Should malicious code be used as a weapon of war? This is not a hypothetical musing but a question that has been under serious discussion in military and diplomatic quarters for some time. We already know from U.S. National Security Agency documents leaked by Edward Snowden that for several years now the NSA has been deploying Computer Network Attack "implants," an agency pseudonym for Trojan code, i.e. malware.
I think it is common knowledge that some people in the armed forces of the United States would like to add malware to their armory, and I'm pretty sure this is true of a wide range of countries. The military appeal of malicious software, with its potential to infiltrate and disrupt digital systems with no obvious risk to your own troops, is perhaps understandable. However, if you ask the folks who spend every day defending against, and cleaning up after, real world malware attacks, you will hear a lot of reasons why military deployment of malicious code is a very risky proposition (a common expression used with respect to this phenomenon is "What could possibly go wrong?").
Thankfully, there are folks in the military who 'get' that deploying malware is very risky. To assist them, and advance the conversation about malware in the context of cyber conflict, I worked with Andrew Lee, CEO of ESET North America, to produce a paper on this topic, titled: Malware is Called Malicious for a Reason: The Risks of Weaponizing Code (PDF).
The paper was recently published in the 6th International Conference on Cyber Conflict (CyCon) Proceedings, P. Brangetto, M. Maybaum, J. Stinissen (Eds.) IEEE, 2014. The full conference proceedings will soon be available online along with the proceedings from previous conferences (which make for great reading if this topic interests you).
Recently, I had the good fortune to present the paper in person at the annual CyCon conference in Estonia. The conference is organized by the NATO Cooperative Cyber Defence Center of Excellence or CCDCoE, which is located in Tallinn, the Estonian capital.
The CCDCoE is the entity responsible for the project that produced The Tallinn Manual on the International Law Applicable to Cyber Warfare (which can be read online here). A quick search for references to malware in that work will give you an idea of how seriously some people have been taking the issue of malicious code deployment in the context of cyber conflict, from a variety of perspectives, including legal, ethical, technical, strategic, economic, military and diplomatic.
The human networking that occurred at CyCon was an opportunity to validate my concerns about a "risk awareness shortfall" in some quarters when it comes to deploying malicious code for "righteous" ends. As we argue in the paper, such deployment carries great risk of unintended consequences, not to mention loss of control over the code. While cyber criminals do not feel restrained by such concerns, and appear undeterred by moral dilemmas like collateral damage and spreading code that can be used by unscrupulous persons for all manner of illegal purposes, we argue that legitimate entities considering the use of malware for “justifiable offense” or "active defense" must fully understand the issues around scope, targeting, control, blowback, and "arming the adversary".
In our paper we researched existing open source literature and commentary on this topic to review the arguments for and against the use of "malicious" code for "righteous" purposes, introducing the term "righteous malware" for this phenomenon. In our research we were pleasantly surprised to find that the antivirus community's longstanding objections to the notion of "a good virus," which Vesselin Bontchev analyzed and published in his 1994 EICAR paper, Are 'Good' Computer Viruses Still a Bad Idea? (Proc. EICAR'94 Conf., pp. 25-47), were not only still valid, but in some instances very prescient.
We hope that our paper will help to inform and advance debate about the use of malicious code in cyber conflicts. If you like, you can download a PDF of the slides I used when presenting the paper. The slides are also available on SlideShare. In addition, I highly recommend Andrew Lee's 2012 Virus Bulletin paper: Cyberwar: Reality, Or a Weapon of Mass Distraction?
BTW, if you are heading to BlackHat next week, you might want to catch Mikko Hypponen's "Governments as Malware Authors: The Next Generation." It's in Mandalay Bay D at 14:15 on Wednesday, and in my diary.
(Big hat tip to all who provided input on this paper, including Lysa Myers, David Harley, Aryeh Goretsky, Cameron Camp, and Righard Zwienenberg).