussed in many nations around the world, and there is a huge opportunity to promote this Internet health model,” he wrote.

The model has attractive features, but there are serious real-world challenges that would stand in the way of its implementation.


Related stories:

Why cybersecurity experts can never rest

How spammers are like a force of nature


Charney proposed the model because, despite advances in security technology for computer users, infections by known exploits continue to pose a threat to cyberspace. And botnets of infected computers could more effectively be countered by stopping individual infected computers in the first place.

He suggests requiring a digital health certificate from a trusted authority certifying that a computer meets baseline requirements for configuration, uses security tools such as firewalls and antivirus software, and is free of known malware. That certificate would have to be presented before the computer is allowed full Internet access.

But one reason such a model works in the real world is because there are national borders at which health laws can be enforced and individuals can be denied entry or quarantined in the name of public health. Those borders are largely absent in cyberspace, and service providers would have to place effective gateways on public networks — a trickier proposition.

Moreover, the real-world model is focused on preventing threats from entering a country. The cyber model would focus on preventing threats from leaving — that is, getting onto the Internet. It is one thing to keep someone from entering your private network but something else again to prevent someone getting onto a public network he has paid to use.

Another problem is that we do not have reliable ways to define what malware or proper configurations are. One person’s malware might be another person’s application; a secure configuration on one computer might be a bug on another. Who will define what is a legitimate antivirus product and what is a malicious, rogue tool? Setting the bar for compliance low enough to make it practical could also make it ineffective.

And would such a scheme open up a new vector for attacks? Computer users are already plagued with phony virus alerts from apparently reputable sources that end up infecting computers rather than cleaning them. It is easy to foresee a rash of notices that a computer is out of compliance with public security standards, with a request to “click here” for remediation.

Charney acknowledged the challenges to the scheme and said government and industry should begin working now to iron them out. But I have serious doubts that a broad enough consensus on regulating Internet access can be reached to make such a model practical across national partitions.

Reader Comments

Tue, Oct 12, 2010 SFerris California

Well meaning but nutso. The best protection is for the good guys to be better than the bad guys, as always.

Tue, Oct 12, 2010 Answers1

What happens when the "digital health certificate" gets hacked? The openness of the internet is its biggest protection.

Tue, Oct 12, 2010 Jeffrey A. Williams Frisco Texas

I like Scotts approach and suggestion to a great degree except that there is no government agency that has yet to even meet it's own cybersecurity standards yet and only 25% will be meeting FISMA standards by the deadline of 11/15/10 for security monotoring. Very similar situation exists with ISO, ICANN, and other NGO's. As such this suggestion/recomendation even within the US alone is not implamentable in any practical manner at this time.

Tue, Oct 12, 2010 JimB Chantilly VA

I personally like Charney's solution. Things are getting so ugly on the Internet that perhaps totally free and open is not what we need in the long term. We license vehicle operators and make them register their vehciles, why not the same for users and their computers, but in an automated fasihion. Standards could be set by an organization similar to ICANN, or ISO, or one that is yet-to-be-defined.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above