Innovation: Sending botnets the way of smallpox

Innovation is our regular column that highlights emerging technological ideas and where they may lead

Compulsory vaccination programmes have rid the world of scourges like smallpox and controlled the spread of diseases such as polio. So could similar strategies be applied to the internet to help stop the spread of cybercrime?

Computer viruses, spam and online identity theft have been able to proliferate because of the large number of internet-connected machines that don't have up-to-date security software installed. That security software could be thought of as the internet equivalent of a vaccine.

"In the US you cannot go to school unless you have the appropriate vaccinations. Maybe you shouldn't have access to the internet without the right computer vaccinations, too," says computer scientist Sujeet Shenoi at the University of Tulsa in Oklahoma.

Shenoi and colleagues have just published a legal study on three "technically feasible" compulsory vaccination scenarios that governments could consider.

Public safety

This is no academic pipe dream: Microsoft's security vice-president Scott Charney last week said the firm backs a public-health-like inoculation model because too few people use up-to-date antivirus software. He says internet service providers (ISPs) should have the power to sever internet connections if they detect a subscriber has infected computers – only restoring the link once they have helped the subscriber become virus-free.

If it happens, Shenoi imagines a government-controlled "Computer Protection Board" overseeing one of three potential vaccination scenarios. First is "quarantine and vaccinate". When an ISP detects that traffic flowing across its infrastructure bears the hallmark of a botnet – such as data being directed to a blacklisted address or sudden torrents of email traffic from a single machine – it would be empowered to quarantine its subscriber, destroy any malware found on the user's machine, and vaccinate it by installing the latest security software.
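The two hallmarks named above (traffic to a blacklisted address, a sudden torrent of email from one machine) can be checked over ISP flow records roughly as follows. This is an added example, not code from the article or the Tulsa study; the record layout, the blocklist range, the thresholds and the subscriber names are all constructed assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed values for illustration only (documentation address ranges).
BLOCKLIST = [ip_network("203.0.113.0/24")]   # stand-in for a blacklist feed
SMTP_PORTS = {25}                            # direct-to-MX mail traffic
WINDOW_S = 60                                # sliding window length in seconds
MAX_SMTP_PER_WINDOW = 20                     # more than this in one window is a burst


def quarantine_candidates(flows):
    """Return {subscriber: set of reasons} for flows that show either hallmark.

    flows: iterable of (ts_seconds, subscriber, dst_ip, dst_port), sorted by time.
    """
    reasons = defaultdict(set)
    recent_smtp = defaultdict(deque)         # per-subscriber SMTP timestamps
    for ts, sub, dst, port in flows:
        addr = ip_address(dst)
        if any(addr in net for net in BLOCKLIST):
            reasons[sub].add("blocklisted-destination")
        if port in SMTP_PORTS:
            window = recent_smtp[sub]
            window.append(ts)
            # Drop connections that have aged out of the sliding window.
            while window and ts - window[0] >= WINDOW_S:
                window.popleft()
            if len(window) > MAX_SMTP_PER_WINDOW:
                reasons[sub].add("smtp-burst")
    return dict(reasons)


def sample_flows():
    """Constructed flow records: two ordinary subscribers, two suspicious ones."""
    flows = [
        (5, "sub-a", "198.51.100.10", 443),   # ordinary web traffic
        (30, "sub-a", "198.51.100.25", 25),   # a single outbound mail
        (12, "sub-b", "203.0.113.7", 6667),   # contact with a blocklisted address
    ]
    # sub-c: 40 SMTP connections to different hosts within 40 seconds.
    flows += [(t, "sub-c", f"198.51.100.{t + 1}", 25) for t in range(40)]
    # sub-d: 30 SMTP connections, but only one every 10 seconds (steady, not a burst).
    flows += [(t * 10, "sub-d", "198.51.100.25", 25) for t in range(30)]
    return sorted(flows)


if __name__ == "__main__":
    print(quarantine_candidates(sample_flows()))
```

The steady sender (`sub-d`) produces almost as many connections as the burst sender but is not flagged, which is why the rate is measured per window and not as a running total.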

This sounds like a consumer-liability nightmare to Ray Stanton, head of security at BT, the UK's biggest ISP. ISPs cannot know enough about their customers' computers to tell whether they'd even be able to install software, he argues. "You can't know the configuration of every single machine. How do you know it has enough memory to run the vaccine? The download could make it crawl to a halt," he says.

Prying eyes

Attempting to implement a system of large-scale security monitoring would also raise privacy concerns, says Lilian Edwards, an internet law researcher at the University of Sheffield in the UK.

As Shenoi's second public-health inoculation scenario illustrates, the best way to ensure a computer is not just free of known viruses but also not infested with yet-to-be-identified ones would be to install a set of feedback sensors. These would analyse all internet-bound traffic, looking out for anomalous behaviour that may be indicative of a new virus.

"Sensor feedback would probably use deep-packet inspection on your data," says Edwards. This can analyse network traffic, spotting the difference between that associated with emails, pictures or even malware. Widespread, government-backed use of deep-packet inspection "really would be the death of privacy", she says.

But if those two approaches were deemed insufficient, the Tulsa team offer a third possibility: adding a cybercrime-fighting capability to their sensor feedback model. Here, software downloaded to our computers would allow a government to assemble PCs into a benevolent "national defence botnet" that can mount cyberattacks to counter, say, attacks on the electricity grid.

Conscientious objectors

It's an alarming idea. "A defensive botnet would be akin to conscription of users' computers, basically creating an amateur army the government could use any time to attack absolutely anyone it likes," warns Edwards.

Stanton agrees. "What constitutes a national cyber-emergency? You could lose control of your PC once a week with the volume of attacks these days."

The Tulsa team conclude that, in the US at least, and taking previous medical case law as a template, it should be possible to establish the framework for a legal internet inoculation programme.

But Stanton says only global, not national, action on this issue will work because botnets are no respecters of borders. That's a major stumbling block.

"Even if this bears constitutional scrutiny in the US, it probably would not under human rights law in Europe," says Edwards. "Blanket surveillance, as might be possible with sensor feedback, is illegal in Europe."

Courtesy Computer Crime
