In a recent posting, Microsoft VP of Trustworthy Computing Scott Charney raised more than a few eyebrows by proposing that only PCs with a “clean bill of health” should be able to connect to the Internet. The security condition of each PC would, according to Charney, be evaluated, and a PC that passes the health check would be issued a certificate attesting to its good security condition. The health check would include determining whether the PC is up to date on patches and whether it is infected with malware. Unpatched or infected PCs would be automatically patched or disinfected; if that proves unsuccessful, Charney says, the machines should be quarantined so that they cannot connect to the Internet.
I’ve known Scott for a long time, over 20 years. He was a prosecutor in the US Department of Justice (DOJ) in Washington DC while I headed the Department of Energy’s incident response team. We interfaced quite frequently; his outstanding communication skills, intelligence and knowledge of his field made interfacing with him easy. Also, he was clearly a rising star within the DOJ. Somehow, I wasn’t at all surprised when he suddenly jumped to a Big Four firm, and then on to Microsoft. The fact that he has flourished within Microsoft over the years should come as no surprise, either. Scott has a rare blend of traits and abilities. Given all this, it is hard to understand how he could have made the statements he recently made. Sure, there are way too many bot-infested machines on the Internet, and something must be done to slow down or possibly even stop the momentum that botnets currently have. But proposing that changes such as patches be installed on individuals’ PCs without their consent is downright frightening. Who would the “Big Brother” in charge of forcibly patching and disinfecting machines be? Microsoft? Internet Service Providers (ISPs)? And think of the opportunities the “Big Brother” would have to read and glean information from PCs. Come on, get real!
Charney is an amazing person, but he does not have a technical background, so it is extremely unlikely that he has ever implemented or maintained a network access control (NAC) system. If he had, he would not have so enthusiastically called for quarantining unpatched or infected PCs. Of all security technologies currently available, I would rate NAC as the most troublesome, or one of the most troublesome, from an operational standpoint. Although NAC can and does stop infected and unpatched machines from obtaining a network connection, few if any NAC implementations perform up to customer expectations. Sometimes users whose machines are configured and patched properly and are not infected end up blocked from network access anyway (a false positive), prompting help desk calls and time spent troubleshooting. Conversely, users whose machines are not so good from a security perspective are sometimes able to obtain network access (a false negative). But the worst problems occur when something goes wrong with the NAC system itself, such as when it freezes or starts working extremely slowly, blocking or severely slowing down network access for everyone behind it.
Additionally, I know of one case in which an attacker broke into a NAC system and locked out all network administrators for nearly one day. Now apply what we know about the limitations of NAC to the entire Internet; the potential consequences are mind-boggling.
Other objections to Charney’s proposal have also been raised. If ISPs were to become the proverbial “Big Brother” in Charney’s proposed scheme, they would have to bear the costs of monitoring and blocking unhealthy PCs. ISPs are already being financially pinched; how could they bear even more operational expenses? And certificates of health may superficially sound like a good idea, but anything that is electronic can be forged, altered and destroyed, as attackers already know very well. A certificate would also attest only to the state observed at the moment of the check, and the posture data it rests on would come from the very endpoint whose health is in question, so a machine compromised after (or lying during) the check would still hold a valid-looking certificate. The potential chaos, as well as the labor costs associated with verifying certificate authenticity and integrity, would quickly get out of hand.
But what scares me the most about Charney’s ideas is that some Congressperson might read them and decide to initiate some kind of half-baked legislation accordingly. You say this cannot happen? Well, just look at the Digital Millennium Copyright Act, which was voted into law despite overwhelming objections by information security professionals and others. So be careful what you ask for, Scott; you just might get it!