End To End Trust

Creating a Safer, More Trusted Internet

United States   Change | All Microsoft Sites
Internet Health
Scott Charney keynote

"Simply put, we need to improve and maintain the health of consumer devices connected to the Internet."


SOCIAL, ECONOMIC, POLITICAL, AND IT ALIGNMENT

Microsoft Calls for Internet Health Model for Cybersecurity Collective Defense

At his keynote at RSA in San Francisco, Scott Charney, Corporate VP of Microsoft's Trustworthy Computing, profiled the Collective Defense proposal and shared the Internet health model for addressing cybersecurity issues.

In the shared and integrated domain of the Internet, organizations, governments, and consumers face a myriad of threats that are technically advanced, persistent, well-funded, and motivated by profit or strategic advantage. Commonly available cyber defenses such as firewalls, antivirus software, and automatic updates for security patches help reduce the risk from threats, but they are not enough.

Despite our best efforts at education and protection, many consumer computers are host to malware and may be part of a "botnet," unbeknownst to their legitimate owners. Botnets are used to send spam or engage in illegal activities, but a more serious threat from botnets is that they could be used to attack critical government infrastructure or threaten economic interests.

There is currently no global approach to protecting people from the potential dangers of the Internet. Whereas enterprises typically have a CIO and CSO to help them manage the threats they face, there is no equivalent for consumers worldwide, or even at the national level for most countries. Unlike enterprises, consumers don't have support from IT experts nor do most people want to become security experts themselves. Information technology is complex and many people are unaware of how to protect themselves, even though tools have been built to automatically scan machines, install program updates, update virus signatures, and remove malware when found. As helpful as education and these tools are, they have proven inadequate to the task of preventing the proliferation of botnets. Some consumers do not follow the guidance provided and engage in other unsafe actions—such as downloading executable programs from unknown sources—leading to a large number of machines infected. Those with infected computers are not simply risking their own valuable information and data; they are putting others at risk too. Because of this threat to greater society, it's essential that the technology ecosystem take collective action against this threat.

Simply put, we need to improve and maintain the health of consumer devices connected to the Internet. This will benefit not only users, but also the IT ecosystem as a whole. To realize this vision, governments, the IT industry, and Internet access providers should ensure the health of consumer devices before granting them unfettered access to the Internet. One approach is to look at addressing online security issues using a model similar to the one society uses to address human illness. The public health model encompasses several interesting concepts that can be applied to internet security.

With both security and privacy in mind, the following statements reflect the concepts outlined in the paper Collective Defense: Applying Public Health Models to the Internet (PDF), intended to help guide stakeholders efforts, promote action, address challenges, and influence future initiatives.

  • The risk that botnets present to Internet users and critical infrastructures must be addressed.
  • Collective defense can and should be used to help improve the security of consumer devices and protect against such cyber threats.
  • A public health model can empower consumers and improve Internet security.
  • Voluntary behavior and market forces are the preferred means to drive action but if these means fail, governments should ensure these concepts are advanced.
  • Privacy concerns must be carefully considered in any effort to promote Internet security by focusing on device health. In that regard, examining health is not the same as examining content; communicating health is not the same as communicating identity; and consumers can be protected in privacy-centric ways that do not adversely impact freedom of expression and freedom of association.

In order to improve the security of the Internet, governments and industry should engage in more methodical and systematic activities to improve and maintain the health of the population of devices in the computing ecosystem, These activities include detecting infected devices, notifying affected users, enabling those users to treat devices that are infected with malware, as well as taking additional actions to ensure that infected computers do not put other systems at risk. While the security benefits may be clear, it is important to achieve those benefits in a way that does not erode privacy or otherwise raise concern.

This model will only work if it's accepted by society and people are assured their privacy is protected. With that in mind, the model must empower people by developing socially acceptable cyber health policies, laws, and international agreements.

To learn more about Microsoft's proposal, download and read Collective Defense: Applying Public Health Models to the Internet (PDF), in which Microsoft proposes government and industry take action to help mitigate cyber threats today and ensure the long-term health of the Internet as it continues to grow and evolve.

SHARE THIS PAGE:
 Post it to Social Post it to MSDN Post it to del.icio.us Post it to digg Post it to Facebook Post it to live Post it to reddit Post it to technorati Post it to yahoo Share on Twitter
Was This Information Useful?