Are computer “health certificates” the answer for the botnet problem?

Back in March, at the RSA Conference in San Francisco, Scott Charney, Corporate Vice President for Trustworthy Computing at Microsoft, proposed to the audience and to the world the idea of quarantining infected computers.

He recently returned to the idea in a blog post, where he touched on a potential approach to the problem of malware infecting consumer machines and recruiting them into botnets.

He spoke of the need for a global collective defense, said that securing “Internet health” should be approached in a way similar to securing public health, and noted that current defense measures such as anti-virus, automatic patching and firewalls are not enough.

“Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society,” he said, and linked to a paper in which he explored those options in more depth.

In short, he believes that society needs to explore ways to implement collective defenses to help protect consumers, and also that a system including “health certificates” for computers should be implemented.

He admitted that it would take a great deal of effort to put such a system in place, and that the mechanism for producing the health certificate must be impossible to manipulate and its results impossible to fake. Once all that was in place, however, a computer that could not produce a health certificate would require its owner to fix the problem before it was allowed complete access to the Internet.

He also said that he is aware that implementing such a system would require careful consideration of user privacy, since examining a user’s machine and the devices inside and around it in order to obtain the health certificate could produce information that can be tied to a particular individual.

But there are those who think this approach is not currently feasible. As Joe Stewart, Senior Security Researcher at SecureWorks and botnet expert, pointed out to ComputerWorld, it is highly likely that the idea will simply not fly with users.

There are a lot of people out there who keep their computers patched, sit behind a firewall and run up-to-date antivirus, yet still have a system infected with malware. “How can anyone explain to them why they can’t get on the Internet?” he asks. He believes that people are simply not ready to be told what they can and cannot do with their personal computers.

He thinks Charney’s “health certificate” solution would fail because history has shown that purely technical solutions are flawed: criminals are too clever and have a seemingly infinite capacity for adapting to new circumstances.

He suggests “offense in depth” instead: a collaboration between researchers and law enforcement that would allow, and require, the hunting down of botnet operators, together with a legal framework that would hold ISPs accountable for hosting botnets’ C&C servers, wherever they are located.

