Written evidence submitted by StopBadware
(Malware 05)
1. Thank you for soliciting input on the effects
of malware and the role of the Government in addressing it. StopBadware
is a not-for-profit organization, based in the United States,
which aims to protect Internet users from websites that distribute
badware, and to protect owners and hosts of websites from having
their sites turned to this malicious purpose. Where such damage
has already been done to legitimate sites, StopBadware seeks to
facilitate notification and remediation to minimize the risk to
the public.
2. In response to your first question, it is
difficult to quantify the proportion of cyber-crime that is associated
with malware. This is due to the myriad challenges of reaching
common agreement on definitions, gathering reports of losses,
quantifying losses, and associating specific losses with malware.
3. Qualitatively, it is our experience that the vast majority of cyber-crime content that individual citizens encounter in their day-to-day use of the Internet (spam, fake pharmaceutical sales, scareware such as fake anti-virus, and unauthorized downloads) is directly or indirectly supported through the use of malware or other badware.[9]
Malware is used directly to:
steal money from bank accounts;
capture credit card numbers and other credentials;
send or post spam via email, social networks, and blog comments;
spy on the communications of computer users; and
participate in distributed denial of service (DDoS) attacks.
4. Indirectly, these behaviors support a broader
criminal ecosystem, in which spam, phishing, malware, counterfeiting,
social engineering (ie con artistry), and illicit financial operations
combine to perpetrate a wide variety of crimes.
5. Further, malware is a frequent tool used to
perpetrate directed attacks against businesses, governments, and
political organizations. Many of the same techniques used by malware
in opportunistic or "mass market" cyber-crimes are deployed
(often in more sophisticated form) in such directed attacks. This
suggests that state-sponsored and other sophisticated actors may
learn from and perhaps even draw directly on the expertise of
the criminal underground, though we have seen no specific evidence
to confirm this theory.
6. The preceding paragraphs begin to answer your
second question regarding the source of, and motivations behind,
malware. Within the economic underground, freelance developers
and specialized groups develop and market malware or e-crime toolkits
that allow other actors to perpetrate their chosen attacks or
scams. The primary motivation in these cases is largely one of
profit, though this is frequently accompanied by an anti-establishment
ethos or a "look what I can do" arrogance. In contrast,
some of the most technically sophisticated malware likely comes
from highly skilled, highly paid individuals and teams working
within or sympathetic to the organizations (governmental, political,
or criminal) responsible for perpetrating targeted attacks.
7. When discussing where malware comes from,
it's also important to consider how malware reaches individual
computers, smartphones, and similar devices. Although the specific
vectors vary, there are two elements common to most malware, especially
the forms targeting a broad audience: malware is opportunistic,
and it abuses user trust. Several years ago, malware frequently
manifested itself as a worm spreading from friend to friend by
email, or a Trojan disguising itself with a Microsoft Word icon.
Today, malicious links spread from friend to friend via Facebook,
and fake antivirus alerts are disguised as Microsoft security
warnings. In our work at StopBadware, we work with website owners whose otherwise harmless websites (blogs, retail storefronts, and so on) have been compromised and enlisted in distributing badware to the sites' unsuspecting visitors.
8. Regarding the cost to individuals, it is again
difficult to quantify. Here in the United States, Consumer
Reports published a study in June 2010 that attributed $3.9
billion in consumer damages to viruses and spyware.[10]
These numbers, however, are at best a rough approximation, as
they were self-reported by consumers via survey. Some of the challenges
to accurately measuring the cost to individuals include:
centralizing information about consumer losses, many of which are unreported or are reported only to private institutions, such as banks or credit card issuers;
attributing a loss specifically to malware (eg if a consumer's credit card number is stolen, s/he may not realize it was because of a Trojan);
distinguishing between financial losses borne directly by the individual and those ultimately borne by the financial institution; and
valuing lost time, aggravation, and other intangible (but not insignificant) costs.
9. It can be challenging, as well, to determine
how effectively the security industry is protecting individuals.
After all, how do you measure what you cannot see (ie the malware
that doesn't get detected)? That said, there are some things we
do know. For example, we know that the protection afforded by
consumer security products (eg anti-virus software and comprehensive
security suites) varies dramatically across brands and versions.
We recently reviewed a study that simulated real-world conditions
of a user opening attachments, downloading files, and visiting
dangerous websites, while protected by various name-brand security
products. The percentage of attacks that succeeded in infecting
the computers ranged from 0% to 35% depending upon the security
product used.
10. Security products, however, are not the only
form of protection for individuals against malware. Here are just
a few examples of other areas in which industry plays a role in
protecting users:
Web hosting providers can help protect customers' websites from becoming compromised by malware.
Software vendors can design sensible security defaults and automatic update mechanisms into operating systems and applications.
Technology industry players can collaborate on common messaging and security standards to reduce end user confusion.
ISPs can notify customers whose devices exhibit malware behavior and direct those customers to educational content and support resources.
11. The extent to which malware continues to proliferate and affect individual Internet users indicates that industry as a whole is not doing as well as it could (and, we would argue, should) to prioritize consumer protection from malware.
12. While it is reasonable to conclude, then,
that government has a responsibility to address the spread of
malware, more work is needed to determine the best approach. Your
inquiry refers to a human disease metaphor, and indeed there are
efforts underway to identify an Internet health model patterned
after global public health models.[11]
These efforts are still early in their development, and we are
still determining the extent to which the health metaphor applies
to fighting malware, and what this implies for government involvement.
13. What is clear, however, is that government
can and should play a role in aligning incentives and facilitating
industry response to malware. Carefully constructed policies around liability for spreading malware, with clear protections for industry players that take reasonable precautions to prevent it, may help elevate prevention as a priority. Government can facilitate valuable data sharing and measurement in a number of ways, including:
institution of mandatory data reporting;
centralized collection and collation of data, whether shared voluntarily or via mandate;
removal of real or perceived legal barriers to data sharing; and
funding of existing efforts to collect data and report on trends.
14. Countries like Germany, Japan, and Australia
have demonstrated the value of government-facilitated data sharing
through their efforts to assist ISPs in notifying customers of
compromised devices. Germany and Japan have taken this a step
further with their funding of centralized centers to assist consumers
with the removal of malware from their systems.
15. Collectively, these existing and proposed
government approaches can offer a blueprint for effective response
by government to malware. Combined with the ongoing efforts of
leading industry players and third-party organizations like StopBadware,
it should be possible to substantially reduce the threat to the
public of malware and its attendant criminal activity.
Maxim Weinstein
Executive Director, StopBadware
6 September 2011
[9] Badware is any software that fails to respect users' choices about how their computers or network connections are used. It is a superset of malware that also includes spyware, fake anti-virus software, drive-by downloads, and other similar threats.
[10] http://www.consumerreports.org/cro/magazine-archive/2010/june/electronics-computers/social-insecurity/state-of-the-net-2010/index.htm
[11] See, for example, the East-West Institute's cyber security breakthrough group on Internet Health.