RSA 2011: Microsoft performs u-turn on malware policing

Says the initiative it launched last year was flawed

Microsoft appears to have given up on a campaign it launched at last year's RSA security conference that called for ISPs to block malware-infected PCs from the internet, with one senior executive telling delegates at this year's event that the idea was flawed.

In 2010, Microsoft called for a new "global collective defence" that would require ISPs to scan customers' computers for malware infections and restrict the internet access of infected machines.

But this year Scott Charney, Microsoft's corporate vice-president of Trustworthy Computing, proposed an alternative scheme in the form of an "Internet Health Certificate", under which web sites could check whether a computer system holds such a certificate and, if it does not, decide for themselves whether or not to grant access.

"Last year at RSA, I said we need to think about ISPs as the CIOs of the public sector, and that they should be scanning consumer machines, making sure they're clean, and sometimes quarantining them from the internet," said Charney.

"But, in the course of the last year I have realised there are flaws with this model, and that it could be improved. One is that consumers may not want their machines scanned. They have a privacy interest in their machine.

"The second is, of course, that it puts a big burden on the ISPs."

Charney said that under the proposed Internet Health Certificate scheme "a user could say, 'I don't want to pass a health certificate.' Now, there may be consequences here. If you're pulled over and a police officer thinks you've been driving drunk, you can refuse a breathalyzer. There may be consequences there too, but you can do it.

"As long as we're transparent and people can make choices, that's fine. So, the user remains in control. The second great thing about this model is that it's not all up to the ISP, any organisation can say we want to look at a health certificate."

In other news, security guru Bruce Schneier said there is a fundamental problem with the way corporations approach the risk from cyber attacks.

"We're seeing the increasing use of war-like tactics in cyber conflicts – politically motivated hacking and espionage – these things used to be the purview of war," he said.

"A chemical plant faced with the risk of a terror attack will secure it to the value of the company," he added.

In other words, according to Schneier, this is a market failure: a company will only ever spend on securing itself against an attack up to the value of its own worth, because it has no rational interest in spending more than that. That is a problem when a cyber attack is carried out with the intention of causing disruption that extends well beyond the company itself.

In response to Schneier's comments, Bill Phelps, Accenture's global cyber security lead, said that prevention is the best deterrent for cyber crime.

"Against this background, attention is increasingly switching to deterring such attacks before they take place, which the UK government has acknowledged requires significant investment," said Phelps.