Trade Law Daily is a Warren News publication.
EFF Cautious on Civil Liberties

Public Health Practices Could be Model for Cybersecurity, Microsoft Says

In developing a national cybersecurity strategy, Microsoft said the public and private sectors should look to the public health system as a model. Executives met with the FCC Public Safety Bureau and the Office of Engineering and Technology. A cyber policy framework should focus on practices limiting the spread of botnets and maintaining the health of consumer devices, Microsoft said. While a public health approach can be applied to the health of information technology, other measures are needed and privacy can be affected, some technology experts said.

Common practices limiting the propagation of medical pathogens range from hand washing to administering vaccinations to kids before they enter school, Microsoft said. Government and industry can engage in methodical and systematic activities “to improve and maintain the health of the population of devices” by “promoting preventative measures, detecting infected devices, notifying affected users … and taking additional action to ensure that infected computers do not put other systems at risk,” the company said in a filing.

The public health model is “a good analogy, particularly for consumers because they have some level of understanding and can relate to that,” said bureau spokesman Robert Kenny. The FCC cybersecurity roadmap will reflect the perspective that “cybersecurity awareness and education is an ongoing responsibility for everyone, from government to industry to consumers,” he said.

The public health model “may have some reference for us in cybersecurity,” said Michael Kaiser, executive director of the National Cyber Security Alliance. The idea shows that the industry is reexamining the cybersecurity model and identifying “the lessons we've learned in the other aspects of our culture to keep people safe and secure,” he said. The idea is interesting and focuses on the “hygiene of the equipment and the hygiene of the user,” he added.

To stop botnets, the government and information technology industry “should ensure the health of consumer devices before granting them unfettered access to the Internet,” Microsoft said. The company suggested that a consumer machine seeking to access the Internet could be asked to present a “health certificate” to demonstrate its state. “If a device is known to be a danger to the Internet, the user should be notified and the device should be cleaned” before it is granted access, the filing said.

“Looking for new ways of letting people do their online commerce is a good idea,” said Peter Eckersley, a technologist for the Electronic Frontier Foundation. Advice given to consumers so far “is both good and frequently not followed,” he said. Microsoft agreed that consumers need help because IT is a complex issue, the filing said. Protecting oneself online “is not intuitive,” and “many consumers may be unwittingly running malware and their computers may be part of a botnet,” it said.

While there are parallels in principle between public health and “computer public health,” the differences in threats may create difficulties in applying the public health model to IT, EFF said. Controlling Internet worms and viruses is much more complex, said Seth Schoen, senior staff technologist. The attackers are reading the newspapers and the protection software, and they're “thinking about what to do next,” he said. “They're also actively trying to trick human users into doing the wrong thing.”

The civil liberties impact may be more extreme for computers than for public health measures, Schoen said. Surveillance of computers in the name of the health of the Internet “is closely related to surveillance of our communications and relationships,” he said. Preventing infected computers from getting online “is closely related to censorship and targeting of other disfavored Internet activities,” he added.

The use of a health certificate could become an anti-competitive measure under the guise of cybersecurity, Eckersley said. Approving a code that’s running on a device gives companies “a tremendous amount of power over what software other companies can install on the device” and the modifications the users may want to make on their devices, he said.

The industry could develop a grading system to determine the health of devices, but preventing devices from accessing the Internet is a tough sell, said President Larry Clinton of the Internet Security Alliance. The devices “are too ubiquitous,” he said. “There will be a backlash and it will be costly” if that method is adopted, he said. Keeping consumer devices and infrastructure safe from attacks will take more than public education, Clinton said. But ISA wouldn’t say “you can’t sell that,” he said. Companies could grade devices “in the same way drugs are graded,” he said. People didn’t quit smoking “because there were labels on cigarette packs,” he said. “That didn’t happen until the insurance companies were involved and employers included incentives to stop smoking.”