Microsoft’s Scott Charney says we should treat malware-infected PCs in the same manner as 19th century public health officials treated victims of typhoid, tuberculosis and cholera: quarantine. Yes, the head of Microsoft’s Trustworthy Computing believes malware infections are so pervasive and destructive that isolation is the only means for protecting the greater good. Perhaps, but I have a better idea: recall.
First, let’s review Charney’s idea – quarantine.
“Governments, industry and consumers should support cyber-security efforts modeled on efforts to address human illnesses. For a society to be healthy, its members must be aware of basic health risks and be educated on how to avoid them,” Charney said at the International Security Solutions Europe (ISSE) Conference in Berlin this weekend.
Charney, who worked at the Department of Justice prior to joining Microsoft, is essentially correct. In the past three years, the world has seen an explosion of malware – more than 5 million new samples. Just one of the past three years has produced more malware than in 20 years prior to 2007. Each year, malware costs individuals and businesses millions of dollars in damages to equipment, destroyed data, disrupted commerce and communications, and the cost of prevention and remediation.
So Charney would have us treat every infected PC as Typhoid Mary. We would isolate them in some quarantine area, like a remote hospital on some island in the middle of the New York City harbor. Charney wants governments and Internet service providers (ISPs) to lock out these contaminated computers until such time as they are certified as clean and fit for return to digital society.
Let’s set aside the obvious arguments of how ISPs and governments would identify and isolate tainted PCs. Charney’s idea is ludicrous on the surface because it blames the victim – the PC owner. If software were any other product – car, toaster, radio, cribs, etc. – the government would compel a recall and the manufacturer would be liable for correcting the defect or compensating the customer.
Faulty operating systems and software requires complex security applications and infrastructure to give it even a minimal amount of protection. Spending on security technologies and services tops $40 billion annually – a massive amount of money that’s greater than 107 countries’ gross domestic product. If end-users didn’t have to pay for expense security software, hardware and managed services, they could apply valuable capital toward investment, growth and jobs.
OK, let’s accept that all software is faulty. Why are PCs infected in the first place? They’re connecting to the Internet. Within 40 seconds of connecting, PCs are scanned, probed and attacked. And the conduit for attack is the ISPs, which people and businesses pay good money for their high-speed connections. The Internet is often compared to the public highway system because of the speed and ubiquitous connections. But this is about as far as the comparison carries. The Internet is not a public network since it requires contracts and payments with private entities. Shouldn’t they provide clean pipes for transmission and receipt of data? Isn’t that what we’re paying for?
Internet threats are a boon for the IT industry and the channel. Solution providers earn billions of dollars each year providing security assessments, equipment, professional consulting, management and remediation services. Despite what anyone says about making the Internet a safer place, no one wants to see the threats go away. It’s like politicians saying that they hope cigarette taxes lead to a decline in smoking; they don’t really mean it because it would cost them revenue.
But whose fault is it that threats exist? It’s not the users’ or businesses’ fault that their machines get infected. It’s the criminals fault for creating the malware. Blaming the victims isn’t the solution. The real solution is fixing the products and infrastructure that costs businesses hundreds of billions of dollars annually.
Security Idea: Recall the Internet
Email us at blogeditor@comptia.org for inquiries related to contributed articles, link building and other web content needs.
Read More from the CompTIA Blog
Newest on top
Oldest on top