Friday, 8 October 2010
Malware, You're the Disease
Scott Charney of Microsoft advocates a public health model for malware and botnets. I found Charney's paper worth the time to read. He offers some fine definitions of individual defense, collective defense, active defense, and offense as means to combat cyber crime, and compares these to their physical counterparts.
That said, I'm not getting in line for a laptop health certificate. I do not find the public health model valid. It's an old saw in cyber threat modeling. I object to it as a false analogy. Measures like vaccination and quarantine are weighed carefully against civil liberties because in public health concerns, we deal with people and populations. Computers, ISPs, and the like do not have such advocates. My ISP can choke off my traffic, and no one would blink.
Furthermore, Charney acknowledges that his proposal sacrifices privacy for the sake of security. Using his health model, he further blunders in his discussion of anti-smoking regulations as a comparative privacy loss for the public good. We must acknowledge that smoking in public is a willful act, unlike my computer's infection. Downloading software doesn't compare to lighting up.
It's time that security researchers shelve our copies of Outbreak and The Hot Zone. We need a model for the spread of software threats that applies to software threats.