Is Internet and computer security ‘health’ like public health? What it means for ISPs
We already call some computer security breaches ‘viruses’ – so is it a big leap to start thinking about a collaborative approach to Internet security using ideas from the medical community?
At the recent RSA Security Conference, Microsoft – whose Windows operating system is the target of so many network-based security attacks – called for the computer and telecom industry to take a “public health” style approach to protecting computers from malware attacks. The idea, according to Scott Charney, corporate vice president for trustworthy computing at Microsoft, is that when it comes to our physical health, doctors (and the government) don’t think about individual health – they think about collective health. So you get government health programs and oversight, not just every individual looking out for themselves.
The same approach is required on the Internet, Charney said, calling for a more collective approach to cyber-security that would operate to protect us all at a local, national and international level.
Of course such systems exist today to some extent, as attack info and virus signatures get shared. But oftentimes, entities – from individual computer users (wanting to protect their privacy) to large enterprises (wanting to protect their corporate interests) – don’t do enough to protect the interests of the whole.
“Most of our efforts today are reactive, but we need to be proactive,” Charney told RSA attendees. “We promote wellness and exercise to promote public health. We can promote wellness for the internet.”
Of course collaboration sounds great in theory. One controversial aspect of Microsoft’s call for such collective efforts in the past has been the idea that Internet Service Providers (ISPs) would help out that whole by quarantining – in essence cutting off – customers whose virus-addled computers posed a threat to everyone else. In the latest form of this idea, ISPs would issue “health certificates” to signify if a user’s machine was healthy or not.
Microsoft’s stance here is a bold one – and has been met with criticism from a variety of quarters. The company has backed down a bit from its initial idea (saying it should be up to private industry, not the government, to put such ideas into place). But it isn’t backing down completely.
And it probably shouldn’t. Given the problems that viruses, phishing attacks and other security breaches cause, not just for the first user to get them but every subsequent user infected, a more collaborative approach to Internet security is undoubtedly called for.
For ISPs and other managed services providers, the idea of health certificates is no doubt a double-edged sword. On the one hand, the idea should appeal to ISPs, which as the first line of defense in the Internet security wars spend untold amounts of time and money cleaning up other people’s messes. At the same time, such an approach could potentially place ISPs in the role of arbiter, deciding which computers are healthy and which ones are not – not to mention which customers they’ll be forced to “punish” by potentially knocking their systems off-line.
Like most things when it comes to Internet security, it looks like there are no easy answers. But the idea of Internet “health certificates” is now in the air – we’ll see what becomes of them.
© 2012 Penton Media Inc.



