Risk
10/5/2010
02:51 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Proposes Public Health Model For Internet Security

How far can we push the virus metaphor for harmful computer code?

Speaking before the International Security Solutions Europe (ISSE) Conference in Berlin, Germany, on Tuesday, Scott Charney, Microsoft's corporate vice president for trustworthy computing, proposed extending the health metaphor that dominates discussions of dangerous computer code to organizational and national network security policy.

His proposal, laid out in detail in a newly published paper titled "Collective Defense: Applying Public Health Models to the Internet," calls for cyber security efforts modeled on efforts to address human illness.

Indeed, with all the computer viruses on the Internet, it only seems prudent to educate people about STDs (server-transmitted diseases), to promote electronic vaccination, to require some measure device hygiene, and to quarantine infectious computers.

"Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk," wrote Charney in a blog post summarizing his speech. "To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources."

On a general level, Charney is rephrasing calls for cooperation to address computer security issues. That's something the public and private sector have been pursuing for years and no doubt will continue to do in the years ahead.

But Charney has more than information sharing among the white hats on his mind. He cites both simple and systematic measures -- the promotion of hand-washing, vaccination requirements for admission to schools, and students being forced to remain at home when sick -- as approaches that should be considered for Internet security.

In his paper, he suggests that devices could be required to present a "health certificate" as a condition for Internet access.

But using health as a metaphor for Internet security is not without problems. In 2009, the U.S. spent 17% of its GDP on healthcare, more than any other developed nation. It's safe to say that few aside from security vendors would favor mapping the healthcare spending model onto Internet security.

What's more, health rules have been misused around the globe in the name of the social good, through efforts to "cure" political prisoners in mental health institutions and through forced medical procedures and medical experiments, for example.

"You always have to be careful with metaphors," said Cindy Cohn, legal director for the Electronic Frontier Foundation. "Metaphors can lead to really bad policy. That doesn't mean what Microsoft is proposing is bad. But the point here is to think hard about what it would mean."

Cohn points to peer-to-peer file sharing as an example of a technology that some people still consider to be harmful. She said she'd be nervous about using health as a security model until the implications are more fully understood.

To Charney's credit, he does note that some circumstances, like the need to preserve human health by making an emergency call from an infected cell phone, might override network health measures. What remains to be determined is when network health concerns might trump other rights we take for granted.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.