Fact, fiction and authoring malware
When I wrote recently for ESET about new(-ish) legislation in Japan that criminalizes the writing of viruses, I didn't think it was particularly contentious to remark that there isn't actually much legislation worldwide that takes that tack. By that I meant that most computer-crime legislation addresses unauthorized access and/or modification of systems or data, rather than making the act of authoring malware (self-replicating or otherwise) an offence in itself. I thought (and still think) that it will be interesting to see whether this is any more successful in suppressing malware authoring than previous attempts have been. (Since there have already been arrests under this law, I guess it is making an impact, but its long-term impact remains unproven.)
However, I received a flurry of comments criticizing my “espousing” legislation that outlawed the writing of attack code by security researchers for research purposes. Well, I didn't actually say whether I “supported” the act. If you really want to know whether I do, you'll have to wait till I've seen how well it works in practice. It is quite far-ranging – criminalizing the creation, distribution, acquisition and storage of malware without reasonable cause. But that “without reasonable cause” get-out-of-jail card strikes me as critical to any assessment of its efficacy. Obviously, as someone who works in the anti-malware industry, I'd be a little concerned to see the Japanese security industry disappear because it couldn't even acquire and store samples. However, the criticism I received seemed to be quite specifically about the creation of malcode. It's not a topic I ever intended to address in that blog, but it is worth clarifying.
Once upon a time, malware was easy to define because, generally, it was self-replicating (viruses, worms). At that time, when I was in more direct contact with virus writers than I am today, my position was fairly laissez-faire: “I don't care how many viruses you write as long as you keep them to yourself (and as long as it's legal where you are).”
Nowadays, it's not nearly so easy, because most malware doesn't replicate. But malware is a question of intent rather than (just) technology, the occasional arcane discussion in the industry about “unintended trojans” notwithstanding. If it isn't intended for a malicious purpose, it isn't malware. (It might still be used maliciously, but that's a whole different discussion.) That's what malware is: malicious software.
I am not, you'll be surprised to hear, involved in the creation of Japanese legislation. But I don't have a problem in principle with legitimate researchers using malware-like code for legitimate purposes, as long as their code doesn't somehow leak out of the lab and into the real world. While I don't think that researchers should consider themselves above the law, I'm not saying that a legitimate researcher should automatically be put on trial if an experiment with pseudo-malware goes wrong and affects other people, of course. On the other hand, it's not unreasonable to expect them to be held accountable in some way in such a situation. However, that's a hypothetical scenario that doesn't seem to lend itself to any off-the-peg legal remedies. Certainly none that I'm about to suggest.