Crossroads Blog | CYBER SECURITY LAW AND POLICY

Official Policy, regulation

Public Health Care Model for Internet Security – U.S., Australia, & Microsoft all consider

In an earlier post on October 8th, we discussed Microsoft Vice President Scott Charney's proposal to use the public health care system as a model for Internet security.  That post highlighted the international nature of Charney's proposal.  The news media and this post, however, highlight its references to the public health care system.

The Wall Street Journal called Charney's plan, "A Quarantine System for Computers:"

As with our own health care, it’s usually not until a PC starts acting up that we ask ourselves if there is something wrong with it. But with the threat of bots — programs that infect computers and secretly do the bidding of a central operator at a central location — experts say proper Internet security is no longer just a concern for individual computers.

One way to deal with the problem is by instituting measures that effectively quarantine infected computers, said Scott Charney, corporate vice president for trustworthy computing at Microsoft, in a paper entitled “Collective Defense: Applying Public Health Models to the Internet.” …

While public health organizations advise the population on helpful practices such as hand-washing, when the public can no longer be relied on to stop the spread of disease, stricter measures such as quarantine can be taken. Access can also be limited or restricted for people who do not have the proper vaccinations.

In that same vein, Mr. Charney in his paper suggests that when consumers can’t be relied on to keep their computers bot-free, a new system could detect those computers that are a threat to the larger community, enable users to treat their infected devices and take measures to ensure that their infected computers cannot put other systems at risk.

One way to do it, Mr. Charney suggested in an interview, is to issue health certificates for individual computers. When the health certificate shows that the computer is healthy, users could present the document to Internet service providers or businesses that operate secure websites such as banks, in return for access to the network. If a computer was deemed unhealthy, access would be denied or restricted. The user would then have to explore options to update the device.

“If the machine isn’t showing good health, or the person says, ‘No I don’t want to show a health certificate’…the Internet service provider might say I am going to give you access to the Internet, but I might throttle your bandwidth a bit,” Mr. Charney says.

The full Wall Street Journal article can be read, here.

Aside from political and privacy concerns, the proposal has some technical limitations.  Just limiting an infected computer's bandwidth might induce an owner to clean the infection and might, in the mean time, limit the computer's effectiveness as a part of a webot distributing spam or participating in a DDoS attack, but any connectivity could allow the infected computer to spread the virus or malware to another computer.  Second, a computer can become infected at any moment, so the good health certificates proposed here would need to timeout very quickly, perhaps weekly or even daily, to be of much use.

Another article entitled "Microsoft Proposes Public Health Model For Internet Security" can be found on InformationWeek.com.

Predicatably, many whose primary concern are civil liberties and privacy see this model as an attempt to require government licensing of computers.  For example, prisonplanet.com reports on Charney's proposal with the headline "Microsoft Proposal Opens Door For Government Licensing To Access Internet."

Still, reports indicate that the Obama Administration is considering a similar approach.  The Associated Press reported yesterday, October 16, 2010, that:

WASHINGTON – The government is reviewing an Australian program that will allow Internet service providers to alert customers if their computers are taken over by hackers and could limit online access if people don't fix the problem.

Obama administration officials have met with industry leaders and experts to find ways to increase online safety while trying to balance securing the Internet and guarding people's privacy and civil liberties.

Experts and U.S. officials are interested in portions of the plan, set to go into effect in Australia in December. But any move toward Internet regulation or monitoring by the U.S. government or industry could trigger fierce opposition from the public.

The full Associated Press article can be found here, entitled "US Studying Austalian Internet Security Program."   Here at Crossroads, we blogged about the Australian plan back on June 22, 2010.  While the AP notes that the Obama Administration is not necessarily considering a complete denial of service for infected computers, the Australian plan certainly does.

It seems to me (Snyder) that some form of enforcement of minimum security standards (e.g., firewalls, anti-virus software) will be required beyond just incentives.  Indeed, the AP article linked above notes that White House Cyber Security Coordinator Howard Schmidt is already making the "it's for your own good" argument:

"Without security you have no privacy. And many of us that care deeply about our privacy look to make sure our systems are secure," Schmidt said in an interview. Internet service providers, he added, can help "make sure our systems are cleaned up if they're infected and keep them clean."

Who would set the criteria for a certification of good health?  Who will enforce any limitation or denial of service? How would an aggrevied (disconnected) person appeal, and to whom?

A full copy of a 13-page paper outlining Mr. Charney's proposal can be found, here.

Leave a Reply