There are over 200 million consumer PCs in the US alone. It is staggering to realize that millions of these PCs are infected with malware or are otherwise compromised. In fact, a substantial fraction of those millions of infected PCs – hundreds of thousands, perhaps millions – are unwittingly enlisted in botnets or serve as Command and Control (C&C) computers for malicious software.
Many, and perhaps most of these compromises can be prevented by simple protective anti-malware products. An interesting analogy to use here is vaccinations; vaccines and widespread vaccination are extremely effective at stopping the spread of ambient diseases that have been around for generations; stop vaccinations, and a number of frightening diseases can quickly take hold again.
Of course, in the case of biological diseases, we complement vaccinations with antibiotics and other therapies to keep our community healthy. Your measles vaccine won’t keep you from getting Typhus, so we have a separate vaccine for that and take other steps to prevent its spread, like maintaining public health infrastructure and battling rodents. The same is true of modern security software.
Unfortunately, a very large fraction of consumers do not take the first step of adequately “vaccinating” their PCs. The reasons for this vary, just as with medical vaccinations. But unlike biological infections, the perception of the risk and cost of having an unprotected PC is low. Many consumers believe that theft of personal pictures and data is a crime that affects celebrities like Britney Spears, not ordinary folk.
Furthermore, in the US, credit card companies indemnify their customers against credit card fraud after the first $50 in fraudulent charges. From a consumer’s perspective, this creates the perception of a limited downside. And from the bank’s perspective, credit card fraud represents 1% of total card volume- a cost they can pass on to merchants as part of the processing fee. Presumably, this cost eventually results in a 1% “tax” (or surcharge) on our collective purchases, but this has clearly not been enough to drive a change in behavior.
But compromised consumer PCs carry other negative consequences beyond the theft of personal information. In fact, there are substantial negative externalities associated with the potential (and realized) threat of millions of compromised PCs. Among these are botnets – global networks of infected computers that are capable of launching devastating DDoS attacks against critical infrastructure, enterprise systems, and other high value targets. These same compromised PCs are also often used as as part of command and control (or C&C) networks that provide cyber criminals an additional layer of anonymity and legitimacy when they carry out their malicious acts.
The bigger point is that software and the critical systems it powers are central to our modern lives. But that very software is under growing threat even as we understimate the consequences of attacks and compromises to our society and economy.
Clearly, our existing economic, cultural and legal incentives to online hygiene are inadequate. Consumers are not being sufficiently encouraged to protect their PCs. True: modern operating systems are far more secure than they were even a few years ago. But attackers are vastly more sophisticated, meaning that there is no net improvement in public health.
This problem only gets worse as we move to the Internet of Things. With 10- or 100 times as many connected devices, few of which look anything like the personal computers of the last 30 years, the threat surface is much larger. In addition, IoT devices hardware and processing constraints make current endpoint protection models (“vaccination”) impossible. Instead, they require security by design. To continue with our public health analogy, think about this as genetically engineered immunity instead of vaccination.
We need to act quickly. Already, public health on the Internet of Things is falling by the wayside. Manufacturers everywhere are racing to win the hearts and wallets of consumers and investors with their latest gadgets. And, since buyers care more about bells and whistles than security, it falls way down on the “must have” feature list. Unfortunately, unlike Windows systems, devices that are conceived and designed without security in mind may be permanently vulnerable to infection once they leave the factory.
What can be done about this? To start, we need to begin differentiating between PCs and devices that are hygienic and those that aren’t. Much as with vaccinations, attempts at cyber health policing will provoke debate.
But the choice doesn’t need to be a binary one in which devices (patients) are either compliant or non-compliant. Imagine, instead, a system where PCs with poor hygiene (as measured by the presence or absence of a security patch, proper configuration or protection capability) were instead offered a degraded online experience: latency on the sites that they could connect to or even quarantine that would limit them to a small set of approved addresses online. This notion is already common in the business world, where organizations use “network access control” technologies to keep infected machines off their network. This hygiene model would scale NAC principles globally.
Enterprises would have many reasons to sign up for such a system; they have much to gain by having their customers’ and employees’ devices (PCs, mobile phones, wearables) kept free of malware. Consider, for example, the bank that wants to ensure that its online banking customers are free of credential stealing malware. Such a system would also improve the health of the entire online community, providing other, downstream benefits to companies that are often the target of botnet attacks.
Today, few of the major consumer websites that are responsible for much of the online traffic (and utility) have incentives to implement these approaches. Firms like Google, Facebook and Twitter have built business models that are user-driven (advertising). In the absence of enforcement from major consumer websites, any global enforcement system will have limited effect.
But that may change. The advent of the Internet of Things promises to upset many established online dynasties, even as it creates demand for a way to differentiate between trusted and untrusted devices. In a computing environment that includes not only desktops, laptops and servers, but also pacemakers and thermometers, we will need different levels of certification depending on the criticality of what the device does. For example, a central authority could certify a device’s authenticity and trust level as a way to potentially restrict the data and functions that devices with poor hygiene can access or perform.
Regulation and legislation is – and should be– a choice of last resort for solving problems in the digital age. However, externalities are sometimes best managed via regulatory intervention. (Consider global climate change as one example.) Just as the federal government sets a minimum standard for motor vehicles on public highways (functional brakes, turn signals etc.), perhaps it is time to start discussing a standard of hygiene for the computing devices traveling our digital highways.