Obama administration supports cyber security month

Posted by Maxim Weinstein Mon, 19 Oct 2009 20:03:52 GMT

President Obama recorded the following video (also available here) promoting National Cyber Security Awareness Month and reminding all Americans of our shared responsibility to keep the ’net safe.




In addition, Janet Napolitano, Secretary of Homeland Security, will be delivering a live webcast tomorrow (Tuesday, Oct. 20, 11 a.m. EDT) on the issue of cyber security and the role that the Department of Homeland Security is playing in this field. The webcast will be available from DHS.gov.

 


Goldsmith: Govt. should set PC security standards

Posted by Maxim Weinstein Thu, 02 Jul 2009 16:53:12 GMT

In a New York Times op-ed piece today, Harvard Law School Professor and Berkman Center Faculty Co-Director Jack Goldsmith called on the federal government to regulate consumer-level PC security:

Our digital security problems start with ordinary computer users who do not take security seriously. Their computers can be infiltrated and used as vehicles for attacks on military or corporate systems. They are also often the first place that adversaries go to steal credentials or identify targets as a prelude to larger attacks.

President Obama has recognized the need to educate the public about computer security. The government should jump-start this education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious multiple computer probes into the network.

Obviously we at StopBadware agree strongly with the first paragraph. Rather than taking a position on the second, I pose these questions that would have to be answered about Prof. Goldsmith’s policy recommendations:

  • Would computer security standards be based on technology (e.g., computers must have real-time anti-virus scanning), principles open to interpretation (e.g., computers must be kept updated with security fixes), or something else? In any case, who decides on these standards and how do we ensure that they are kept current and do not benefit the software industry more than they benefit national security?
  • If ISPs are expected to play gatekeeper, how do we build transparency and a fair, responsive appeals process into the system? What happens when an ISP blocks my connection because they think I’m sending spam, when in fact I’m operating a high-volume, opt-in mailing list?
  • If the government "jump-starts this education," who will actually provide the education? After all, blocking a user from the Internet because his computer is infected does not educate the user, it just creates a motivation for the user to become educated. Is the responsibility of helping the user to clean up and protect his PC the ISP’s? The government’s? StopBadware’s? Or is the user just expected to be on his/her own?

These are not trivial questions, but there is precedent for answering all three successfully. Our Badware Guidelines have been a helpful tool in identifying applications that dip below a certain level of community expectations. Our independent review process keeps a check on our data partners’ autonomous detection of badware websites. And our BadwareBusters.org community and StopBadware security tips have proven a useful educational resource for website owners with compromised sites.

Despite these successes, there are many differences between Prof. Goldsmith’s proposal and StopBadware’s independent, voluntary system. And setting minimum security standards for computers is a different animal than setting behavioral standards for applications. It remains to be seen whether the questions above can be adequately answered within a system like the one described by Prof. Goldsmith.

 


It's official: badware is a problem

Posted by Maxim Weinstein Tue, 09 Dec 2008 19:34:46 GMT

It’s been a busy week for declarations about how bad a problem malware and cyber security are. "Thieves Winning Online War, Maybe Even in Your Computer" declared the New York Times. "U.S. Is Losing Global Cyberwar, Commission Says," announced BusinessWeek, referring to a Center for Strategic and International Studies report that, among other things, concluded that "cybersecurity is now a major national security problem for the United States." And security firm F-Secure labeled 2008, "Another record breaking year in the growth of malicious software."

Unfortunately, there is some justification for the negativity. There is plenty of evidence that malware has become more technically sophisticated, that the criminal underground has become more developed, and that botnets can be effectively harnessed for targeted attacks against critical resources. We must, as a society, take these threats seriously and work collaboratively to address them.

That said, there is also reason for optimism. All three major U.S.-based search engines (Google, Yahoo!, Microsoft Live) now provide proactive warnings to users about known malware (and, in some cases, phishing) sites. So does the second most popular web browser (Firefox), and Internet Explorer is integrating such a feature in its next release. In the U.S. and Europe, public outreach campaigns have started to make users aware of the dangers of phishing, even as the messaging industry has worked together to reduce the amount of spam that reaches users’ inboxes. Law enforcement has recently busted some large Internet fraud rings, even as independent security researchers have brought down hosting providers and registrars alleged to have been complicit in harboring dangerous websites.

Even with these successes, we have a long way to go. This will require cooperation and communication, at unprecedented levels, amongst businesses, governments, security researchers, and the general public. It will also require StopBadware.org and others to continue innovating in how we harness the power of the Internet to help preserve what’s great about the Internet.
