A senior Microsoft executive has gone on the record this week stating that virus-infested computers should be banned from the internet until cleared of their infection(s).
Scott Charney, the Corporate Vice President of the company’s Trustworthy Computing team, posted on the Microsoft On the Issues Technet blog to introduce this idea as a new “internet health model” for nations to consider as they create cyber security policies:
“This approach involves implementing a global collective defense of Internet health much like what we see in place today in the world of public health. I outline my vision in a new position paper Microsoft is publishing today titled Collective Defense: Applying Public Health Models to the Internet.”
He cites the increasing use of “Bots” and the detrimental effect that a widespread attack could have on critical government and financial infrastructures as the reason why the protection of firewalls and antivirus software is no longer enough.
While the idea sounds extreme in the context of an unregulated internet, Charney compared the situation to quarantining people in order to contain an infectious disease:
“Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society. In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk.”
In the accompanying paper, Charney addresses that cutting someone off from the internet completely could have serious consequences, and suggests that an “emergency services” connection still be available to those who are affected by a quarantine situation:
“An individual might be using his or her internet device to contact emergency services and, if emergency services were unavailable due to lack of a health inspection or certificate, social acceptance for such a protocol might rightly wane. But much like a cell phone may require a password but still allow emergency calls to be made even without that password, infected computers may still be permitted to engage in certain activities."
The ideas that are contained in the post are definitely thought-provoking, but I have to wonder if a system like this would work in practice. Virus detection systems would have to be strengthened first, as we’ve learned with the Zeus trojan, and a plan to let people reasonably deal with false-positive detections would also be needed.
