The Growing Harm of Not Teaching Malware
Revisiting the need to educate professionals to defend against malware in its various guises.
At the risk of sounding a byte alarmist, may I call to your attention the extreme threat to our world posed by cyberwar, cyberterrorism, and cybercrime? Cyberattacks are already numerous and intricate, and the unquestionable trend is up. To grasp the likelihood of these threats, consider the similarities between physical and virtual violence. Before attacking the U.S. on Sept. 11, 2001, terrorists rehearsed their assaults on a smaller scale at the World Trade Center and in several more distant venues. Since that infamous date, paralleling physical attacks, cyberstrikes of increasing severity have been carried out against many targets. A few small nations have been temporarily shut down. These attacks are proofs of concept waiting to be scaled up. I hope cybersecurity is on governments’ front burners. We ought not wait to react until a devastating cyber-onslaught is unleashed upon us.
Six years ago I wrote a Communications Inside Risks column urging that viruses, worms, and other malware be taught (“Not Teaching Viruses and Worms Is Harmful,” Jan. 2005, p. 144). The goal of that column was to involve future generations of computer professionals in the expanding global malware problem and persuade them to help curb it. Six years later, malware is still not being taught. And the problem is now much worse.
During the first decade of the 21st century the malware problem has evolved in two significant ways. Gone are the lethal but simplistic payloads, produced by improvised, amateur scripts. Gone also are the idiots savants who cut-and-pasted such scripts. Carders, script kiddies, spammers, identity thieves, and other low-level miscreants will probably and deplorably never be completely gone. Gangs of much better trained programmers have largely replaced the individual crooks and nuisance makers. These gangs ply their trade for or in behalf of political syndicates, organized crime cartels, and government-sanctioned but unacknowledged dark ops. Some nation-states covertly train and support them.
What began as gross mischief evolved into criminal activity. Rather than erasing a hard disk drive, why not steal the data stored on it? Or encrypt the drive and extort a ransom for decrypting it? Or hijack the users’ computers? Today’s malware is a killer app: obfuscated, often; clumsy, never. A medley of viruses, worms, trojans, and rootkits, it is clever, enigmatic—a sly hybrid. Its bureaucratic components (such as installers and updaters) are examples of automated elegance.
Identity theft, botnetting, and many other forms of trespass and larceny continue. Coupled with negligence by institutions that are supposed to safeguard our privacy, the picture is bleak. Malware launchers seem to be always ahead. And their products are no longer stupid capers but skillful software packages. These are valuable lessons that are not being understood by us,
Malware perpetrators have clearly mastered these lessons. Trading local pranks for global villainy, the perps are readying their next steps on the international political stage, where cyberspace is a potential war zone in-the-making. Inadequately capable of defending ourselves from being burgled, we are easy targets for evil geniuses plotting fresh hostilities.
We cannot protect ourselves from what we do not know. We must not remain stuck in a weak, purely reactive, defensive mode. New malware should no longer be an unexpected, unpleasant surprise. And we must be embarrassed when anti-malware products cause more problems than they solve.
As human beings, we have a duty to