There are many outspoken voices in the security field, but most pale in comparison with Russ Cooper, Surgeon General of TruSecure Corporation and editor of the essential security site NTBugtraq.
Fed up with people who do nothing to protect themselves (and others) from security threats that could be easily stopped, Cooper recently proposed financial penalties for users and ISPs who dont take reasonable antisecurity measures.
Now, Im not sure whether this proposal is entirely serious or more of a trial balloon to gauge opinion among Coopers technically sophisticated audience. He definitely will solicit reader reaction and Im sure hell discuss those reactions in a later commentary.
Most worm and viral attacks spread because so many systems on the Internet are unprotected, even though countermeasures are free or inexpensive and have been available for a long time. This is an outrage, as Ive mentioned in previous columns.
The gist of Coopers plan is to hold users and ISPs to a minimum level of responsibility for taking measures to protect themselves. For example, the Slammer worm spread throughout the world quickly even though there had been a patch available for about 6 months. Too many people decided they were just too busy to apply it.
Under Coopers proposal, users and especially ISPs would be expected to apply it. ISPs would be expected to do what they could to block it and to notify their customers when patches are available.
However, the plan goes farther than warnings. If a client system becomes infected as a result of a missing and available patch, Cooper suggests that ISPs impose a fine on the customer and collect it.
This is a shocking notion, most shocking to the ISPs themselves no doubt. The fines, or at least a portion of them, would go to the ISPs to support these efforts, giving them a stake in it or at least some coverage. Cooper also states that ISPs would need freedom from liability for dropping customer traffic pursuant to the new rules. Even with all this, I suspect few, if any ISPs would be happy about their business being turned into a security enforcement mechanism.
In addition, this scheme would require the creation of a squad of Internet Police, potentially a security firm under contract (like Coopers own TrueSecure, a possibility he raises himself). This firm would regularly scan systems on the Internet and forensically examine attacks—their goal would be to determine how ordinary people should respond to an attack, not so much who instigated the attack. These responsible actions would include applying patches, running anti-virus software and keeping them up-to-date.
At one level I find this plan quite tempting. People often compare the Internet to a highway, except the analogy falls apart when we look that the details. We have strict rules for our roadways and a police force authorized to enforce them. Drivers can incur fines and even go to jail based on their misbehavior.
On the contrary, there no authority on the Internet to protect the innocent against the malicious attacks of bad guys; or as Cooper is more concerned with, against those who have taken no measures to protect their own security. Worse, its not even clear that some of the attacks being perpetrated are illegal.
Still, if we take the highway analogy further, Coopers plan for Internet cops looks reasonable. We expect drivers to inspect their cars and maintain safety standards, standards which have become much more rigorous over the years. We expect drivers to have insurance. For heavens sake, we license drivers! Shouldnt we expect something similar as our data maneuvers through traffic?
Reaction thus far to Coopers plan, such as in a Slashdot thread, has been varied. Of course, a large and predictable element blames the whole thing on Microsoft, or for the most part on those who write software that can be abused.
In my book, this attitude distorts right and wrong. If someone breaks into my house, am I to blame for not having sufficient defenses, or is it the company that manufactured my door lock? To an extent perhaps, but we shouldnt lose sight of the fact that its the attacker, the author of the worm or the hacker breaking into the system, who is really to blame. And its the responsibility of governments to protect us from such people.
At the same time, Im concerned about giving power to such an agency, which would maintain records of users and their practices. And Im worried about the likelihood that it would make mistakes.
Besides, is this plan politically feasible? From a practical point of view, its difficult to imagine anything like this happening. Coopers Internet cops would have to have international powers, and the very idea of some international über-cyber authority is outside the comfort level of most people, including me.
Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer