Microsoft backtracks on internet quarantine idea
Microsoft has backtracked on a previous suggestion to put ISPs in charge of computer security, instead backing a “trusted certificate” model.
Last year, vice president of Trustworthy Computing Scott Charney said users should be quarantined by their ISPs if their PCs were infected, for the good of the whole internet.
At this year’s RSA Conference, Charney has backtracked on that much-criticised idea, saying: “My thinking has evolved a great deal.”
My thinking has evolved a great deal
He said such a system had “many flaws”. For example, he noted consumers may not want their machines scanned by a third-party, and network-level controls would put a heavy burden on ISPs.
Charney also admitted it wasn’t fair to cut people off from the internet when it had become so vital.
“My internet PC may have VoIP, and may be how I access… emergency services,” he said. “You see the scenario: I’m having a heart attack, I run to my computer, it says you need to install four patches and reboot before you can access the internet – that’s not the user experience we strive for.”
Now, Charney has a new idea, suggesting the industry and users consider “trusted certificates” instead.
Under this system, a specific website – such as a bank – would ask to view a PC’s “health certificate” before allowing access to an account. If the certificate showed a PC didn’t have up-to-date antivirus or was infected, the bank would alert the user.
The system wouldn’t necessarily require the bank to block all access to an account if a health certificate failed or a user refused to provide one; instead, it could limit transactions to a smaller amount to cut risk, Charney said.
This sort of system would still offer a collective defence for everyone on the internet, but leave security in the hands of users, Charney said.
While he admitted the system wouldn’t catch all security risks, it would “raise the basic level of hygiene” for internet-connected PCs.
Charney also raised some issues around cyberwar, calling it the most complicated area of data security, because “we don’t even know how to define it yet”.
He also questioned how governments would respond to cyberwar. “Policy makers haven’t yet grappled with the question: would we order the destruction of people in response to the destruction of data?” he noted.
If someone bombed a telecommunications building, there might be a “kinetic” response, he said. “But if you can cause that destruction through IT, would there be a kinetic response – or just an IT response?” Charney added.