Keeping the masses safe on the Internet

SANTA CLARA, Calif.--Recognizing that all the technology in the world can't protect the Internet from attacks, the security industry is targeting an education campaign at the weakest link--the computer users.

It's the first public service message of its kind in the U.S. and it's simple: Stop. Think. Connect.

The campaign was unveiled yesterday at Intel headquarters here. It is part of Cyber Security Awareness Month, an annual event since October 2001, and was organized by the National Cyber Security Alliance, the Anti-Phishing Working Group (APWG) and more than two dozen government agencies and companies including Microsoft, Google, PayPal, RSA, Facebook, Visa, and Wal-Mart.

The goal is to get security precautions to become second nature, like looking both ways before crossing a street, covering your mouth when coughing, and washing hands frequently.

Public health is a common analogy for computer security. Both deal with infections, viruses and worms that are passed, often undetected, to others with little or no effort.

There are also obvious military correlations. Remember "loose lips sink ships," the phrase promoted by the U.S. Office of War Information during World War II to prevent Americans from revealing information to spies about the war effort?

Well, consumer concerns about hacked bank accounts and identity fraud, as well as increasing crossover between critical infrastructure systems and the Internet (the Stuxnet worm, which spreads via Windows-based PCs but targets industrial control systems, for example) reinforce the notion that secure online practices are a matter of public safety and even national security.

A security frame of mind needs to be built into the culture of society and starting at the ground level with end users, said Phil Reitinger, deputy undersecretary for the national protection and programs directorate at the U.S. Department of Homeland Security, speaking in a keynote address at the event.

"We all have lived in a legacy world (of code)...that is fundamentally insecure," he said. The Internet "was built for reliability, but not with security" in mind.

Ground zero
Security experts are constantly admonishing people to keep their anti-virus and other software up to date and update other programs. But all of that doesn't matter if the computer user falls for a social engineering phishing attack, such as typing a password into a fake bank account login page, or clicks on malicious links in e-mails and Web pages. Such attacks have become commonplace on the Web.

Engineers who used to blame end users and complain that "you can't fix 'stupid,'" have come around to realizing that they can't ignore the human factor, that there is a science to changing peoples' behavior. Making security easy and understandable will have more impact on protecting the ecosystem than throwing sophisticated tools at the problem, they acknowledge.

"Security is really confusing for normal people. "It's almost like diet advice, where you are told 'eat this, don't eat this,'" said Nathan Good, a member of the APWG and principal of consultancy Good Research. "People are trying to get stuff done (online) and get what they need and if security is an impediment it won't work. That's the challenge--to make it a lot simpler."

In order to come up with an effective message, the group conducted an online survey of more than 1,000 U.S. adults to find out how they feel about computer safety. Asked why they choose not to be safer, 28 percent said they don't have enough information. And 96 percent said they feel a personal responsibility to be safer online. Consumers want and need more information that is understandable, the campaign organizers said.

In its long form, the message is stop and understand the risks; think about how your actions could impact your safety and the safety of others; and connect with others with confidence. And a tag line, if there were to be one, would be "keep a clean machine," said Michael Kaiser, executive director of the National Cyber Security Alliance.

Specific tips to that end, in addition to keeping software up to date, are: use strong passwords and using different ones for different accounts; be wary of links of unknown origin; use secured Wi-Fi networks; make sure to use secure Web connections (https://, for example) for banking and other important sites; and back up your data.

In addition to online promotion and offline advertising campaigns, the members of the coalition will be taking specific measures to get the word out to as many people as possible. For instance, AT&T is promoting the education campaign on its Web sites and via messages to its tens of millions of customers, as well as to its 275,000 employees, said Chris Boyer, assistant vice president of public policy at the telecom provider. Employees at EMC and its RSA security division will be going to classrooms to talk about responsible online behavior. And Facebook will be offering a security quiz that its members can take and share, said Joe Sullivan, Facebook chief security officer.

While the focus of the program is on consumers, Internet service providers, which have a unique ability to see traffic patterns that point to potentially malicious activity, should be doing more to protect computers, said Dave Jevans, APWG chairman and chief executive of security provider IronKey. (One positive example is Comcast, which last week launched a free nationwide antibotnet service that notifies customers of suspected malware infections.)

"Progress is being made, but it's slow," Jevans said, adding that domain name registrars have been more active and have even been convinced to shut down domains that were being used for fraud.

Industry executives and policymakers are optimistic about the success of the education campaign. Being a skeptical journalist, I asked someone who has worked as a tech support specialist and who deals with consumer education every day what he thinks the chances are that the message will make a difference.

"This is a start, but it's going to be really hard," said David Perry, global director of education at Trend Micro, who worked on the year-long initiative.

"We need to teach people impulse control and good computer hygiene," he said. "People, including me, just act on our impulses."