There must be a change in the attitude that end users are solely responsible for their systems’ security. Customers are not to blame that systems are shipped without appropriate safeguards, nor should they be forced to buy and maintain a large (and growing) set of additional protections to use their systems safely. Additionally, everyone should learn that patching a system is not security, and penetration testing is no substitute for proper design and development.
Technology. As a field, we should reexamine construction of smaller, more protected systems and applications. Known, effective techniques such as putting code in read-only devices, code whitelisting, integrity monitoring, and better separation of privileges could all play a role if used integrally rather than as add-ons. Tools, programming languages, and platforms in use should also be reexamined from the perspective of how to build functional, safe systems cost-effectively rather than as instruments perpetuating legacy decisions. Test methods, including some that were previously considered to be too complex to be practical, should be reconsidered given our continually advancing capabilities.g
Law. Most malware is a law enforcement issue, not a military one; it is cybercrime, not cyberwar. Police need tools, trained personnel, authority, and a clear mandate to pursue the authors and operators of malware. This will require a concerted international effort—but the trends are clear that people in every country are at risk if effective actions are not taken. Perhaps, with some creativity, approaches other than traditional criminal statutes might be employed, akin to using tax law violations to convict Al Capone. Authors and operators of malware presented with a significant risk of substantial penalties might instead choose to pursue more legitimate professions.
g This is a special case of what I described in “Rethinking computing insanity, practice and research” available at http://snipurl.com/re-thinking.

Conclusion
It has taken decades for computing to evolve into the current worldwide infrastructure. Malware and automated attacks have also been evolving, and the result is an increasing, usually unnoticed drag on our innovation and economy. We are now at a point where it is becoming an existential issue for some companies and even governments.
Current and past methods employed against malware have perhaps slowed the growth of the problem but certainly have not stopped it. If we simply continue to do more of the same we will continue to be victimized, and the problem will get worse. The longer we wait, hoping that piecemeal and uncoordinated responses will be enough, the more difficult (and expensive) it will be to address the problems when we finally attempt to do so.
Change requires resources, will, and time. We do not need to do everything everywhere at once—but we do need to start. Unfortunately, some of those who are in the best positions to make changes are also under the most pressure to defer change precisely because it requires resources and disruption of the status quo. It is up to all of us to facilitate the changes that are needed—before too many more anniversaries pass us by.
Eugene H. Spafford (spaf@cerias.purdue.edu) is a professor of computer science and the executive director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
Copyright held by author.