
Innovation is our regular column that highlights emerging technological ideas and where they may lead
Compulsory vaccination programmes have rid the world of scourges like smallpox and controlled the spread of diseases such as polio. So could similar strategies be applied to the internet to help stop the spread of cybercrime?
Computer viruses, spam and online identity theft have been able to proliferate because of the large number of internet-connected machines that don鈥檛 have up-to-date security software installed. That security software could be thought of as the internet equivalent of a vaccine.
Advertisement
鈥淚n the US you cannot go to school unless you have the appropriate vaccinations. Maybe you shouldn鈥檛 have access to the internet without the right computer vaccinations, too,鈥 says computer scientist Sujeet Shenoi at the University of Tulsa in Oklahoma.
Shenoi and colleagues have just published a legal study () on three 鈥渢echnically feasible鈥 compulsory vaccination scenarios that governments could consider.
Public safety
This is no academic pipe dream: Microsoft鈥檚 security vice-president Scott Charney said the firm backs a public-health-like inoculation model because too few people use up-to-date antivirus software. He says internet service providers (ISP) should have the power to sever internet connections if they detect a subscriber has infected computers 鈥 only restoring their link when it has helped them become virus free.
If it happens, Shenoi imagines a government-controlled 鈥淐omputer Protection Board鈥 overseeing one of three potential vaccination scenarios. First is 鈥渜uarantine and vaccinate鈥. When an ISP detects that traffic flowing across its infrastructure bears the hallmark of a botnet 鈥 such as data being directed to a blacklisted address or sudden torrents of email traffic from a single machine 鈥 they would be empowered to quarantine their subscriber, destroy any malware found on the user鈥檚 machine, and vaccinate it by installing the latest security software.
This sounds like a consumer-liability nightmare to Ray Stanton, head of security at BT, the UK鈥檚 biggest ISP. The ISPs cannot know enough information about their customers鈥 computers to know whether they鈥檇 even be able to install software, he argues. 鈥淵ou can鈥檛 know the configuration of every single machine. How do you know it has enough memory to run the vaccine? The download could make it crawl to a halt,鈥 he says.
Prying eyes
Attempting to implement a system of large-scale security monitoring would also raise privacy concerns, says , an internet law researcher at the University of Sheffield in the UK.
As Shenoi鈥檚 second public-health inoculation scenario illustrates, the best way to ensure a computer is not just free of known viruses but also not infested with yet-to-be-identified ones would be to install a set of feedback sensors. These would analyse all internet-bound traffic, looking out for anomalous behaviour that may be indicative of a new virus.
鈥淪ensor feedback would probably use deep-packet inspection on your data,鈥 says Edwards. This can analyse network traffic, spotting the difference between that associated with emails, pictures or even malware. Widespread, government-backed use of deep-packet inspection 鈥渞eally would be the death of privacy鈥, she says.
But if those two approaches were deemed insufficient, the Tulsa team offer a third possibility: adding a cybercrime-fighting capability to their sensor feedback model. Here, software downloaded to our computers would allow a government to assemble PCs into a benevolent 鈥渘ational defence botnet鈥 that can mount cyberattacks to counter, say, attacks on the electricity grid.
Conscientious objectors
It鈥檚 an alarming idea. 鈥淎 defensive botnet would be akin to conscription of user鈥檚 computers, basically creating an amateur army the government could use any time to attack absolutely anyone it likes,鈥 warns Edwards.
Stanton agrees. 鈥淲hat constitutes a national cyber-emergency? You could lose control of your PC once a week with the volume of attacks these days.鈥
The Tulsa team conclude that, in the US at least, and taking previous medical case law as a template, it should be possible to establish the framework for a legal internet inoculation programme.
But Stanton says only global, not national, action on this issue will work because botnets are no respecters of borders. That鈥檚 a major stumbling block.
鈥淓ven if this bears constitutional scrutiny in the US, it probably would not under human rights law in Europe,鈥 says Edwards. 鈥淏lanket surveillance, as might be possible with sensor feedback, is illegal in Europe.鈥
Read previous Innovation columns: Bloom didn鈥檛 start a fuel-cell revolution, Who wants ultra-fast broadband?, We can鈥檛 look after our data 鈥 what can?, How far can you trust an AI assistant?, The relentless rise of the digital worker, What use is a smartbook?, The sinister powers of crowdsourcing, Making a map for everyone, by everyone, Where next for social networking?.