The Snake Oil Days of Internet Health

One popular ruse was to find a fellow con artist with a very thick crop of hair, shave his head completely bald and send him into town for a few days where he would re-shave his head at night, and wander around the streets by day. When the snake oil salesman rode his wagon into town later in the week, guess who was asked to accept a free sample. And in the days that followed, as hair began to emerge from the once shiny scalp, a good business was done before the team left town—often just ahead of the sheriff.

In the mid-1800s, Chinese laborers working on the Transcontinental Railroad rubbed sore muscles with an ointment made from the Chinese water snake.  According to a 2007 article in Scientific American, a California researcher found that there could have been some medicinal value in that original ointment.  Unfortunately, though, hucksters heard about the miraculous powers of the snake oil and decided to sell their own versions without actually using Chinese water snakes – or any snake at all.  Thus,  a possible real solution in 1800s medicine was tarnished by “rogue snake oil” fraudsters.

This sounds a lot like the state of Internet security – or Internet health, if you will – today.   Companies and researchers introduce products and services that provide some amount of protective benefit, but Cyber fraudsters churn out rogue security software with socially engineered interfaces that look and feel like the real thing, but either provide no benefit or instead do actual harm to computers.  This undermines confidence in legitimate solutions right along with the fraudulent ones and it is challenging for an average Internet user to tell the difference.

I believe we can learn lessons about combating the snake oil salesmen of today by taking a look at how we defeated the snake oil peddlers of the past. At the same time there were con artists selling bottles of elixir from the back of a wagon, there were scientists and physicians doing the hard, but rewarding, work of building our knowledge base across the sciences and developing cures and preventative measures to help their patients. 

The rise of modern medicine pretty much shut down the old snake oil business – but what elements of modern healthcare make it hard for “traditional” Snake Oil medicine men to thrive?  Why is it that even my 6-year-old would be unlikely to fall for a spiel from a huckster selling a cure out of the back of his car?  Let’s consider healthcare from the perspective of a 6-year-old.

Any six year-old knows that:

• if he is sick, he doesn’t have to go to school because that could make others sick  (temporary self-quarantine to prevent spread)
• he has to wash his hands a lot, especially during flu season (promotion of healthy habits to prevent spread)
• he should cover his mouth when he coughs (promotion of healthy habits to prevent spread)
• if he is only a little sick, Mom and Dad may be able to nurse him back to health with over-the-counter medicine (using basic tools for self-healing)
• he should not take medicine (or candy!) from some random stranger (don’t accept unsolicited and non-authoritative health ‘solutions’)
• if he is really sick, he has to go to a doctor (seek a professional, certified by Mom & Dad and ultimately an authoritative medical association)
• if he is really, really sick, he might have to go to a hospital – which could be expensive and is kind of scary (specialist services, usually more expensive and possibly requiring an extended stay)

And of course, there are elements of modern health that are benefitting him that he has no idea about, such as public sanitation and all of the details behind how doctors are trained or authorized to practice.

In the same way that modern healthcare has made it more difficult for snake oil peddlers to do their business, we need to modernize Internet health in a way that that addresses the ambiguity in the minds of the public.  Internet citizens need a system that is authoritative, yet simple enough that even a six year old can understand it and know what to do.

Last year, I was a contributor on a paper (by Microsoft CVP Scott Charney) Collective Defense: Applying Public Health Models to the Internet, and in June participated in a breakthrough group on Internet Health at the East West Institute Cybersecurity Summit, so this is by not means a new topic.  In fact, that breakthrough working group continues to meet and discuss actions we can collectively pursue to improve Internet Health.  As I’ve worked more on this Internet health view of cybersecurity during the past year, I’ve found the concept of public health to be a useful working model to have discussions with people across the industry. 

Much remains to be done.  It will take a global effort to create a worldwide system to promote Internet health. However, now is a good time for IT professionals and other stakeholders to start conceptualizing what a public health model for the Internet might look like and especially look at what we need to do to address the social issues of trust and education with the public.

One possible insight is that “snake oil” wasn’t really a technical problem for healthcare, it was a problem that contributed to social uncertainty about what actually worked.  While we can think of technologies as approaches to improving health (e.g. oil from a Chinese water snake), I think we might make more progress, more quickly, by taking a hard look at the social and people aspects of Internet health and trying to define systems that address the social uncertainties.

Can we build trusted sites that could make an authoritative diagnosis of malware infection or cleanliness?  How can we make those sites well-known and deploy them in a way that people would trust them?  Can the existing security software business models evolve to one that separates trusted independent diagnosis from tools for treatment? Interesting questions remain to be addressed and I am thinking about what I might propose to help address the social problems with Internet health.   I’m very interested in other perspectives, so if you have thoughts, please share them with me.

Regards ~Jeff (@securityjones)

NOTE: This article is cross-posted to The Security Decode blog on csoonline.com and the Microsoft Security Blog.