EastWest Institute proposes public health model for internet cybersecurity

6th June 2012 Mickey McCarter Just as computers get viruses, cybersecurity professionals should consider establishing a framework to surveil and monitor networks’ health worldwide based on a global public health model, an international cybersecurity think thank proposed in a recent…

6th June 2012

Mickey McCarter

Just as computers get viruses, cybersecurity professionals should consider establishing a framework to surveil and monitor networks’ health worldwide based on a global public health model, an international cybersecurity think thank proposed in a recent report.

The EastWest Institute (EWI), with US offices in New York, NY, put together a team of experts to examine the benefits of a global, coordinated effort to protect information infrastructure from Internet threats like malware and botnets that take advantage of vulnerabilities in computer systems to spread and to compromise them. The resulting report, The Internet Health Model for Cybersecurity, suggested that effort should mirror the public health community in its efforts to protect populations from physical illness.

Said EWI President John Mroz in a statement Monday, “For years, we have talked about computers being infected by viruses. With this breakthrough report, we have the opportunity to treat the health of the entire Internet as a shared problem needing cooperative solutions.”

Following the public health model, cybersecurity practitioners could track and block malware and thwart malicious actors, said the EWI report, which was sponsored by Microsoft Corp. In a manner similar to how the US Centers for Disease Control and Prevention (CDC) and the World Health Organization monitor epidemics and examine ways to stop the spread of pathogens, cybersecurity experts could track and stop malicious code in a coordinated approach that is lacking today.

“A public health agency, whether operating on the local, state, national, or international level, is a robust model for potential application to cyberspace, with basic functions including education, monitoring, epidemiology, immunization and incident response,” the EWI report stated. It then offered principles for applying an Internet health model.

The principles, as taken straight from the report, frame an arrangement for collective benefit from protecting against malware: Internet health is a public good. The proper function of today’s connected society, including global communication, collaboration and commerce, requires a baseline of Internet health.

  1. Internet health depends upon shared responsibility. Internet users-both individual and institutional-must take responsibility for the health of their devices and networks. Users must also be supported by an ecosystem that enables and encourages healthy choices.
  2. Internet health relies on evidence-based approaches. The success of the Internet health model depends on developing, documenting, and disseminating proven methods for diagnosis and treatment of security issues.
  3. Internet health emphasizes prevention over treatment. The Internet health approach does not seek simply to improve the efficacy of treatment; rather, it aims to increase prevention of compromise and infection. While treatment is a natural function of public health, it is in the best interest of the ecosystem to help users avoid malware in the first place.
  4. Internet health is a spectrum. While we may, in some cases, be able to identify a specific infection, the overall health of a device or network is not binary. There are multitudes of attributes that comprise the health of a system and should be considered in assessing its state.
  5. Internet health efforts minimize potential harm. Efforts to prevent or treat “disease” should avoid impinging on the safe, legitimate use of devices and the Internet.
  6. Internet health efforts protect privacy. Protecting the privacy of users’ behavior, data, and communications should be a primary consideration when collecting, inspecting, and sharing data about Internet health.

Following these concepts, Internet security personnel can apply the global health concepts of education, monitoring, epidemiolgy, immunization and incident response to cybersecurity practices for the public good, particularly as another one billion people are expected to start using the Internet by 2015, the report said.

“A public health model encompasses several interesting concepts that can be applied to Internet security,” said Scott Charney, vice president of Trustworthy Computing at Microsoft, in a statement. “As use and reliance on the Internet continues to grow, improving Internet health requires all ecosystem members to take a global, collaborative approach to protecting people from potential dangers online.”

The report acknowledged that the public health model for cybersecurity on the Internet wasn’t perfect. Computer systems do not have natural immune systems. Viruses do not attack physical entities on purpose but malicious actors do attack cyberentities on purpose.

Moreover, in the public health community, concepts such as monitoring and surveillance and quarantine have recognized public benefits. But in cyberspace, they may carry negative connotations, the report said.

“First, while the public health field accepts the term surveillance as a tool for understanding the environment, it has a negative privacy connotation in cybersecurity,” the report said. “Within the public health model, consider an example of syndromic surveillance where increased sales of orange juice and chicken soup may point to an influenza outbreak. Equivalent surveillance techniques on aggregate or anonymous data can be valuable in cybersecurity as well, but the community will need to find a way to address user privacy concerns.”

Quarantine can involve separating the sick or separating the healthy to prevent the spread of infection. When undertaking such actions online, the Internet community must consider the benefits of protecting the public against threats by limiting access to content and services in some cases, the report added.