Proactive IT Security
 

Collective defense against Internet threats

Introduction

The RSA Conferences are among the most important annual security conferences. This year's US conference was held in San Francisco from 14 to 18 February.

One of the speakers was Microsoft's Scott Charney, Corporate Vice President, Trustworthy Computing. At the RSA Conference 2010, Charney advocated a system for handling infected computers in a manner similar to infected human beings ("the health model for Internet security"). His views were further elaborated and made more specific in a paper published in October 2010. We have discussed both of these in separate security articles, "Handling an infected computer as an infected human being" and "Your computer has been quarantined and cannot access the Internet", respectively.

Minor(?) modifications to the model

During this year's conference, Charney continued his discussion of the health model for Internet security - "collective defense". Many of the comments that were put forward during the debate after his previous presentations were valid and are taken into consideration in the refined model.

Charney also posted a blog item further outlining some of the aspects of the collective defense model.

Some of the issues raised in the presentation and the blog item were:

  • The most effective model is one that is implemented on a global scale, encompassing all areas. However, this does not conflict with the fact that implementing the ideas behind the model on smaller scales will bring us step by step closer to a comprehensive system.
     
  • The rights of the individual vs. the rights of society is a challenging issue with the model. It is not ideal to force individuals into certain actions. However, if an individual does not comply with defined regulations, there should be certain consequences. For example, if an online banking customer refuses to keep his antivirus program updated, he is not allowed to transfer more than a certain amount of money from his account.
    This system should ensure the individual's right to choose to participate in the collective defense model or not.
     
  • Collective systems may be misused by governments and organizations for purposes unrelated to security and health in computer environments. Legislation and contracts are needed in order to avoid abuse of the health model for Internet security.
     
  • A system where one could opt-in to receive notifications about the "health" of a device - e.g. misconfiguration - would reduce risk. Even though this is not set up as a mandatory system, it will imply a shift in strategy from reactive to preventive.
     
  • If devices are blocked from access to the Internet (quarantined), services like access to emergency systems over e.g. Voice-over-IP may be blocked as well. This objection can and should be taken care of by technology, similar to how it is solved in mobile phones (where emergency calls are allowed without the SIM card's password).

A diluted model?

Some commentators stated after the recent RSA presentation that the modifications to the model are in reality a backtracking from the health model for Internet security. 

We do not agree with that view. The main parts of the collective defense model proposed in the paper from October 2010 are still upheld. The fact that minor aspects of the proposal are adjusted as a result of comments from peers and further thinking on the author's side should not be perceived as negative.

In the summary of our security article from October last year we wrote:

It is however of utmost importance that the above-mentioned challenges are addressed and resolved before such a model can be successfully implemented.

As we see it, the adjustments to the model do to some extent address the challenges that we brought forward, and we still recommend that this model's approach is investigated further.
