In his keynote at the RSA conference Tuesday, Microsoft's Scott Charney, corporate vice president of their Trustworthy Computing Group, raised several ideas for improving the general security of users on the Internet. One was to bring outside administration to consumer PCs.

Enterprise PCs have lots of security problems, but they are much better protected than consumer PCs, in part because the companies that own them have IT departments that can administer PCs and exercise authority over them, for instance forbidding users to run certain software and pushing security patches to their PCs. Perhaps it would be better to say that they *can* be better administered.

But there is no administrator, usually, for the home PC. The only entity in a position to be one is the Internet Service Provider.

Charney wasn't all that specific; he just wants to get a discussion going. In fact, I've had this discussion in the past myself with others. It's not a new idea and I think that if it could be made to work someone would at least be trying it now. (Here's my column on the idea in eWEEK in 2006.)

Charney had the same idea I did: use something like NAC (Network Access Control), a technology Microsoft calls NAP (Network Access Protection). The idea is that PCs can't connect to the network unless they demonstrate to an authority on the network that they meet certain criteria: for instance, that they have applied a certain level of operating system updates, or that they have antivirus protection and that it's updated. If they don't meet these criteria, they are shifted off to a separate network, sometimes called a "walled garden," in which they can do little more than mitigate the problems that kept them off the network.
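To make the posture check concrete, here is an added toy policy engine that is not part of the original column and is not Microsoft's NAP or any vendor's NAC code. It applies the two criteria named above (patch level and current antivirus definitions) to a few constructed home PCs and routes each one either to the production network or to a walled garden whose only reachable destinations are remediation services. The host names, patch-level numbers, the seven-day definition-age limit, the reference date and the destination names are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Posture:
    """What an endpoint agent reports about a PC when it asks to join the network."""
    host: str
    os_patch_level: int              # cumulative update level the agent reports (constructed scale)
    av_installed: bool
    av_definitions_date: Optional[date]  # None when the agent cannot determine it


@dataclass
class Policy:
    """The network authority's admission criteria (values are assumptions)."""
    min_patch_level: int
    max_definition_age_days: int


@dataclass
class Decision:
    host: str
    network: str        # "production" or "walled-garden"
    failures: List[str]  # empty when the PC passed every check


# Hypothetical destination classes; a walled garden only allows remediation traffic.
PRODUCTION_DESTINATIONS = frozenset({"internet"})
WALLED_GARDEN_DESTINATIONS = frozenset({"os-update-server", "av-update-server", "support-portal"})


def evaluate(posture: Posture, policy: Policy, today: date) -> Decision:
    """Check one PC against the policy; any failure sends it to the walled garden."""
    failures: List[str] = []
    if posture.os_patch_level < policy.min_patch_level:
        failures.append(
            f"patch level {posture.os_patch_level} below required {policy.min_patch_level}")
    if not posture.av_installed:
        failures.append("no antivirus installed")
    elif posture.av_definitions_date is None:
        # Unknown is treated as failing: the PC cannot demonstrate it meets the criterion.
        failures.append("antivirus definitions date unknown")
    else:
        age = (today - posture.av_definitions_date).days
        if age > policy.max_definition_age_days:
            failures.append(
                f"antivirus definitions {age} days old, limit {policy.max_definition_age_days}")
    network = "production" if not failures else "walled-garden"
    return Decision(posture.host, network, failures)


def allowed_destinations(decision: Decision) -> frozenset:
    """The walled garden lets the PC reach only what it needs to fix itself."""
    if decision.network == "production":
        return PRODUCTION_DESTINATIONS
    return WALLED_GARDEN_DESTINATIONS


def evaluate_all(postures: List[Posture], policy: Policy, today: date) -> Dict[str, Decision]:
    return {p.host: evaluate(p, policy, today) for p in postures}


# Constructed sample input: four home PCs reporting their posture on a constructed date.
CONSTRUCTED_TODAY = date(2010, 3, 2)
SAMPLE_HOSTS = [
    Posture("home-pc-1", os_patch_level=12, av_installed=True, av_definitions_date=date(2010, 3, 1)),
    Posture("home-pc-2", os_patch_level=9, av_installed=True, av_definitions_date=date(2010, 2, 27)),
    Posture("home-pc-3", os_patch_level=12, av_installed=False, av_definitions_date=None),
    Posture("home-pc-4", os_patch_level=12, av_installed=True, av_definitions_date=date(2010, 1, 10)),
]
POLICY = Policy(min_patch_level=10, max_definition_age_days=7)


def run_demo() -> Dict[str, Decision]:
    decisions = evaluate_all(SAMPLE_HOSTS, POLICY, CONSTRUCTED_TODAY)
    for d in decisions.values():
        reasons = "; ".join(d.failures) or "all checks passed"
        print(f"{d.host}: {d.network} ({reasons}) -> {sorted(allowed_destinations(d))}")
    return decisions


if __name__ == "__main__":
    run_demo()
```

The design point is that "unknown" posture is treated the same as failing posture: the PC has to demonstrate compliance, and a check the agent cannot answer does not get the benefit of the doubt. Each decision carries its list of failures so the remediation page in the walled garden can tell the user exactly what to fix.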

NAC has been around quite a while now and it's out there, but it's not widespread. Implementing it on an ISP would be quite a challenge, and I'm not sure any vendors are really ready to do it. Besides, telling people they have to run certain software on their computers will be unacceptable to many. Charney's idea is somewhat different. He proposes that demonstrably infected computers, those creating a threat to others, be walled off.

But the bigger problem is that nobody has the incentive to do this. ISPs would be overwhelmed with customers requiring hours of support, and who would pay for it? Plus, you'd need every ISP to do it, or the ones that did would lose customers to those who don't. Yes, some of you might think "good riddance," but it's clear that ISPs don't want to lose that $30/month, even from the customer who dumps all over their neighbors on the Internet.

We're talking public policy here, so Charney makes the next obvious leap in the argument: Perhaps tax revenues should be used for this purpose. General funds? Some sort of special tax on Internet use? That seems a smaller question than the sheer radicalism of having the government take over security policing of the Internet through a series of local semi-monopolies. Maybe this is the "right" way to do it from a public policy standpoint, or maybe we're just better off the way things are.

Originally posted to the PCMag.com security blog, Security Watch.