Microsoft: Use Public Health Strategies to Fight Cyber-attacks

By Brian T. Horowitz  |  Posted 2010-10-06

Scott Charney, Microsoft's corporate vice president of trustworthy computing, is advocating that governments enact legislation that would isolate computers from the public Internet if they aren't adequately protected by the latest security technology.  

Speaking at the International Security Solutions Europe (ISSE) Conference, in Berlin, Charney said governments should establish computer security policies modeled after public health measures that isolate people who are exposed to infectious diseases. His keynote at the conference was based on his paper "Collective Defense: Applying Public Health Models to the Internet." 

The ISSE is the largest independent IT security and identity conference in Europe, according to the organization's Web site. 

Charney wrote that collective cyber defenses are often unsuccessful because consumers' machines are not checked often enough for infections. "Whereas enterprises typically have a CIO and CSO to help them manage the threats they face, there is no equivalent for consumers worldwide, or even at the national level for most countries," Charney said in his keynote address. 

To address cyber threats and botnets and tighten Internet security, Charney recommends that governments adopt legislation and policies based on this public health model. Like requiring students to get vaccinations before being admitted into universities and ordering food service workers to wash their hands before preparing meals in restaurants, similar steps should be taken by the government, IT industry and ISPs to ensure that consumer devices are bug-free before connecting to a network.  

Consumer devices need to be isolated just as they would be under the firewall of a corporate network. "Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society," Charney wrote in an Oct. 5 blog post.

"For a society to be healthy, its members must be aware of basic health risks and be educated on how to avoid them," he explained. 

Established Methods Inadequate in Fight Against Botnets

In his paper, the Microsoft executive compared not following security risks to ignoring the hazards of smoking or spreading dangerous human viruses such as SARS and H1N1. 

According to Charney, established security methods (firewalls, antivirus software, patching and the like) have been inadequate in fighting botnets, which are computer robots that spread malware or viruses.

"If a device is known to be a danger to the Internet, the user should be notified and the device should be cleaned before it is allowed unfettered access to the Internet, minimizing the risk of the infected device contaminating other devices or disrupting legitimate Internet activities," he advised. 

Charney proposes that technology products be required to receive a health certificate, while suggesting that health certificate requirements could lead to software patches, firewalls and antivirus programs being applied properly. He mentioned the EuroPriSe (European Privacy Seal) as an independent seal to use as a model. 

Of course, it's not a perfect solution. Charney notes that it could happen that a user requires a VOIP connection for a 911 call and his or her connection gets blocked because the system lacks a proper health certificate. 

"Information learned through the health examination process may be extremely valuable to those attempting to understand and preserve the health of the Internet," Charney wrote. 

In his paper, Charney proposed three steps: ensuring that devices can earn trustworthy health certificates; building an infrastructure that allows companies to receive the health certificates and act on them; and encouraging quick sharing of information about new threats. 

The "Collective Defense" strategy entails teamwork among governments, ISPs, the IT industry and users, according to Charney. 

"We cannot expect consumers to become security experts, but if we think about how the public health model helps consumers to understand when they are ill and when they should get treated, we can come up with relevant concepts that are applicable to Internet security," Charney concluded. 

