First published: 30th September 2011
Allan Dyer
Professor George Ledin of Sonoma State University has a thoughtful article on the need to teach malware published in Communications of the ACM. However, there are some critical comparisons that need to be addressed.
In the article, Professor Ledin makes the valid points that taboos against dissecting cadavers held back medical science for centuries, and life science majors today are all exposed to microbiological theory and laboratory practice. However, these activities are carefully controlled by Ethics and Safety committees. Medical students do not dissect live subjects to learn anatomy. Microbiology students learn how to safely dispose of their experiments by sterilisation, and the categories of work that are permitted to be carried out in different levels of containment.
Professor Ledin links the lack of malware courses in universities to the rise of more complex, sophisticated malware, saying that the reason we have not solved the malware problem is because we do not have a Theory of Malware. True, we do not have a single theory that encompasses everything we consider to be malware, but what is "malware"? A program intended to do bad things? This makes a Theory of Malware the province of psychology, not computer science. For example, both CIH and format can destroy the data on a disc, but we only consider CIH to be malware, it is the intent of the author that makes the difference. A Theory of Malware makes no more sense than a Theory of Passenger Vehicles that encompasses canoes, armoured cars and passenger jet planes, but excludes cargo jet planes.
We do have a theoretical basis for viruses, I am sure Professor Ledin must be aware of the work of Dr. Frederick Cohen, and viruses are the area where we most need a clear understanding of risks and responsibilities, as has been said often before, teaching virus writing is a bad idea. We also have a lot of work on security models and information security management standards. Malware protection is an important part of information security, and should be taught as such. From the point of view of protecting data, whether the attacker is a person or a piece of code written by a person is less important than the capabilities.
I think that we are as likely to see a solution to the "Malware Problem" as we are to see a solution to the "Murder Problem" or the "Robbery Problem". Murder and robbery are serious crimes, but we will not reach a solution by trying to redefine them in simplistic terms. Ordinary people make decisions every day to protect themselves from murder and robbery, and we also have specialists to call on when things go wrong. In cyberspace, every systems administrator (and by that I include smartphone owners and children with administrator accounts on home PCs) needs a basic understanding of malware and how to protect themselves, and we also need specialists who can reverse-engineer complex, obfuscated code for an attack-resistant botnet.