We think of computer viruses and malware as inconveniences; pesky programs written by hackers and geeks in basements to either steal money or just cause trouble. They’re the online equivalent of pickpockets and opportunist thieves, and installing anti-virus software is the virtual equivalent of putting a lock on your front door. Some intruders, however, have darker motives than others.
Stuxnet is a piece of malware whose goal is to damage centrifuges used by Iran to enrich uranium. It was created by a joint US/Israeli project as part of Operation Olympic Games, a wave of cyber-attacks intended to slow or halt Iran’s nuclear project. Stuxnet’s more complex follow-up Flame stole documents and information, and was remotely instructed to self-destruct when it was discovered – it seems almost certain that Flame too was the work of nations targeting other nations.
Which somewhat changes how we should think of malware. Now the guy trying to slip his hand into your pocket might actually be from the CIA or Mossad, with all the resources that implies – so where does that leave anti-virus makers?
Cyber-security companies have a choice to make – if they’ve not silently made it already. Are they neutral watchmen whose job is to stop malicious attacks, whatever their country of origin and intended purpose? Or are they obedient servants of a national government first and cyber-sheriffs second?
Kaspersky is a Russian AV company whose founder is an ex-KGB member; ESET is from Slovakia; Symantec are an American company known for working with the FBI. Software from just those three is installed on millions of computers around the world, ostensibly protecting them against all malicious intruders.
What happens if the US government is developing malware designed to steal information that’s protected by an American company’s anti-virus software? It wouldn’t take a stretch of the imagination to think that the government might lean on that company to help out, say by providing a backdoor, or overlooking the signs of infection.
There are interesting consequences either way. If that happens even once – or even if the thought that it might happen is there – would the AV industry change from a global to a national one? Would Chinese users willingly buy into an American company that had shown it was willing to put its own national interest above their security?
And if AV companies don’t submit then they’re indirectly obstructing their government’s ambitions, not to mention putting themselves in the sights of whoever created hugely sophisticated malware like Flame. If, like Stuxnet, Flame was created by the American and Israeli governments then they were the ones who cracked Microsoft’s precious update process in order to spread their malware and sneaked past every AV product out there.
Flame and Stuxnet got through because they had enormous amounts of resources spent to make them that way. Most viruses and malware are simple, in relative terms; creating Flame would have required “world-class cryptographers who have broken new ground in their field”.
I certainly wouldn’t like to be the cyber-security company who has to be constantly on the lookout for the next attack of that magnitude, without any idea where or when it might happen. Is the only alternative to sell your loyalty to a government? Who knows.
It must be a difficult choice to face; but I think what’s going to be more difficult is telling who’s already made that decision and which way they’ve gone. Who’s standing up for your rights, and who sold out your security in exchange for their own?
The backdoor can be placed in any software – flash player, java, document reader, picture viewer, web browser or even operating system. It would be more stealthy and detection-proof than influencing some single AV company not to detect some sample.
True, the same thing applies to most software, I suppose.
But politics clearly intrudes on software already – for example, Photoshop won’t open files containing scanned currency. If I was a government agency dedicated to creating malware and there was a section of my country’s industry dedicated to obstructing me, I would be keeping a close eye on them – to say the least…