Posted by Scott Charney
Corporate Vice President, Trustworthy Computing
To help address growing concerns regarding Internet security and privacy, I recently published a paper outlining an approach to addressing botnets and malware that threaten consumer devices connected to the Internet entitled Collective Defense: Applying Public Health Models to the Internet.
Today at the RSA 2011 conference in San Francisco, I presented the details of this proposal for collective defense, and shared a proof of concept scenario exemplifying how an organization, such as a bank, might promote better device health. Below is video of that scenario:
Microsoft is committed to advancing the idea of collective defense, and now is the time for action. As more of the world’s people, computers and devices come online, threats also become more sophisticated. As the number of reported cybercrime victims grows, protection becomes not just an individual concern, but more of an ecosystem or societal concern.
It is also true that consumers may feel challenged by the types and sophistication of cyber threats as well as uncertainty regarding what and whom to trust online. In short, security is not a problem that can be addressed fully by individual consumers, or even individual companies or governments. That is what led to the development of my public health model proposal, which calls for collective defense against cyber threats.
Since publishing the proposal in October, we’ve seen a robust debate around the idea among industry experts and members of the media. I’ve also received feedback through my interactions with the security community and policymakers around the world, which I outline further below. For example, in October of last year, Bruce Schneier, chief security technology officer at British Telecom, wrote a Forbes essay on the proposal, providing a thoughtful analysis, which is precisely what’s needed. While he raises a variety of questions worth considering, he concluded that “this conversation—between the rights of the individual and the rights of society—is a valid one to have, and this solution is a good possibility to consider.”
In this post, I hope to address a few of the main considerations with the health model, and share more detail on feedback I’ve received and progress made since October.
Effectiveness and Ability to Implement on Scale
One great question raised relates to the effectiveness of the health model for consumer machines and the ability to keep up with a rapidly evolving threat landscape. Indeed, one of the major differences between public health and Internet health is that human viruses are not malicious and can adapt slowly. Although malicious actors will write new malware for which we lack signatures, a broadly deployed health system would permit us to respond more quickly once a new infection is identified.
And while we may never identify all strains of infection, that happens in the physical world too. The fact that some health problems are untreatable for a wide range of reasons does not suggest that all health problems should be left untreated. Absent some widely deployed process, even the diseases we know about will not get treated.
Regarding questions of scale, implementing a comprehensive model for consumer Internet security will take a collective effort, and will not happen immediately. However, we can do much on a smaller scale that helps protect people and gets us closer to a comprehensive model.
In my paper, I identified two complementary strategies that draw from lessons of the health model to improve Internet health:
1) Bolstering efforts to identify infected devices and get them healthy
2) Implementing policies and practices that promote device health by reducing known risks
In some parts of the world, programs have been implemented to identify infected devices and help get them healthy. The Internet Industry Association of Australia launched its voluntary ISP Code of Conduct, which creates a notification system for consumers with compromised computers and a standardized resource to clean them. In Germany, the Anti-Botnet-Advisory Centre works with ISPs to notify infected customers and provide them with tools and guidance to remove the infection from their computers. More examples are in the paper.
In the banking scenario that we shared at RSA 2011, we demonstrated one way that existing state-of-the-art Network Access Protection technology could be implemented to encourage machine health. In the scenario, a consumer chooses to opt-in to a program that promotes machine health by alerting the individual to a security risk identified by her bank (in our simple demo, that risk was out-of-date anti-malware software).
Even though a machine might not yet have a malware infection, the user can be notified of problems or configuration issues that might increase his or her risk of a malware infection. The recommended remediation can help reduce risk for that customer and – by extension – for all of the customers participating within that ecosystem. We believe helping to reduce risk and increasing protection for devices before they experience a compromise is a defense strategy that citizens, industry and government should support. It is a key first step in transforming our current computer security posture from reactive to preventative.
Balancing Internet Access and Security
Another broad area of feedback I’ve received since October can be characterized as apprehension that the collective defense measures could be used by governments or organizations to monitor people for purposes not related to Internet health and safety. As I outlined in my paper, it is important to achieve these security benefits in a way that does not erode privacy or otherwise adversely impact freedom of expression and freedom of association.
That being so, contracts should provide, and legal frameworks should help ensure, that any such programs are limited to ensuring device health and that information gathered is used for no other purpose (for example, the enforcement of intellectual property rights or the creation of marketing profiles). Limiting the scope of the program to device health issues would help reduce concerns that Internet health measures were being used to justify activities not related to Internet security.
A related concern raised is that people might be cut off from key services like Voice over Internet Protocol (VOIP) phones to contact emergency services or machines used for medical devices. This is an area that needs to be accounted for in driving social, political and technical alignment to develop acceptable solutions. As devices converge (e.g., a computer may be used to make VOIP calls, including calls to emergency services), denying a user complete access to the Internet, even for a short period, could well have damaging consequences. It is important that solutions be developed that promote a healthy Internet without limiting its utility, much like a cell phone may require a password but still allow emergency calls to be made even without that password.
Advancing such a far-reaching proposal certainly raises many important issues that will need to be worked out, but when I look at the extent of the problem we are dealing with, I think we need to come up with systematic solutions.
I hope to continue this conversation, and encourage readers to provide us with your comments. Learn more about the Collective Defense proposal and Collective Defense: Device Health at http://microsoft.com/security/internethealth
For more details about Microsoft’s participation at RSA 2011, see http://www.microsoft.com/presspass/presskits/security/