Dave Lewis

The Case For A Digital Center For Disease Control For Malware

Blog Post created by Dave Lewis Employee on Jul 3, 2015

The Black Plague ravaged Europe in the Middle Ages and took an untold number of lives in its wake. Centuries later, the Spanish Flu was a horrible malady that took millions of lives. With each outbreak of these contagions, people learned a little more from the mistakes and missteps of the past.

In 1946 we saw the introduction of the Center for Disease Control. From the lessons learned in the past, a centralized coordination approach was adopted not only to react to outbreaks but to better understand where they would flare up before things got out of control.

These days we find ourselves dealing with a very different type of virus. Malware has been running rampant across the Internet for decades now. Things have changed significantly since the Morris Worm and the Whale and Stoned viruses first made themselves known to an unsuspecting Internet. These pieces of software were the forerunners of their far more insidious offspring, which have become the stock-in-trade of a burgeoning underground economy.

In 1998 we saw the code of a lovesick coder who wrote the Melissa virus, which spread at an alarming rate across Windows-based platforms. There was a response to the issue, but it was fractured and lacked any clear direction for a couple of days.

The next year I found myself standing in the office of the Chief Scientist of the firm I was working for at the time. We were discussing a project he was working on and how he wanted to bring in one of his students to assist. At that point his email application alerted him to the arrival of a new email. He turned his head to the screen and said, “Oh, how nice. I just got a nice note from my student that says they love me.”

I blurted out “NOOOOOO” as his hand reached forward and clicked the mouse. I had reacted instinctively. Something didn’t seem right about the subject line of the email. Little did I know how correct I was. By this point the I Love You virus had been making the rounds for 20 minutes and was, again, spreading at an alarming rate.

This year at RSA I saw numerous anti-malware companies pitching their wares. The problem I have is that these are reactive solutions. In an overly simple summary: step one, the malware is discovered. Step two, the code is analyzed. Step three, the signatures are pushed to their clients. There is a lag from discovery to signature that can be a matter of hours, if not days. This is far better than what was available 10 years ago, but it is not ideal.

This raises the question: where is the centralized coordination mechanism? Where is the CDC for malicious software? Oddly, we don’t appear to have arrived at that stage in the evolution of malware response. I find this rather confusing. A friend of mine, Scot Terban, and I submitted a talk proposal to a couple of security conferences to bring this idea forward. In each instance we were rebuffed. Fair enough; I’ll use this as a platform.

So I ask: why do we not have this function? Why do we have numerous anti-virus companies creating definition files for malware under wildly disparate names? When there is a significant outbreak, these companies are helpful in that they quite often release a free tool to help people recover from an infection, such as with ransomware. Helpful, but something is missing.

While it is beneficial that they provide this help, it is just a stop-gap measure. Where is the strategic direction? A band-aid can only be applied so many times before we unwittingly arrive at putrefaction. This is not my attempt to shame these companies. Quite to the contrary. I want them and the wider information security community to have the hard discussion. Where is our CDC?

Originally posted on Forbes, April 2015