ISSE 2010: PCs should have regular checks before accessing the internet

Security experts generally agree that a well-resourced and persistent cybercriminal will usually succeed in attacking corporate IT systems.

Security experts generally agree that a well-resourced and persistent cybercriminal will usually succeed in attacking corporate IT systems.

Raising the defences does not seem to be the answer, with firewalls, anti-virus programs and automated patching failing to keep out determined hackers.

What, then, is to be done?

The answer is collective defence, according to Scott Charney, Microsoft's corporate vice-president of Trustworthy Computing.

Public health model

He believes the world should apply a public heath model to the internet, which dictates that all infected PCs be quarantined or given limited access until fixed.

Just as individuals carrying a deadly disease put the health of others at risk, so computers that are infected with malware put others at risk and pose a threat to all, says Charney.

One possible way to address this, he told the ISSE 2010 conference in Berlin, is to implement a global system of health checks similar public health systems in the physical world.

"Unlike human health, computer health can be automated," he says.

To achieve this vision, outlined in a paper published by Microsoft, Charney says the world needs a system to evaluate and certify the health of computers connecting to the internet.

The technology for such a system already exists is various network access systems widely used by enterprises to ensure the health of PCs connecting to their networks, he told Computer Weekly.

Microsoft also plans to provide and promote research and development that will make system-scanning and cleanup more cost-effective, he says, along with looking to solve current technical barriers.

Only machines with valid health certificates should be allowed free access, he says, while infected computers should be given only limited or selective access until they comply with a minimum health standard.

Banking and other service providers could bar access to PCs without valid health certificates, explains Charney, but they would still be allowed internet access for remediation purposes in much the same way as mobile carrier sometimes allow access only to emergency services.

"The key will be creating value for both internet users and service providers, and do so in parallel to ensure adoption through market forces," he says.

PC MOT tests

This is the ideal, but if that fails, Charney believes governments will then have a role to play in encouraging service providers to require health certificates for access because governments have the unique role of setting policies.

Just as a driver who refuses to have a blood alcohol test could have their licence revoked, he says any user refusing to have a PC health check could, for example, have their access to services blocked.

"IT security is not really intuitive because threats are not always as obvious as they would be in crossing a road in the physical world, so perhaps government needs to take on some of the responsibility for keeping citizens safe online as it is not really fair to ask ordinary computer users to become IT professionals, and healthcare professionals only allow people to medicate so much before they need to intervene, such as prescribing antibiotics," he says.

Microsoft will advocate for legislation and polices worldwide to help advance the model, he says, but in a way that advances principles supporting user control and privacy.

But, Charney says, governments ultimately do not control or own the internet, and he is confident that market forces alone will go a long way in promoting the adoption of his model because of the inherent cost incentives.

Just as preventative medicine is a lot cheaper than dealing with the consequences of widespread disease in the physical world, he says, keeping networks clean by notifying users will be less costly for internet service providers than having to deal with widespread malware infections.

Governments could also play a role, as large enterprises that will not involve legislation, says Andy Bates, director of government technical marketing at UK-based networking services firm Global Crossing Telecommunications.

"As with standards like ISO27001, ISO9000 AND ITIL, we see government's role as key in specifying these features in new contracts and thus create a wider adoption of de-facto industry standards rather than impose them as law," he says.

Bates believes this approach will be spearheaded by early adopter customers and providers.


The idea of PC health checks could raise privacy concerns, but Charney believes privacy can remain intact by separating device health from device content, and that communicating the machine's overall health does not necessarily mean revealing the user's identity.

It is important to achieve better security in a way that does not erode privacy or otherwise raise concern, he says, and this is why it is crucial to have the right regulatory framework that will give internet users the assurance that any monitoring system will inspect their machines for botnet and other infections, but nothing else.

Providing these assurances, however, is perhaps one of the biggest challenges to Charney's proposal.

Unlike most health services in the physical world, the process for checking PC health would be relatively opaque, he admits.

However, having an independent third-party to check the system and verify that only relevant information is being collected, he says, could be a simple way around the problem of ensuring the service is trusted.

"This approach already works for Microsoft's Windows Update service, where the service is independently checked and verified by an independent third party," says Charney.

The proposed system would also need a standard approach to health checks, and Charney concedes it may require some sort of international standard on operations.

"Just as international phone calls required certain operational standards, we may have to look at setting up an international operational standards body for IT," he says.

Critics of the proposed model have said that with rapid rate that new malware is produced, a health check system could never keep up.

But, says Charney, there is tremendous value in blocking the threats that are known, and he says, the system will help pick up unknown malware faster to enable the security community to study it and develop defences.

Like most security initiatives, collaboration is key to Charney's proposal, but again, he says, although 100% collaboration would be best, it is not a requirement to improving the overall health of PCs connecting to the internet.

There are also a finite number of service providers, he says, which should not prove too difficult to manage in terms of getting support.

There are four distinct kinds of cyberthreat, says Charney, which is why a single broad cyber security strategy will never be able to deal with cybercrime, economic espionage, military espionage and cyber warfare.

But, applying the public healthcare model to the internet can deal with the common threat of botnets, which are routinely used in all four kinds of attack, he says.

Cyber security policy and legislation is being discussed in many countries around the world, says Charney, and this presents a huge opportunity to introduce a public health model to the internet for the benefit of the whole online community.

Read more on IT risk management