Microsoft’s Solution to Cyber Attacks: PC Health Certificates

Quarantine officers on our flight

If you haven’t already, please read Seymour Hersh’s insightful and non-alarmist New Yorker article on cyber security in the context of the recent Stuxnet virus and China’s growing hack capabilities.

The Hersh piece contains a very simple solution to safeguard our nation’s IT against government or mere freelance hackers: mandatory encryption of all commercial and civil Internet communications.

While this broad approach is attractive in principle, cost and inconvenience make this less than desirable. And there’s also opposition from the same government intelligence agencies responsible for protecting us against cyber attacks in the first place: they wouldn’t be able to eavesdrop as easily.

Though perhaps not the most credible candidate, Microsoft has offered its own proposal, an idea that has proved useful in managing infectious diseases: PC health certificates.

There I was examining recent FCC filings when I stumbled upon Collective Defense: Applying Public Health Models to the Internet, which was submitted by Scott Charney, Vice President of Microsoft’s Trustworthy Computing division.

Why was Microsoft getting involved in cyber security public policy issues?

In April, the FCC opened a Notice of Inquiry to seek “public comment on the proposed creation of a new voluntary cyber security certification program that would encourage communications service providers to implement a full range of cyber security best practices.”

Not surprisingly, this idea did not go over well with the service providers. AT&T, for example, responded with a 60-page comment in which it more or less told the FCC to mind its own business and leave this problem to the private sector. More of the same lecturing on market-based incentives came from T-Mobile and others.

If you filter out the free-market posturings of the service providers, they actually made some valid points in their comments. AT&T noted that a “significant portion of vulnerabilities arise from the application and device layers.”

Touché AT&T.

Perhaps realizing that now was the time to introduce its own views before the FCC did something rash, Microsoft hurled a comment over the FCC wall.

Unlike the carriers, MS did not rule out government-industry partnerships. Instead they suggested procedures that have worked well in the public health sphere. Just as we contain disease spread by tracking infections and enforcing quarantines as needed, computer attacks could be equivalently managed by compiling information on devices and preventing infected or less-secure computers and smartphones from accessing the Internet.

Microsoft has in mind a secure computing element (probably running at the kernel level in the operating system) checking that the latest application patches and current anti-virus software with up-to-date signatures are in place, and ensuring that the silicon is not already infected.

If it passes its “physical,” the patient would be issued a digital certificate to engage in Internet communications.

The Microsoft report notes there would be potential privacy issues as, er, service providers, would be asked to interpret the health certificate, which could include unique identifying information.

And service providers would also be given the responsibility of deciding whether a device that didn’t meet all the health requirements would be allowed to access their networks.
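To make the flow concrete, here is a sketch of the device-side check and the provider-side decision described above. It is an added example, not code from Microsoft's filing or from this post; the field names, thresholds and the HMAC key (standing in for a real issuer signature) are all assumptions. Note that the claims carry no device identifier, which is the privacy-preserving end of the trade-off the report raises.

```python
import hashlib
import hmac
import json

# Assumption: a shared HMAC key stands in for the issuer's signing key;
# a real scheme would use an asymmetric signature rooted in the device.
ISSUER_KEY = b"constructed-demo-key"
MAX_CERT_AGE = 24 * 3600       # hypothetical certificate lifetime, seconds
MAX_AV_SIGNATURE_AGE_DAYS = 7  # hypothetical anti-virus signature age limit


def _tag(body):
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_certificate(claims, now):
    """Device-side health agent: sign the health claims it measured.

    The claims deliberately hold no unique device identifier.
    """
    body = json.dumps({"claims": claims, "issued_at": now}, sort_keys=True)
    return {"body": body, "tag": _tag(body)}


def evaluate(cert, now):
    """Provider-side decision: 'allow', 'quarantine' or 'deny'."""
    if not hmac.compare_digest(_tag(cert["body"]), cert["tag"]):
        return "deny"            # forged or altered certificate
    data = json.loads(cert["body"])
    if now - data["issued_at"] > MAX_CERT_AGE:
        return "quarantine"      # stale: the device must be re-checked
    c = data["claims"]
    healthy = (
        c.get("patches_current") is True
        and c.get("av_signature_age_days", 999) <= MAX_AV_SIGNATURE_AGE_DAYS
        and c.get("malware_detected") is False
    )
    # An unhealthy but honest device is quarantined for remediation,
    # not rejected outright; that policy choice is the provider's.
    return "allow" if healthy else "quarantine"


if __name__ == "__main__":
    # Constructed sample claims, not real measurements.
    cert = issue_certificate(
        {"patches_current": True, "av_signature_age_days": 2,
         "malware_detected": False}, now=1000)
    print(evaluate(cert, now=2000))
```
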

On that last point, deciding who would gain network permissions, I suspect carriers and providers might be willing to bend principles and embrace Microsoft’s good bill of health concept.

Think about it: carriers could charge more for the right to access their networks if a customer’s computer didn’t have the latest security patches!

It’s a free-market solution AT&T et al. could really get behind: shift the responsibility of securing the Internet to customers too lazy to keep up with Microsoft’s barrage of Windows, Internet Explorer, Office, etc. updates.

Who knows, they may even ask the FCC to issue a rule requiring health certificates. 😉
