Microsoft exec: Infected PCs should be quarantined (Q&A)

Under Scott Charney's plan, ISPs would keep infected PCs off the Internet, much like doctors quarantine sick people and governments restrict smoking in public areas.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
5 min read

Scott Charney, corporate vice president of Trustworthy Computing at Microsoft James Martin/CNET

SAN FRANCISCO--In his keynote at the RSA security conference on Tuesday, Scott Charney, Microsoft's corporate vice president of Trustworthy Computing, suggested that the security industry should follow the health care model of quarantining infected PCs to prevent them from being used to send spam and conduct denial-of-service attacks.

In a follow-up interview afterward, Charney elaborated on his vision for reducing the damage from botnets and explains how infected computers should be kept off the Internet just like doctors quarantine sick people and smokers are restricted as to where they can light up in public.

Q: So you teased us with references to a system of quarantining computers during your keynote but didn't provide details. Can you explain what you have in mind?
Scott Charney: When people get diseases and they run the risk of contaminating other people the medical community has devised mechanisms to help ensure the public's health. It's a combination of inspection, quarantine, and treatment. I remember going to Asia during the SARS epidemic and as soon as I got off the plane they were standing there with these little guns that took your temperature as you got off the plane and if they registered that you had a temperature they would talk to you and if they thought you might have SARS they would quarantine you and treat you. We've done this with other kinds of illnesses over generations actually. In the enterprise in computers we do it today, we have Network Access Protection...The theory is if a machine is known to be infected do you want it to connect to the network and infect everyone else? Or do you want to clean the machine and then let it connect? So, the concept isn't that complicated but the challenge is once you move into the consumer environment you raise a lot of interesting issues.

The Internet is so many things for consumers. It's a way to engage in free speech, to engage in online commerce, to get education, to seek health care information. Their lives center around this technology in so many important ways. And they're used to the PC being in their home. It's considered a very private device in a way. And it may be storing a lot of private sensitive data, like your diary or your tax records. But what we've seen is that when people get infected they may not be the ultimate victim. They are a victim. The ultimate victim might be the person who receives the spam directed by the botnet or the site or service shut down by the denial-of-service attack. I'm a big fan of consumer education and we've been doing it for 20 years, but it doesn't work at scale. You can tell people make sure you've updated your machines, you're running antivirus, and you're backing up your data. Yet we still see a lot of people just don't do that. So, the question becomes how do you create a less infected Internet?

If the access provider just made sure you're not carrying any disease and you're not going to infect the community we'll let you connect with no further ado. But if you are infected with something we recognize and have a signature for, let's clean you up and allow you to connect.

I wondered what is the rational basis for doing this to consumers and I started thinking about smoking. People smoked for the longest time even after we knew it causes many types of cancer, heart disease. Society said you have a right to smoke. Even though you're going to add cost to the health care system that we're all going to have to pay for, if you're going to risk lung cancer that's your right. Then the EPA came out with the secondhand smoke report and suddenly smoking was banned in a lot of public places. The philosophy is simple--you may have the right to risk your own life and risk disease, but you don't have a right to sicken the person next to you. So when we started in Internet security we said to consumers, run antivirus, update your software, and back up your data, and many people didn't. The problem with botnets is you're not just risking yourself any more, you're risking everybody else in the community. It's just like smoking.

You mentioned the need in such a system to protect consumers from privacy intrusions. What do you mean?
Charney: Well, there is the question of public acceptance. To make it work you really have to focus on cleaning known malware and having a regime that doesn't allow access providers to look for other stuff, like copyrighted material. Maybe you shouldn't be violating copyrights, but that's not a public health issue. You have to limit it to the true purpose. The second thing you have to do is to think about how you pay for this. I don't know what the right funding model is but I know what some options are. One is market forces. Comcast is doing some of this because it's cheaper to clean their machines than it is to lose the bandwidth on their network created by all the bots...If you can't do it through market forces, then you could go to a use tax. For instance, everyone who has a telephone pays a universal access fee so that you can have phone service in rural communities. Because it is good for everyone to have phone service we fund it. And there is a security tax on airline tickets to pay for the extra security post-September 11. So one argument is the people who use the technology should pay for the cost of making the technology safe. Another argument is if this is a public safety issue it should be paid for out of general taxes.

Will we see anything like this soon?
Charney: Will the government undertake this soon? In the next two to five years will there be discussions and some activity, yes. There are many things to work out along the way. One of the things to work out is the notion of social acceptance.

So, you are recommending government regulation, right?
Charney: Ultimately if you want social acceptance, with one caveat. If these market forces (are adequate) it might just work on its own. And in general if the market is working then you don't need government regulation. However, I can see a real a government role particularly if the market doesn't sustain this. There might be a role for government to ensure that the rules are fair and evenhanded and enforced. But is it absolutely necessary? We don't know yet.

But Internet service providers have in general been resistant to calls in the past to do anything on their end to proactively block malware.
Charney: And that's another reason for government intervention. The government could say if you do these things and you have to pick your standard you're in a safe harbor.

Last year following his speech at RSA, Charney discussed the threats to PCs on the Internet in a videotaped interview with CNET's Ina Fried.