Last year at the ISSE conference in Berlin, Scott Charney shared the Collective Defense proposal and the Internet health model for addressing cybersecurity with the goal of protecting consumers and their devices from botnets and other malware. That paper looked at two models to improve the health of devices: observing symptoms to detect infected devices and demonstrating health to help keep devices protected over their lifetime. We have seen proof points of the former model around the world this past year ranging from coordinated botnet takedowns like Rustock and Coreflood, national level efforts for example in Germany, and individual internet service providers launching remediation programs.
Demonstrating the health of devices requires technology advancements as well as the alignment of social, political and economic forces. At the RSA Conference 2011, Microsoft demonstrated a proof of concept demonstrating one way this might be imlemented. That demonstration showed how a device can communicate the status of defensive technologies such as antimalware software and security updates to an online service provider. If the device lacks antimalware software or a security update, the online service provider can notify the user and direct them to resources to enable the protections.
Today, I published a new whitepaper that discusses this concept in further detail with a focus on the considerations for user privacy and control. Like with the initial proof of concept, our intent with this whitepaper is to stimulate necessary debate on this approach including full examination of security and privacy ramifications. The paper looks at the fundamental questions of who decides the health requirements, what happens if a device is not healthy, and how this model may evolve for other computing devices such as mobile phones and consumer electronics. We also advocate for an opt-in approach where consumers and service providers voluntary participate in this model to help reduce fraud and increase the security of their devices.
I am excited by the possibilities of this future vision and look forward to continuing the discussion on how to help consumers protect their devices online while balancing the important aspects of user control and privacy.
This week we are discussing this concept and other important aspects of Collective Defense at the EWI Worldwide Cybersecurity Summit. If you have thoughts on this paper or the overall concept, please contact me at firstname.lastname@example.org.
Download the whitepaper: