Nov. 15 Ottawa—The Public Interest Advocacy Centre (PIAC) today released a report entitled “Whitelisting for Cyber Security: What It Means for Consumers” that examines the technique of whitelisting and provides examples of how whitelisting is being deployed in Canada by security companies. As cyber threats continue to increase, traditional cyber security protections such as anti-virus solutions are challenged to keep up and provide diminishing returns in effectiveness.
The practice of whitelisting defines a set of parameters that designate applications, email addresses and websites as “safe” for a given system and enforces a set of accesses in order to control the computer system. This means that any application or email or website that does not meet the defined safelist is automatically blocked from the computer or network.
PIAC conducted interviews with industry and government stakeholders and found that the use of whitelisting has advantages for cyber security, such as preventative protection against zero day attacks. However, whitelisting is not a holistic cyber security solution and is particularly ineffective at dealing with grey areas such as spyware and adware. A centralized whitelist can slow efficiency and stifle innovation. Whitelisting is an important layer of a holistic cyber security solution and complements and augments existing defences.
Whitelisting currently lends itself well to deployment in the enterprise environment, particularly closed environments where network resources and assets need to be protected.
“Whitelisting does not work for consumers yet because it requires a level of technical sophistication and time to set up and manage that most consumers do not have,” said Janet Lo, Legal Counsel for PIAC. “As whitelisting continues to develop in the enterprise space, pure-play vendors and holistic security vendors will likely look to innovate for deployment in the consumer space. The successful adoption of whitelisting will depend on innovation that makes it easier for consumers to implement and administer whitelisting.” Some small whitelisting solution companies suggest that even though traditional anti-virus solutions are becoming less effective, there is no incentive for big player anti-virus companies to offer better protection using whitelisting because they continue to earn most of their revenue from consumers using blacklisting.
The report calls for greater government leadership in cyber security to protect critical infrastructure and help consumers deal with online safety challenges. The Government of Canada Cyber Security Strategy announcement is an important first step in the right direction. PIAC warns that whitelisting could be deployed in an overly broad manner by governments and ISPs that would compromise the historical values of the internet such as openness and network neutrality. This would stifle the generative qualities of the internet to the detriment of the public interest. Consumer education about cyber security will help consumers understand the benefits that whitelisting can offer and how to properly use whitelisting in conjunction with other mechanisms such as blacklisting and firewalls.
The Executive Summary is available here:

thumb_pdfDownload File: whitelistingexec.pdf [size: 0.05 mb]

Le Centre pour la défense de l’intérêt public a entrepris d’examiner une nouvelle technique, les listes blanches et de fournir des exemples sur la manière dont ces dernières sont utilisées par les entreprises de sécurité au Canada. Un résumé est disponible ici:

thumb_pdfDownload File: leslistesblanches.pdf  [size: 0.06 mb]

The full version of “Whitelisting for Cyber Security: What It Means for Consumer” is available here:

thumb_pdfDownload File: whitelisting_final_nov2010.pdf [size: 0.25 mb]

PIAC received funding from Industry Canada’s Contributions Program for Non-Profit Consumer and Voluntary Organizations. The views expressed in the report are not necessarily those of Industry Canada or the Government of Canada.