The swine flu outbreak has inspired a flood of comparisons and false analogies to Conficker and other worms, most of which miss the many key differences between the Internet infrastructure and the human population. But there are lessons that security personnel can learn from the ways that health organizations respond to and handle epidemics.
Although people often use terms borrowed from biology and epidemiology to describe computer attacks, botnet propagation and virus infections, the comparison is not necessarily an apt one. As Jose Nazario of Arbor Networks, one of the foremost experts in the world on botnets and large-scale infections, points out in his excellent post on the topic, there are more differences between human and computer networks than there are similarities.
At its core, as a set of technologies, the Internet is simply infrastructure, communications infrastructure. It is just routers, packets, switches, fiber and copper, and ultimately bytes on the wire. This isn’t much different than the phone system. Its role in global commerce, communications or entertainment is no less significant.
But unlike the telecommunications infrastructure, the endpoints can cause outages via malcode, and the infrastructure itself is vulnerable to attacks from any endpoint. Furthermore, data stored on other nodes is vulnerable to outsiders eavesdropping or accessing. The water supply isn’t analogous; a stranger halfway around the world can’t modify the water in your tap. The telephone system isn’t analogous; it’s a gated network and devices can’t make arbitrary requests for resources.
But there are still a lot of things that can be learned by studying the way that health scares are handled. The health industry has a number of national and international organizations, such as the Centers for Disease Control and Prevention and the World Health Organization, that are tasked with identifying and tracking disease outbreaks as well as providing warnings to doctors and the general population about these events. The US-CERT originally was meant to fill this role on the Internet, but its charter has changed and the scope of the Internet has made it impractical for one group to handle it.
And various people have called for an international organization to coordinate response to large attacks and worm outbreaks. Nazario, for one, thinks it may be time for such a group. And I agree with him. But as he rightly points out, any group like this would face a number of major challenges.
So, if we’re to have an accurate and complete picture of threats to the Internet (and hence global commerce), what would we need? What are the real threats to the Internet and how do you measure them? Can someone take all of the real time data feeds that we produce from our sensor networks and come up with an accurate picture of the state of the Internet? Where are those gaps and what questions need to be answered, with what tools, and in what format? Folks have tried and tried but we don’t seem to be getting anywhere. We’re a long way off of a true early warning system.
And that shouldn’t be that surprising, really. The commercial Internet is less than 20 years old, and while its growth has been exponential, it’s still in its infancy. But it may be past time for something akin to the WHO for the Internet.