Licensed to Surf

2:55 PM -- In the United States today, individuals are required to get a license to drive a car, run a business, or own a gun. They're also required to get a license for far less risky activities, including owning a dog, selling t-shirts in a public place, or going crabbing.

(Yes, I said crabbing. You tie a chicken neck to a string, throw it in the water, and wait for a crab. To me, it doesn't seem that dangerous. But then, I'm not a crab.)

Here in the world of IT security, we're all agreed that end users, God bless 'em, are the weakest link in any chain. It's end users who fall for phishing attacks and click on worm-infested spam. It's end users who leave their wireless connections open and lose laptops containing thousands of customer names. It's end users who forget to update their security software, becoming unwitting participants in botnets and other online scams.

These practices are unsafe, and they endanger the personal data and identities of other users on the Internet. The people who engage in such practices are at least as dangerous as an unlicensed t-shirt vendor. Shouldn't we require users to get a license before they can surf the Web?

A few of our experts at last week's Dark Reading roundtable raised this idea, and I think it bears some consideration. (See Getting Users Fixed.)

OK, it sounds a bit crazy, but when you think about it, it's not all that far-fetched. Most companies already require their employees to complete some sort of computer security training -- or at least sign a copy of the company security policy -- before they log on. What if ISPs had a similar requirement?

And with the concept of network access control becoming more popular, many companies are also saying they will not allow computers on their networks unless they have been safely configured. What if all computers, including consumer PCs and wireless devices, had to prove such safety before they could be issued an IP address?

Now, I'm not saying that the concept of licensing Internet users is workable, or even realistic. Clearly, the administration of such licensing would be a nightmare, and there would be many ways to circumvent it. And of course, anything done in the U.S. would be of very limited value unless other countries followed suit.

But the fact is, most Internet users aren't well trained in security. Even those who are security-savvy often don't practice safe surfing because they simply don't see any consequences to their behavior. You can't get kicked off the Internet, nor are there any penalties for promulgating spam or playing part in a botnet. So most users don't take the time to learn how to avoid any of those things.

Until users become more accountable for their actions, they will continue to be the weakest link in the security chain. And, like unlicensed drivers -- or at least, crabbers -- they'll continue to be a threat to those around them.

— Tim Wilson, Site Editor, Dark Reading