enisalogo_thumb4Over the past year, we have been looking at how to apply concepts from public health to address internet security. Last week I noticed two new reports published by the European Network and Information Security Agency (ENISA) on the topic of botnets. The reports make a key observation that “research on botnets is the key to analyzing, understanding and finally mitigating botnets.” Like the amazing breakthroughs that scientific research has made possible in fighting human diseases, protecting our information infrastructure against evolving threats will require research and innovation from around the world.

One of the reports looks at ten tough research and policy questions, some of which I wanted to examine here.

How much Trust to Put in Public Figures?

It’s fitting for the first question to ask – just how big is this problem? In order to tackle botnets as a scientific research problem, we need to be able to accurately assess the current state of the problem. Further, for a variety of commercial interests, stakeholders want to be able to measure the success being made (or not made) against this problem. The report also raises an interesting concern about what is not visible and thus can’t be measured, but it seems we can make meaningful progress on the information we do have. Determining a commonly accepted methodology for measuring the botnet infection is an important first step in facilitating the cooperative action required to address this problem.

Which Parties Should Take Which Responsibilities?

If we agree that cooperative action is required to adequately address the botnet threat, who needs to do what? The report calls out that clear laws and guidelines are necessary to guide the actions of investigators, researchers and infrastructure operators. The report notes that some service providers are well positioned today to help detect infected systems and notify the customers. However, as the cooperative response model matures, I can envision this detection and notification scheme extending beyond service providers to other business services as we demonstrated at RSA 2011. Because the infected systems are owned and operated by private individuals, it is important to help people keep their systems clean with actionable guidance and effective tools within a well-defined system they trust. The report reinforces a key part of our collective defense proposal; “users should therefore be supported by other parties.” The kinds of support needed and who will deliver it are future questions for research.

The Internet is a shared ecosystem that we must work cooperatively to protect against botnets and other threats. Microsoft’s collective defense proposal is to find novel methods for members of that ecosystem to work together to protect our customers, employees and neighbors.  I believe that the scope of the problem warrants this collective response and that the most effective solutions to the problem may be found at the intersections of existing boundaries. It is clear that much work remains including establishing measurements, determining responsibilities and more, but the reports from ENISA lay out a research agenda worthy of pursuit.

~ Kevin