Wanted: Dead or Alive

Last week, Microsoft opened an interesting and controversial new front in its war on electronic attacks, offering up $5 million in bounty money to aid law-enforcement officials from around the world in their efforts to catch malicious users who create damaging viruses and worms. In the first stage of this program, Microsoft is offering $500,000 in reward money for evidence that leads to the capture of the authors of the MSBlaster and SoBig attacks (two separate awards of $250,000 each), both of which brought down thousands of Windows systems earlier this year. The remaining money will be placed in a fund to help pay for evidence in future attacks.

Law-enforcement officials from the FBI, US Secret Service, and Interpol are supporting the new program, dubbed the Anti-Virus Reward Program, and agents from those organizations are now working closely with the software giant to help investigate and prosecute electronic attacks. The hacker community has reacted to the program mostly with yawns, although that attitude will likely change if and when arrests and prosecutions occur

For critics of the software giant, the program is yet another example of Microsoft moving the focus of its security problems away from the company. But I don't see this initiative like that: In recent months, Microsoft has publicly affirmed its desire to fix security vulnerabilities in virtually any way possible, and the Anti-Virus Reward Program is just another avenue of attack. To gain further insight into this matter, I spoke last week with Hemanshu Nigam, the corporate attorney for Microsoft's Digital Integrity Group within Law & Corporate Affairs.

Nigam told me that law enforcement is the crucial element of this program. "They are the folks that will investigate, prosecute, and convict, though we'll do whatever we can to help," he said. "It's critical to note that there has to be a conviction. Law enforcement will perform the investigation, but once there is a conviction, Microsoft will provide the reward funds in a lump sum."

In my mind, the Anti-Virus Reward Program invokes sort of a "Wanted: Dead or Alive" Wild West ideal, which is a unique tactic for the computer industry. However, Nigam told me that reward programs have been used previously in numerous other situations, including banking and vandalism. "I suppose this is unique for the PC industry, certainly in the security and virus communities," he said. "But it's been an effective tool in other industries. The FBI, Secret Service, and Interpol were in on this plan from the beginning, and we've forged a strong and necessary partnership with law enforcement."

Nigam stressed that the Anti-Virus Reward Program was only one component of the company's wider security strategy and didn't replace any other necessary plans, such as the "Securing the Perimeter" strategy I've discussed previously in Windows & .NET Magazine UPDATE or the wider Trustworthy Computing initiative the company is rolling out. "It's just one aspect of our security work," he said. "Obviously, we hope that people won't [launch electronic attacks]. But this is a crime, and we have to bring these people to justice and send a message to the international community. This is a crime, and it hurts a lot of people."

Microsoft also hopes that other high-tech companies will join the program and contribute funds to help capture and prosecute computer criminals. "This effort takes partnership with industry and law enforcement," Nigam noted. "It's not something one company can do alone." Nigam also said that the $5 million fund wasn't a hard amount and that the company would evaluate whether to add more when the funds are depleted. "Of course, if that happens, it means people were arrested and convicted. So first, we'll celebrate. Then, we'll examine whether we need to add more dollars to that fund."

"The one thing I'd like to say is, if you're about to launch a malicious virus, and you're about to hit that button, think twice," Nigam concluded. "There may be somebody out there who will turn you in."

Clearly we've crossed a line of sorts, and security concerns in the PC industry have changed forever. As many security experts and analysts are finally coming to understand, computer and network security is a topic that extends far beyond the simple components that comprise our networks. Wider moral and legal issues are involved, and perhaps Microsoft's controversial Anti-Virus Reward Program will have a positive effect. It certainly can't hurt.