To stymie the threat of botnets and other malware impacting consumer machines, internet industry stakeholders should ensure the security of consumer devices before allowing them full access to the internet, a Microsoft executive said this week.
Speaking Tuesday at the International Security Solutions Europe (ISSE) conference in Berlin, Scott Charney, Microsoft's corporate vice president for trustworthy computing, called on the IT industry, government and internet service providers to institute a new internet "health model."
The "approach involves implementing a global collective defense of internet health much like what we see in place today in the world of public health,” Charney wrote in a blog post Tuesday.
To limit the spread of disease in the physical world, society is educated about basic health risks and how to avoid them, he said. In many schools, students are required to be vaccinated before admission and ordered to stay home when sick. Additionally, world health organizations identify, track and control the spread of disease and can, when necessary, quarantine those who may spread infection to others.
In the same vein, to improve internet security, government and industry should promote security measures, detect infected devices, notify affected users, enable users to treat malware-infected devices and take additional action to ensure infected computers do not place other systems at risk, Charney suggested in a paper outlining the proposal.
Such an effort is needed, according to Charney, because many consumer computers are infected and belong to botnets, which can be used to launch attacks against other users, the government, critical infrastructure and financial systems.
“Simply put, we need to improve and maintain the health of consumer devices connected to the internet in order to avoid greater societal risk,” Charney said.
Under his idea, consumer machines seeking to access the internet would be asked to present a “health certificate,” which indicates whether software patches are applied on the machine, a firewall is installed and configured correctly and an anti-virus program with current signatures is running, and confirms that the machine is not currently infected with malware, Charney said.
If a minor problem is found, such as a missing patch or anti-virus signature, the user may be provided assistance in mitigating the issue, he said. If a more serious issue, such as a malware infection, is discovered, it may be appropriate to constrict the device's bandwidth.
Building an internet protection model that is socially acceptable would require finding a balance between security and privacy, Charney said. Specifically, users must retain control over their certificates.
Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham (UAB), told SCMagazineUS.com on Wednesday that he likes the idea of health certificates, but all of the possible legal implications must be considered before implementing such a plan.
The model could, for example, turn into a “dangerous game” if an individual, who is denied internet access, cannot do their job and decides to sue, Warner said.
He said the effort will only work if involved parties use the information they gather for public good, much like in the public health community when vaccines are developed.
“We have to find ways to break down these barriers of information sharing,” Warner said. “Until we have full visibility on the problem, we aren't going to know how to solve it.”