
Image: Illustration by Post Typography
The world of cybersecurity is starting to resemble a paranoid thriller. Shadowy figures plant malicious software, or “malware,” in our computers. They slip it into e-mails. They transmit it over the Internet. They infect us with it through corrupted Web sites. They plant it in other programs. They design it to migrate from device to device—laptops, flash drives, smartphones, servers, copy machines, iPods, gaming consoles—until it’s inside our critical systems. As even the most isolated systems periodically need new instructions, new data or some kind of maintenance, any system can be infected.
The effect could be devastating. After lying dormant for months or years, malware could switch on without any action on the part of those who launched it. It could disable emergency services, cause factories to make defective products, blow up refineries and pipelines, poison drinking water, make medical treatments lethal, wreck electric generators, discredit the banking system, ground airplanes, cause trains to collide, and turn our own military equipment against us.
Many public officials are now aware that something needs to be done. Putting aside worries about privacy and civil liberties, they propose giant government programs to search our critical computer systems and scan everything that goes into them.
But here’s where the plot thickens. We don’t actually know how to scan for malware. We can’t stop it, because we can’t find it. We can’t always recognize it even if we are looking right at it.
Like a thriller character who discovers he doesn’t know whom to trust, cybersecurity experts start running through the options. Can we recognize malware by its identifying characteristics? No, because each piece of malware can be different, and it can keep changing its appearance. Can we recognize it by the tools it needs to spread? No, because the malware might be a payload inserted by someone or something else.
Can we find malware by looking in likely hiding places? No, because it could be in a hiding place we didn’t know was there—an area of memory we can’t see or some component we didn’t even realize had a memory. It could be moving around even as we’re looking for it. It could copy itself into the place we just looked and erase itself from the place we’re about to look.
Can we create a safe area, bit by bit, reading every line of code in each program to make sure it’s innocent? The problem is that we can look directly at a line of malware and not recognize it. Sometimes a tiny modification in a line of code can cause a malicious effect. Malware doesn’t need to be in the individual lines of code. The malicious part of the malware might be the sequence of operations that causes a normal instruction to be carried out at exactly the wrong time.
If all else fails, can we recognize malware by what it does? This won’t work either. Malware can take control of every display, message box, graphic or reading. It can make sure you see only what it wants you to see. If you do manage to catch it doing something bad, it might be too late. If the first time a malicious program operates it turns your missiles back at you, fries your electric generators or blows up your refineries, it won’t do much good to recognize it by that behavior.
We truly can’t trust anything. The very computers we are using to search for malware might be the vehicles delivering it. Our authentication systems could be authenticating programs infected with malware. Our encryption systems could be encrypting malware. Even if we manage to come up with an effective barrier, we will not know which side the malware is on.
This is the world many cybersecurity professionals are currently living in. We are stopping most malware, most of the time. But we don’t have a reliable solution for the cases where it might matter most. America and its allies have always been good at coming up with timely breakthroughs when they are most needed. We need one now.
23 Comments
A solution which is usually overlooked is Linux. The Linux environment is not a virus/trojan/malware friendly operating system as is Windows. However, just the mention of Linux often causes fear in the hearts of the average user. This is unfortunate, since a default (free) installation of a Linux desktop provides a user with countless more applications than does a Windows installation, including DVD/Mp3 creating and playing, photo editing comparable to PhotoShop, and an Office suite comparable to MS Office which also allows the user to create PDFs (MS Office does not have this feature). All this for the incredible price of nothing. And as a bonus, no malware.
In all fairness though, the gaming community has left Linux behind. But this is understandable, since there is not enough support for Linux in the gaming community to justify the game manufacturers paying their army of developers to develop for Linux. However, for the other 95% of the community, Linux is a great solution.
So, people DO have a choice; they simply chose to pay hundreds of dollars for a featureless operating system/environment which only includes IE, and a complimentary malware invitation.
The malware threat can be reduced immensely, if desktop operating systems apply ideas from smartphones.
For example, in the Android operating system each application runs completely isolated from the rest of the system. So a malware-containing application cannot open any file anywhere on the system and modify it, which is something really easy to do in the Windows operating system.
The reality of today is that malware attacks are occurring in virtually all venues. One must recognize that the primary target is the products of Microsoft and those which deliver services to the Microsoft environment. Anyone asking why, when there are some platforms which appear to be less vulnerable, simply does not understand the world of business.
Comments one and two observe that there are platforms less often targeted by malware. The simple reason is that they are less lucrative. The world of Windows is the most lucrative and likely will be for a long time to come. Comment 1 notes that an "Office suite comparable to MS Office which also allows the user to create PDFs (MS Office does not have this feature)"; this is incorrect. Microsoft Office 2010 includes the PDF creation feature and many others to match that of Open Office!
The basic article is right on target. Having been working as a malware forensics examiner for two years I can say that the malware of today is steadily keeping ahead of the various malware detection/prevention products. In my daily examination of several malware infected systems it is not uncommon for me to identify malware on the system which malware detection software is not able to detect. A lot of hope was placed upon the introduction of heuristic detection techniques but that has not delivered the nirvana solution that many espoused.
So long as we move forward without the ability to effectively detect and thwart inbound malware we are destined to fighting a losing battle.
Most of today's news about cybersecurity is disturbing, and given our promiscuous tendency to connect everything to the Internet, is a very valid concern. However, for manufacturing and power generation plants, the quickest safety precaution is obvious: do not connect your control systems to the Internet. The ability to manage your system from your laptop at home is seductive, but is not a realistic piece of risk-taking. Essential control can be managed through dial-up connections, telephone calls, or through having properly-trained personnel on site.
I find this kind of scaremongering to be far beneath Scientific American. The author will (presumably) be overjoyed to learn that information technology continues to support commerce at an ever-increasing rate, in many new and interesting ways, and malware is little more than an annoyance.
The level of misinformation put forth in the article above is astonishing to me, and I deal with non-technical business managers and non-security IT managers daily. Apologies for my blunt language, but it speaks of frank ignorance.
Or did someone's laptop get pwned and now he's taking it out on the entire security field?
--David C Frier, CISSP, CRISC
I, for one, am glad to see that someone has their eyes open, and is aware of the problem of malware. Far from scaremongering, malware has elevated to the point where people are harvesting identities from these buggers to the tune of many millions of dollars worldwide. It's getting as profitable as selling dangerous illegal drugs, and many of the same nefarious people are involved. In 2009, the total value of this crime was nearly $560 million, more than double the amount in 2008.
As we continue to put more and more commerce on the Internet, we should look for people using the same schemes that they use in the "real" world. Too many non-technical people will believe something because it's on the Internet, that they would not believe in the "real" world. Simple scams work well when people are uninformed.
Though there may not be much that can be done with sophisticated malware, many times this is downloaded by a simple click on a search engine result, opening an unknown e-mail attachment, or downloading software. It is important to keep non-technical people informed, so that they may be on the lookout for such things. A simple stop, think, then connect measure may be all that is needed to stop a majority of malware infestations.
Check out the Department of Homeland Security's site at http://stopthinkconnect.org . It has some good information, especially for the non-technical person.
Not everyone's security interests always coincide. In particular, the security concerns of the large corporations which control 90% of the computer operating systems running today are not necessarily the same as yours.
UEFI boot is one illustration of this. The idea is to sign all the code that your computer runs to the boot firmware, so in theory no malware can run on the machine. This could also make it impossible to run software not specifically approved by the machine's manufacturer, including your own copy of the linux kernel compiled from source, or even hardware drivers which you personally wrote. Many in the entertainment business love this idea, because they hope to control your ability to consume and share music, movies, and other creative works.
The basis of all computer security is control of your software. I am not interested in buying or using a machine -- computer, smartphone, or even music player -- which runs code that works against me, whether it was put there by shadowy thieves or suit-jacketed coders in corporate cubicles. ( Yes of course I run desktop linux)
Consider the MagicMoment when a piece of malware converts from Data (as it is transferred to one's machine) to Program, with all the rights conferred to a Program run by the User. How easy is it for the malware to achieve an illicit MagicMoment? What environment does the malware find itself in after the MagicMoment? I assert that the answers to these questions for Windows and Linux (and other Operating systems that don't share Windows' design flaws) are significantly different. For both, the malware would have to confuse an application that I'm running into performing the MagicMoment. Linux applications are open source, easily inspectable, and quickly fixed by the community. Windows applications are closed-source, uninspectable (unless you break the law), fixed only by the company on their schedule.
If the malware subverts my application on Linux, it can do what I can do - ship out all MY data over the net, then trash all MY data. It can't do System Things any more than I, a regular user, can. A subverted Windows application has many ways to escalate its privilege level, and do System Things in addition to shipping out and trashing all MY data.
Things are as bad as they seem only if you think that Computers only run Windows.
Consider the Cyber-victimology. What OS most falls victim to malware? Windows. What OS lets its users participate in Botnets? Windows. What OS runs on the computers of the companies that let credit card data run free?
Almost all cybersecurity is completely defensive and left completely to the individual. The Federal government may try to locate and punish hackers who attack some federal computers, but as far as I know neither the Feds, nor the States, nor the local police will do anything to protect my computer. In the absence of government protection I suggest that we, in our millions, should have the power to counter-attack if our software detects what seems to be an attempt to download malware.
"If there should follow a thousand swords to carry my bones away,
Belike the price of a jackal's meal were more than a thief could pay"
Kipling
Yes lots of scare-mongering.
The problem cannot be solved where a foreign government wishes to insert code, but for all other companies solutions already exist. They just don't want to pay for it or can't.
If people would stop trying to get that iPad for free, at least half of the problems would disappear.
How many times do you read a newspaper or magazine article about something labeled a computer virus, or trojan or worm? Reporters (being reporters) hardly ever correctly describe it as a Windows virus. Unlike other evangelical Linux users I am very, very happy about this. I hope most computer users continue to rely on Windows - for the obvious reason. The funniest example of this was the Stuxnet malware used to attack the Iranian nuclear industry. Yup - you guessed it, Windows. You just can't make this stuff up.
You can build a system able to resist one, two, three mechanical or electronic failures, you can add double or triple backup or replacement units, but nobody will probably ever be able to build a system that can resist the deliberate attempt of a human being, or a group of them, to enter, stop or damage a system of any kind. The ones who prepare the defense mechanisms and those that build the attacks do belong to the same species, thus have similar abilities and powers; it's just expected that police have more facilities and more abundant and more advanced means than criminals. Probably, no whole or perfect solution or firewall against every kind of attack will ever be found, but we are forced to keep on trying; it would be stupid to abandon and leave the field to the enemy. At least, this builds an industry, creates jobs, and stimulates scientific and technical progress.
"However, for manufacturing and power generation plants, the quickest safety precaution is obvious: do not connect your control systems to the Internet."
Well, that didn't quite work for the Iranian centrifuge controllers wrecked by Stuxnet. As this article pointed out, every system, sooner or later, needs some kind of updating. There is a way in. Even if you can't see it, somebody else will.
Security is rated in seconds to defeat, be it physical locks or digital codes. You can't make an invulnerable system without some form of intelligence monitoring and adapting to the threats. With computing, the best you can hope for is that a mission-critical system's security "time to defeat" is long enough for the watchers to notice, and that they do notice.
Other than that, well, nothing is perfect. We deal with tens of thousands of automotive deaths per year and orders of magnitude greater injuries. We still drive, we can still buy massively powerful machines to drive if we want, and those machines still let us be as stupid as we want. These machines can cause a lot of damage to other people, no matter how safely those people drive. The machines can still be stolen and used for crime. We don't demand that cars, or roads for that matter, be specifically built to limit criminal or reckless activity. You could say roughly the same thing about woodworking tools, kitchen appliances, just about anything. Why should computers be any different? Why the double-standard? The only other thing we seem to treat like computers is baby-gear, with a near-insane demand for safety. What, are all us computer users a bunch of babies?
Your malware article is poorly thought out and one-sided. If you are relying on computer assistance to navigate a plane, all you need to do is take the computer off line to land the aircraft. Any idiot who makes an aircraft that cannot land without computer assistance should be strapped to the nose of the plane. We got along without computers quite nicely for quite a while. We can also make a policy of wiping the memory and reasserting the original software with a one-way overwrite. Malware is only an annoyance for those who cannot think anymore.
One way to generate a warning is to CHECKSUM the software every night. For example, a 32 bit Xor.
If anyone has modified the software, the checksum will be different.
It is virtually impossible to put malware into a system without altering its checksum. At least they would have to know HOW the checksum was derived.
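The nightly checksum idea from the comment above, as an added example that is not part of the original thread: a 32-bit XOR checksum beside an HMAC-SHA256 baseline check, both run over constructed sample images. It shows the caveat a defender would want: XOR is blind to a reordering of the file's words, while a keyed digest is not, and the secret key is what formalises "they would have to know HOW the checksum was derived". The image bytes, file name and key are all assumed.

```python
import hashlib
import hmac
import struct

# Constructed sample "program images" (not real software): a trusted build
# and two tampered variants of it.
ORIGINAL = bytes(range(1, 33))                       # 32 bytes = 8 LE words
FLIPPED_BYTE = ORIGINAL[:5] + bytes([ORIGINAL[5] ^ 0x80]) + ORIGINAL[6:]
# Same words as ORIGINAL, first two swapped: XOR cannot tell the difference.
SWAPPED_WORDS = ORIGINAL[4:8] + ORIGINAL[0:4] + ORIGINAL[8:]

# Assumed secret, kept on the monitoring host rather than the checked machine.
SECRET_KEY = b"constructed-demo-key-not-for-real-use"


def xor32_checksum(data: bytes) -> int:
    """The commenter's scheme: XOR every 32-bit word of the file (zero-padded)."""
    padded = data + b"\x00" * (-len(data) % 4)
    acc = 0
    for (word,) in struct.iter_unpack("<I", padded):
        acc ^= word
    return acc


def keyed_digest(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the file: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def baseline(files: dict, key: bytes) -> dict:
    """Nightly record: name -> (xor checksum, keyed digest) of the trusted build."""
    return {name: (xor32_checksum(data), keyed_digest(data, key))
            for name, data in files.items()}


def check(files: dict, base: dict, key: bytes) -> dict:
    """Compare current files to the baseline.
    Returns name -> (xor_flags_change, hmac_flags_change)."""
    out = {}
    for name, data in files.items():
        old_xor, old_mac = base[name]
        new_mac = keyed_digest(data, key)
        out[name] = (xor32_checksum(data) != old_xor,
                     not hmac.compare_digest(new_mac, old_mac))
    return out


def demo() -> dict:
    """Run both tampered images against a baseline taken from ORIGINAL."""
    base = baseline({"ctl.bin": ORIGINAL}, SECRET_KEY)
    results = {}
    for label, data in (("flipped_byte", FLIPPED_BYTE), ("swapped_words", SWAPPED_WORDS)):
        results[label] = check({"ctl.bin": data}, base, SECRET_KEY)["ctl.bin"]
    return results


if __name__ == "__main__":
    for label, (xor_hit, mac_hit) in demo().items():
        print(f"{label}: xor detects={xor_hit}, hmac detects={mac_hit}")
```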
What happens when the machine intelligence EXCEEDS ours?
We'll probably see that in 25-30 years or so. They might even be running our governments.....
I see no harm in putting a machine in charge of garbage collection, road building, sewers, etc.
Or even extraterrestrial exploration. It makes more sense to put robots on long voyages, like to Jupiter, Saturn, or beyond.
Windows is the target of choice for malware because it is the most widely used; if Linux became the OS of choice you would see a lot more Linux-based malware.
Stop malware?
1. Fire Ballmers
2. Ban Windows
3. Rinse, Repeat.
Forgive me if I'm a little jaded on this subject, but if you ask me we would have FAR less malware if there was no anti-malware software! Where do you think all these "new" viruses and worms and spyware come from?! Granted a few indeed come from the occasional hacker that just out to ruin someone's day, but my bet is a majority of the malware today is created by the same companies that sell you the software to protect you from it!
Yes, and to whom will you complain when MY software detects YOUR system and attacks? I could be wrong, you could have been subverted, you could have gotten on my list through malice, ...
When everybody is armed with cyber-nukes, nobody better sneeze.