Achieve online safety through collective defence, says Microsoft

Internet users are facing increasingly complex threats they can't defend themselves against, according to Microsoft.

Anti-malware software can only go so far and will not protect against more advanced threats, said Jeff Jones, director of Microsoft's Trustworthy Computing.

"For this reason, we need to adopt a new model of defence that will require the participation of government and the whole security industry," Jeff Jones told Computer Weekly.

Now is the time to take action, he said, because not only have threats reached a critical level of complexity, but there is also sufficient awareness of the threats to drive demand.

For over a year, Microsoft has been using its industry leadership position to champion the idea of collective defence based on the public health model.

Until now, said Jones, social, political and economic alignment had been lacking, but this is changing.

"Socially, we believe the awareness of threats is now high enough to spark the imagination of internet citizens to want a cyber equivalent of a neighbourhood watch," said Jones.

Politically, too, conditions are increasingly favourable, he said, with a higher level of awareness among people in government of the threats and of citizens' desire for action.

"The risk is that if there is no discussion between government and the security industry, solutions will be developed in isolation that will not be interoperable," said Jones.

Also, with so many governments on the brink of finalising cyber strategies, he said, now is the time to push the idea of collective defence to ensure its inclusion in those strategies.

Economically the time is right, because internet service providers (ISPs) around the world are beginning to see business value in collaboration.

"They see value in cutting down the wastage of bandwidth by the huge volume of spam generated by botnets, and are therefore more likely to develop new business models that incorporate the systematic protections we are talking about," said Jones.

The way forward, according to Microsoft, is to collectively engage in solving the problem as some ISPs are already doing. They should learn from the public health model to establish an equivalent system of systematic infection control in the cyber world. ISPs must develop such a system in a way that is sensitive to privacy concerns, ensure it aligns with market forces and enable the system to address advanced threats such as botnets.

Just as there are well-established and trusted ways of monitoring our physical health in the real world, we need to work together to do the same online, said Jones.

Microsoft is engaging with policy makers around the world and investing in several proof-of-concept projects around setting up health checks and fixing infected PCs as part of its mission to help create a safer, trusted internet.

This is the goal of the Trustworthy Computing division, said Jones, which was set up in 2002 by Bill Gates with the long-term goal of making Microsoft a champion of security and privacy.

But this initiative is not about Microsoft products, he said; it is about prompting government and industry to work together to solve a common problem.

"There is no single silver bullet, but we believe the IT industry and government can get ahead of the threat curve by introducing multiple systematic changes that all reinforce each other to create multiple layers of defence for all internet users," said Jones.

Microsoft has published details of its proposal for collective defence, and is seeking feedback on that proposal from the IT industry and all other interested parties, he said.
