Many organisations are stuck in a state of paralysis because they fail to understand the nature of cyber threats, says Scott Charney, corporate vice-president of Microsoft's Trustworthy Computing Group.
These organisations are failing to see that cyber threats fall into four distinct categories, each needing its own strategy, he told the RSA Conference 2011 in San Francisco.
The first type of threat is aimed at stealing data for financial gain, the second is aimed at stealing intellectual property for commercial advantage, the third is aimed at stealing military information, and the fourth is cyber warfare.
Although the attackers may use similar techniques, their motives are different and therefore require different approaches, said Charney.
Most organisations will not have to deal with the last three types of threats, but every user of the internet is targeted by cyber criminals collecting information to commit fraud, which is therefore of concern to everyone.
For over a year, Microsoft has been advocating a public health model for the internet that initially envisioned a cyber equivalent of the World Health Organisation that would require computers to pass a malware check before being allowed to connect.
"Experience has shown that collective defence is better than individual, isolated efforts," he said.
While championing the public health model for achieving collective defence on the internet, Charney said he had identified some flaws in the original concept that needed ironing out.
"First, not all internet users will want their machines scanned, second, it would place a heavy burden on internet service providers (ISPs) to act as gate keepers, and third, denying access to the internet may have unforeseen negative consequences," he said.
The answer to enabling a public health model on the internet is claims-based identity, where the user retains control and decides what information to pass on, said Charney.
Claims-based authentication would enable users to decide when not to submit PC health check information, he said.
"This could have consequences in much the same way as refusing to take a blood-alcohol test would have if requested by traffic police, but users would remain in control," said Charney.
This approach would also take away the burden on ISPs as gatekeepers and allow a variety of options in response, he said. Any organisation, such as a bank offering online services, could request PC health certificates from customers and then, depending on the status of the PC, they could decide whether to block access until problems have been fixed, or take a range of different risk-management steps such as limiting the value of transactions.
A claim-based approach, said Charney, will enable the internet community to apply a public health model and address the botnet risk without threatening users' rights to privacy.
Access to the internet would remain open to all, but just as children attending school are required to have vaccinations against common diseases, users of particular services will be required to prove their PCs meet the required security standard.
"We need think about collective defence to raise the basic level of hygiene because the botnet threat is not just to the individual, but to the whole community of internet users," said Charney.
The next step is to focus on trusted IT stacks and deploy claims-based identity systems to enable collective defence using the public health model he said.
According to Charney, Microsoft is committed to advancing the idea of collective defence, and now is the time for action.
"As more of the world's people, computers and devices come online, threats also become more sophisticated, and as the number of reported cybercrime victims grows, protection becomes not just an individual concern, but more of an ecosystem or societal concern," he said.