
The security industry that cried wolf


Malware is mostly created as a tool for gangsters to steal people's identities or companies' data, and to use its computing power to amass a giant army to send emails hawking "male enhancement" pills.

Do we really need to concoct stories more fantastic and bizarre than this to get media interest? Evidently we do, judging by an article about a new version of Stuxnet.

While I don't discount the prospect of countries exploring or exploiting the possibility of offensive cyber warfare capabilities, it's simply ridiculous the way these threats are sometimes reported. The moment a writer points the finger at CEOs of major corporations as creators of malware, I just have to roll my eyes.

These insane, conspiratorial claims seem to justify the continued misperception that anti-malware companies are creating threats to pump up demand for their product, rather than accepting that neither CEOs nor security researchers have enough time to create malware.

I understand as well as anyone that reporters willingly ignore a story if there isn't some sexy, apocalyptic angle or dramatic facts. I also understand that many media outlets prefer a "shock-and-awe" approach to reporting in order to capture readers' attention. But there are technology reporters who manage to make a positive difference by covering sensational and demonstrably factual stories about malware.

I also understand the pressure anti-virus vendors feel to keep customers informed. People can get quite angry if they believe you're holding back information about threats other vendors are calling dangerous. It is a very tricky thing to be perceived as a valuable service or product while not crying wolf about every last threat that crosses your plate. But the best researchers do manage to walk this tightrope.

In the case of a new trojan called Duqu, international cyber warfare is one possible explanation, in the same way that any conspiracy theory is a possible explanation. But possible is not the same as likely.

Would it not make at least as much sense that the motivation is financial, given the existing infrastructure in the "malware industry"?

Malware authors have used targeted attacks to gather companies' financially useful information for years. Some malware just happens to be more common in certain locales, not necessarily by design but due to certain peculiarities of software localization or dependency on certain local software. Sabotage or espionage could just as easily be explained as blackmail by malware gangs as international cyber warfare.

I don't see the positive gain in spreading these fantastic tales.

Beyond sounding ludicrous and conspiratorial, pointing the finger at shadowy government agents directs attention away from the possibility of doing something that might actually curtail the operations of real malware authors.

It's unlikely that enough evidence could be gained to stop governments from causing cyber mayhem, but if it's caused by a group of ordinary citizens, it is theoretically possible they could be arrested. And simply put, spreading unsubstantiated rumors is not ethical journalism.

In the end, I don't expect that this sort of inflammatory article will ever cease, nor do I expect that demand for them will either. I hope only that more readers will view these claims with discernment and skepticism.
