Advancing the Idea of Collective Action to Improve Internet Security and Privacy

Posted by Scott Charney
Corporate Vice President, Trustworthy Computing

To help address growing concerns regarding Internet security and privacy, I recently published a paper outlining an approach to addressing botnets and malware that threaten consumer devices connected to the Internet entitled Collective Defense: Applying Public Health Models to the Internet

Today at the RSA 2011 conference in San Francisco, I presented the details of this proposal for collective defense, and shared a proof of concept scenario exemplifying how an organization, such as a bank, might promote better device health. Below is video of that scenario:

Microsoft is committed to advancing the idea of collective defense, and now is the time for action. As more of the world’s people, computers and devices come online, threats also become more sophisticated. As the number of reported cybercrime victims grows, protection becomes not just an individual concern, but more of an ecosystem or societal concern. 

It is also true that consumers may feel challenged by the types and sophistication of cyber threats as well as uncertainty regarding what and whom to trust online. In short, security is not a problem that can be addressed fully by individual consumers, or even individual companies or governments. That is what led to the development of my public health model proposal, which calls for collective defense against cyber threats.

Since publishing the proposal in October, we’ve seen a robust debate around the idea among industry experts and members of the media. I’ve also received feedback through my interactions with the security community and policymakers around the world, which I outline further below. For example, in October of last year, Bruce Schneier, chief security technology officer at British Telecom, wrote a Forbes essay on the proposal, providing a thoughtful analysis, which is precisely what’s needed. While he raises a variety of questions worth considering, he concluded that “this conversation—between the rights of the individual and the rights of society—is a valid one to have, and this solution is a good possibility to consider.”

In this post, I hope to address a few of the main considerations with the health model, and share more detail on feedback I’ve received and progress made since October.

Effectiveness and Ability to Implement on Scale

One great question raised relates to the effectiveness of the health model for consumer machines and the ability to keep up with a rapidly evolving threat landscape. Indeed, one of the major differences between public health and Internet health is that human viruses are not malicious and can adapt slowly. Although malicious actors will write new malware for which we lack signatures, a broadly deployed health system would permit us to respond more quickly once a new infection is identified.

And while we may never identify all strains of infection, that happens in the physical world too. The fact that some health problems are untreatable for a wide range of reasons does not suggest that all health problems should be left untreated. Absent some widely deployed process, even the diseases we know about will not get treated.

Regarding questions of scale, implementing a comprehensive model for consumer Internet security will take a collective effort, and will not happen immediately. However, we can do much on a smaller scale that helps protect people and gets us closer to a comprehensive model.  

In my paper, I identified two complementary strategies that draw from lessons of the health model to improve Internet health:

1) Bolstering efforts to identify infected devices and get them healthy
2) Implementing policies and practices that promote device health by reducing known risks

In some parts of the world, programs have been implemented to identify infected devices and help get them healthy. The Internet Industry Association of Australia launched its voluntary ISP Code of Conduct, which creates a notification system for consumers with compromised computers and a standardized resource to clean them. In Germany, the Anti-Botnet-Advisory Centre works with ISPs to notify infected customers and provide them with tools and guidance to remove the infection from their computers. More examples are in the paper.

In the banking scenario that we shared at RSA 2011, we demonstrated one way that existing state-of-the-art Network Access Protection technology could be implemented to encourage machine health. In the scenario, a consumer chooses to opt-in to a program that promotes machine health by alerting the individual to a security risk identified by her bank (in our simple demo, that risk was out-of-date anti-malware software). 

Even though a machine might not yet have a malware infection, the user can be notified of problems or configuration issues that might increase his or her risk of a malware infection. The recommended remediation can help reduce risk for that customer and – by extension – for all of the customers participating within that ecosystem. We believe helping to reduce risk and increasing protection for devices before they experience a compromise is a defense strategy that citizens, industry and government should support. It is a key first step in transforming our current computer security posture from reactive to preventative.

Balancing Internet Access and Security

Another broad area of feedback I’ve received since October can be characterized as apprehension that the collective defense measures could be used by governments or organizations to monitor people for purposes not related to Internet health and safety. As I outlined in my paper, it is important to achieve these security benefits in a way that does not erode privacy or otherwise adversely impact freedom of expression and freedom of association.

That being so, contracts should provide, and legal frameworks should help ensure, that any such programs are limited to ensuring device health and that information gathered is used for no other purpose (for example, the enforcement of intellectual property rights or the creation of marketing profiles). Limiting the scope of the program to device health issues would help reduce concerns that Internet health measures were being used to justify activities not related to Internet security.

