Aided by home users blissfully unaware of their computers' security holes, Sasser strangled millions of PCs in May. Others like Mydoom, Bagle and Netsky menaced the Internet throughout 2004. And more people worked remotely, picking up infections on laptops that were carried back to their company networks.
All this left some wondering if it's time to make users get a license to travel online.
"People need to know what they're doing to protect themselves and others," said Ned Lindburg, a network engineer for Dallas, Wis.-based Chibardun Telephone Cooperative. "They need a rudimentary education before going on the Internet. I support the concept that you must provide proof you know what you're doing."
With that in mind, SearchSecurity.com asked IT practitioners if 2005 should be the year users are required to earn a computer license through a government agency, independent organization or their PC vendor.
Three of nine respondents supported the idea. After all, you need a license proving you can get behind the wheel of a car without hurting yourself or others. Why not require something similar to get behind the keyboard to cruise cyberspace?
The rest said it's an unfair, unenforceable and even zany idea. In the end, they said, vendors must write better software and build more secure operating systems to protect us from ourselves.
"AV should no longer be something you can choose to buy," said Jesse Correll, manager of IT infrastructure for MetLife Investors of Newport Beach, Calif. "It needs to be part of the operating system. My view is that the ultimate responsibility must be on the vendors, not the users."
Danger on the road
As far as Lindburg is concerned, minimal government regulation is usually best. But with cyberspace crowded with reckless browsers, he said it may be the only way to bring sanity to the Internet.
"I don't see vendors wanting to get involved," he said. "With vendor incentives, you're dangling a carrot. That's not the same as a license. It would have to be more of a regulatory thing. My overall philosophy is that less government regulation is better. But in this situation people are endangering others. It's like someone who doesn't know how to drive getting on the highway."
Jon Benson, a network systems administrator for Neurome Inc. of La Jolla, Calif., took the concept a step further, saying the actual computers should be licensed.
"It really isn't the person that should be licensed, but the computer connected to the network," Benson said. "Any computer connected to the Internet should be shown to be free of malicious code; that it actively seeks out and destroys malicious code. You prove your car is safe [with inspection stickers]. You should also prove your computer is safe."
James Ott, IT auditor for a global high-tech manufacturing firm, said people should be made to understand the risk they pose to others. "The concept of a Web driver's license and Web insurance might be the way to go," said Ott, who did not want his company named. "The number of zombie machines on the Internet is huge and the impact can be enormous. If we don't put some fiduciary responsibilities on the Web and e-mail users, these two marvelous technical resources are going to become more and more expensive to use."
He said he read George Orwell's "1984" like everyone else of his generation, "but that does not mean we cannot have some monitoring and regulating of the e-mail and Web traffic on the Internet."
Won't change a thing
Correll believes a license would be overkill and "wouldn't really change anything." People can't be forced to become competent in information security, he said. In the end, it's up to the software writers and computer manufacturers to create a secure product.
"It's really difficult to educate people on this stuff, even in the company setting," he said. "People read the material and forget. The best we can do is control access and monitor for unusual behavior."
Correll said it's also important to remember that the professionals are sometimes the guilty party. "When we got Nimda, it got in through the IT department, so you can't always blame the user," he said.
Dave Bixler, chief security officer of Norwalk, Conn.-based Siemens Business Services, said, "The real problem is that companies aren't making software that's user-friendly enough. And with the operating systems we have today, maintenance is a constant issue."
He added, "We do offer employees training and we have policies people must follow. In the home market, though, the responsibility is on the ISP to do more to close security holes and keep viruses from spreading. Maybe it's for the ISP to provide better help desks and a more proactive response."
As for those home users who aren't updating their antivirus or installing security patches, Bixler said, "Sometimes you have to let a kid fall off the bike, break the glass or touch the flame before he understands the pain. With users, maybe it's that you need to get hit by one of these viruses to learn the importance of security."
Bradley Dinerman, technical operations manager for Newton, Mass.-based IT management firm MIS Alliance Corp., said that while he'd love to insist his clients obtain a license to operate a computer, he doesn't think it would be practical or even enforceable.
"Computers are ubiquitous now, and not just in the workplace," he said. "Asking a home user to obtain a license to use his or her computer is like asking that person to obtain a license to operate the oven. Misusing an oven can result in tragedy -- not just to the soufflé -- yet we all use them without any formal training."
Those who don't like the idea of a license said there are other ways to make users smarter.
"Here is what might be a bit more practical and something that I would personally support: Small employers should require that users acquire a certificate from an independent agency, such as a training center, that would offer half-day courses in basic computer security, covering topics such as antivirus, e-mail threats, phishing and other dos and don'ts of day-to-day use," Dinerman said. "Once the user takes and/or passes the course, he would obtain a certificate, which he would present to his employer to be entered into his record. Larger employers could probably afford to offer their own courses rather than sending users to an outside agency."
Nathan St. Germain, an IT administrator for The Eagle-Tribune Publishing Co. in North Andover, Mass., said he'd much rather see more time and money invested in training programs anyone could have access to.
"We have small, grassroots efforts right now in the open source community, though their reach isn't quite wide enough to effect widespread change among the masses," he said. "Linux install and training days are a good start. The next step might be to drum up grassroots funding for more visible training programs. Other countries, like South Korea, offer state-funded and other programs today."
Correll suggested vendors make antivirus a bigger focus in their products, so "when you turn on the computer, the AV kicking in is the first thing you would see. I also think maybe Microsoft and the AV companies need to form a partnership and combine the AV with the operating system."
Robert Stevenson, technical strategist for New York-based Nielsen Media Research, believes there should be different types of operating systems geared toward different users.
"Instead of licenses, it may be better for vendors to gear operating systems toward specific types of users, where your level of access and what you can open is dependent on the average knowledge of a given group," he said. "There could be more access for corporate users; more things blocked for home users."
In the end, though, he agreed with most respondents that "it's the responsibility of programmers to limit the damage."