Vulnerabilities / Threats
12:39 PM
Connect Directly

RSA: Microsoft Revises Computer Quarantine Proposal

Scott Charney now believes users should present claims about the health of their computers without the involvement of ISPs.

At the RSA conference in San Francisco, Calif., on Tuesday Scott Charney, Microsoft's corporate vice president for trustworthy computing, revised his controversial call to apply the public health model to cybersecurity.

Charney had previously proposed that computers should be required to present cryptographically signed claims to ISPs about their health -- as measured by the absence of infectious malware -- before being granted network access.

But rather than push for an authoritarian approach in which infected machines could be quarantined and kept offline, Charney has come to believe that a community-based paradigm, in which users present machine health claims directly to Web services, without the involvement of ISPs, presents a more workable path.

"What's really changed is that as we started thinking more about the identity model, where you pass claims about your identity, we realized a better model is to pass claims about machine health, where the user controls the claims," he said in an interview last week.

Charney acknowledged that his message -- presented under the theme "Collective Defense" -- is not really a new one. He and his company remain interested in leveraging identity as a means of enhancing network security -- primarily through its Windows CardSpace identity system -- without doing away with the possibility of anonymity.

Identity, says Charney, is even more important as we shift toward a cloud computing model because so much information can be accessed through the network. But Charney now sees value in putting users rather than ISPs in control of the security-related claims process.

"It's not about gating people's access to the Internet," he said. "It's really about taking preventive measures to ensure they have a healthy experience on the Internet."

When Charney first proposed applying the public health model to cybersecurity last year, Electronic Frontier Foundation legal director Cindy Cohn urged caution in using the public health model for computer security until the implications are more fully understood. Her concern was that users could find themselves denied network access without adequate safeguards.

Part of what has prompted Charney to revise his suggestion is the extent to which the Internet has become indispensable. "Increasingly around the world, access to the Internet is being viewed as a fundamental right," he said. "That's an important change in perception."

Charney acknowledges that we have other fundamental rights, like freedom of speech, and says that while these rights are not absolute, they're of such importance that you want to be sure that security needs don't impact those rights in an unreasonable or unnecessary way.

"This model of passing health claims is actually what companies do today with network access protection," he said," where you pass a machine claim that your antivirus and your patches are up to date. And if not, your CIO and your company help remediate your machine. We realized with a claims-based model, that could scale to the public as well."

"The beauty of this model is the user remains in control," said Charney in his keynote address.

Charney argued that finally the social, political, economic, and IT spheres are aligning to make collaborative cybersecurity more workable. He suggested that rather advancing one cybersecurity policy, we need four: one for cybercrime, one for economic espionage, one for military espionage, and one for cyber warfare.

The first three, he said, are problems with precedents. We can harmonize laws to better address cybercrime, use diplomacy to press for international behavioral standards to limit economic espionage, and accept that we're not going to get rid of military espionage, which has persisted for centuries. Cyber warfare he sees as uncharted territory since it's not clear how nations should respond to the theft or destruction of data.

Justifying his advocacy of a public health model for computer security, Charney suggested considering other shared environments like public schools, where children are required to be vaccinated. "We need to make sure that people understand this is a shared and integrated domain," he said.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-09
Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.

Published: 2015-10-09
The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.

Published: 2015-10-09
The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension, which has unspecified impact and attack vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.