A related concern raised is that people might be cut off from key services like Voice over Internet Protocol (VOIP) phones to contact emergency services or machines used for medical devices. This is an area that needs to be accounted for in driving social, political and technical alignment to develop acceptable solutions. As devices converge (e.g., a computer may be used to make VOIP calls, including calls to emergency services), denying a user complete access to the Internet, even for a short period, could well have damaging consequences. It is important that solutions be developed that promote a healthy Internet without limiting its utility, much like a cell phone may require a password but still allow emergency calls to be made even without that password.

Advancing such a far-reaching proposal certainly raises many important issues that will need to be worked out, but when I look at the extent of the problem we are dealing with, I think we need to come up with systematic solutions.

I hope to continue this conversation, and encourage readers to provide us with your comments. Learn more about the Collective Defense proposal and Collective Defense: Device Health at

For more details about Microsoft’s participation at RSA 2011, see

Comments (9)

  1. Anonymous says:

    Since we pay to get onto the internet this would waste our money banning us Its not right to ban people especially for users who do not that know about computers and it may put them off or make them feel like they have lost control of their computer 🙁

    Instead please consider securing Windows in a way that will not affect the users PC experince unless its to make things better or easier for the user 🙂

  2. K B Sørensen - Denmark says:

    You just keep off your fingers from my PC – I have payed it – so it is unlawful tresspass in my computer – And YOU say, that YOU come from the United States ??? –

    It is not your Internet!

    I won´t have any Virus-programs – I won´t have any Firewall.

    They are the worsest Viruses. They takes all your PC´s reserve of strength and energy.

    So – keep off your fingers!

    I would rather boot my PC one time a year – instead of have YOUR troubles EVERY day!

    K B Sorensen – Denmark

  3. Soren Rasmussen, Denmark says:

    Whatever Scott thinks of himself and his proposal to improve internet security for society's around our globe – he and his current company Microsoft is in NO – I repeat NO position to determine the final strategy for Internet Security for any government in any country.

    It is premature – to refer his article the most pleasent way – to suggest a supernational (read Microsoft controlled) body to instigate rules for the everyday PC user.

    It took Microsoft a considerable time to discover the Internet – and to build in protection against Internet related threats into their products – especially into their funny operating system – which the Windows consumer finally have got in 2008 or later.

    Maybe Microsoft should concentrate on protecting the SW they are selling to their customers instead of elaborating on political issues that in the end will put in the box.

    With the best regards,


  4. Soren Rasmussen says:

    Sorry  – that in the end will put them in the box – another American/USA company that have misunderstood it's mission.


  5. senshikaze says:

    So, in this 1984-esque world, where does desktop Linux sit? Will the Microsoft cartel automatically ban all non-MS approved Operating Systems out of hand? Microsoft is not god of the Internet. Leave us alone.

  6. Baserk says:

    "Even though a machine might not yet have a malware infection, the user can be notified of problems or configuration issues that might increase his or her risk of a malware infection."

    What would that be?

    Something like: "Idiot, you are using an OS which default offers only an admin account and forces you to read up on how to set up a safer user-account."

    Marvellous idea!

  7. A. Nilsson says:

    Please ,

    if microsoft with it´s monopoly in the market ,

    beleive that this antivirus programs and so on , is very important ,


    TO INCLUDE A GOOD WORKING PROTECTION IN THEIR WINDOWS PROGRAMME AND OFFICE PROGRAMS ETC,  without extra cost , because we have a wright to a functioning windows 7 and earlier programs and office programs that is in good working order and safe to use !

    Don´t you agree ?

    So do not talk nonsens, inclute these security programs now without extra cost .  in Sweden temporarily otherwise in California

  8. Phillip Boegh says:

    It is crazy if Microsoft achieve police status to close internet access to any computer just because they cannot create and maintain a secure operative system (Windows). If we with Linux should be forced to run a slowing anti-virus program to keep the Windows computers free of virus, we'll risk that our computers become just as slow as the Windows-computers.

  9. Rudolf Sneek, Norway says:

    Just make a unreliable OS like Windows, full of security issues, and make your customers buy expensive, non working, antivirus. What's next? What was previous we know: the obligatory Internetexplorer had to be removed from Windows, to give other options a chance. Word document standards had to be opened (and next came office 2007). Even this page cannot be displayed without Microsoft, because it uses Silvelight, which is designed to conquer out Adobe flash, so that Mac OS and Linux have trouble displaying the page. I had even to startup a Windows computer to wright this comment.