Microsoft Proposes PC Health Certificate for Internet Access

Scott Charney, Corporate Vice President of Microsoft’s Trustworthy Computing division, has proposed a radical solution to the problem of virus-infected PCs. Mr. Charney believes that infected computers should be quarantined from the Internet, and that PCs have to prove themselves clean with a digital health certificate in order to access the Internet.

In a blog post, Mr. Charney laid out the proposal, which he also presented in a speech on Tuesday at the International Security Solutions Europe (ISSE) Conference in Berlin, Germany. His vision is to look at cyber health as a global problem, and to implement a “global collective defense of Internet health.”

“Just as when an individual who is not vaccinated puts others’ health at risk,” he wrote, “computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.” He argues that in the physical world there are national and international agencies tasked with “identifying, tracking and controlling the spread of disease which can include, where necessary, quarantining people to avoid the infection of others.”

He implies that the risks presented by botnets of PCs that are controlled by criminal organizations (he does not suggest that there are botnets controlled by nation-states) are just as important and just as great as the risks involved with uncontrolled epidemics and pandemics. By taking a global, unified approach to the problem, the good guys would find it easier to stop the spread of viruses and malware used by the bad guys to take over PCs and use them to disseminate spam, attack corporate and governmental computer systems, and carry out other nefarious deeds.

“To realize this vision,” he said, “there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources.”

At the heart of his proposal is the idea of requiring digital health certificates on PCs that certify they are running current antivirus software, are patched with the latest OS patches, and are otherwise clean and free of malware or viruses. Without a valid certificate, those PCs would not be able to access the Internet, though he offers detailed exemptions for being able to download patches and contact emergency services in order to make the system palatable to the public.

He also laid out the following five central points that must be considered as key to any such solution:

  • The risk that botnets present to Internet users and critical infrastructures must be addressed.
  • Collective defense can and should be used to help improve the security of consumer devices and protect against such cyber threats.
  • A public health model can empower consumers and improve Internet security.
  • Voluntary behavior and market forces are the preferred means to drive action but if those means fail, then governments should ensure these concepts are advanced.
  • Privacy concerns must be carefully considered in any effort to promote Internet security by focusing on device health. In that regard, examining health is not the same as examining content; communicating health is not the same as communicating identity; and consumers can be protected in privacy-centric ways that do not adversely impact freedom of expression and freedom of association.

Microsoft has published a White Paper from Mr. Charney on the subject, titled “Collective Defense: Applying Public Health Models to the Internet.”