2008-12-01
Abstract
'By installing a security suite you not only protect yourself, but you increase the safety of the whole community.' Claudiu Musat, BitDefender.
Copyright © 2008 Virus Bulletin
Spam and malware are problems for everyone who uses the Internet, and common methods that are used to combat the phenomena – such as filtering the junk and controlling access – do not seem to be much of a deterrent for the attackers.
The creation and distribution of malware and the sending of spam are activities that are driven by profit, and they will continue for as long as the benefits to the perpetrators exceed their cost. But these activities also impose costs on other users of the Internet: spillover costs. In any activity, spillover costs are a sign that the activity has exceeded an acceptable level. There must be a way to counter the spillover costs by diminishing the benefits or increasing the penalties for the perpetrators.
The most obvious solution is to increase the penalties for spamming and unauthorized computer intrusion – and many countries now have extensive anti-spam and computer crime laws, but they have had little impact on the levels of these crimes. Suggestions for economic solutions, such as imposing a minimal price for each email sent, have also had little success. So far, one thing no one seems to have considered is the idea of tackling the other categories of users – those who purchase the products/services advertised in spam, and those who leave their computers unprotected and consequently get infected.
Tracking down those who make purchases from spam is likely to be very difficult – which leaves us with those who do not secure their PCs.
In order to understand how a greater number of protected computers would be beneficial, let’s look at motor insurance. Uninsured car drivers cause higher insurance premiums (because if an uninsured driver causes an accident and cannot pay the damage, the other driver(s) have to collect from their own insurance companies, driving their premiums upwards). Thus driving an uninsured car imposes spillover costs on all the people you meet on the road. However, the higher the insurance premiums, the less likely that drivers will take out insurance. There is no way to get out of that vicious circle without help from the outside – which comes in the form of mandatory insurance. Mandatory motor insurance brings down the cost of insurance (spillover cost) both because there are fewer uninsured drivers to drive up premiums, and because the more people buy insurance the more likely it is to be offered at a lower cost.
What would happen if the use of security solutions was mandatory? More people would install security products, which would have multiple effects. First, with more machines protected it would be harder for botnet masters to recruit new zombie machines, thus increasing their costs, which in turn would increase the cost of spamming and decrease its profitability. It would also increase the revenues of security companies which, in a highly competitive market, could lead to an overall decrease in the cost of the security products themselves. That would complete the circle, with the lower cost of solutions combined with their mandatory use resulting in a larger number of people protecting their computers.
The key to all this is that by installing a security suite you not only protect yourself, but you increase the safety of the whole community as you protect the rest of us from the menace you would become once infected. Thus it might be viewed as a form of liability insurance.
This approach does face significant obstacles – such as the fact that legislation would have to be passed, which would take time. Furthermore, making computers harder to attack in one country would have little effect unless other countries took action as well – otherwise the attackers would simply shift the focus of their operations to another geographical area. Complications would also arise regarding enforcement of the legislation. A possible solution would be to insist that every buyer has a licence for a security solution when buying a new computer or any major computer component such as the motherboard.
It is my belief that making the use of security products mandatory could make the lives of spammers and other online criminals so much more difficult that it would act as a deterrent and make the Internet a safer place for all.