The world of cybersecurity is starting to resemble a paranoid thriller. Shadowy figures plant malicious software, or “malware,” in our computers. They slip it into e-mails. They transmit it over the Internet. They infect us with it through corrupted Web sites. They plant it in other programs. They design it to migrate from device to device—laptops, flash drives, smartphones, servers, copy machines, iPods, gaming consoles—until it’s inside our critical systems. As even the most isolated systems periodically need new instructions, new data or some kind of maintenance, any system can be infected.
The effect could be devastating. After lying dormant for months or years, malware could switch on without any action on the part of those who launched it. It could disable emergency services, cause factories to make defective products, blow up refineries and pipelines, poison drinking water, make medical treatments lethal, wreck electric generators, discredit the banking system, ground airplanes, cause trains to collide, and turn our own military equipment against us.
Many public officials are now aware that something needs to be done. Putting aside worries about privacy and civil liberties, they propose giant government programs to search our critical computer systems and scan everything that goes into them.
But here’s where the plot thickens. We don’t actually know how to scan for malware. We can’t stop it, because we can’t find it. We can’t always recognize it even if we are looking right at it.
Like a thriller character who discovers he doesn’t know whom to trust, cybersecurity experts start running through the options. Can we recognize malware by its identifying characteristics? No, because each piece of malware can be different, and it can keep changing its appearance. Can we recognize it by the tools it needs to spread? No, because the malware might be a payload inserted by someone or something else.
Can we find malware by looking in likely hiding places? No, because it could be in a hiding place we didn’t know was there—an area of memory we can’t see or some component we didn’t even realize had a memory. It could be moving around even as we’re looking for it. It could copy itself into the place we just looked and erase itself from the place we’re about to look.
Can we create a safe area, bit by bit, reading every line of code in each program to make sure it’s innocent? The problem is that we can look directly at a line of malware and not recognize it. Sometimes a tiny modification in a line of code can cause a malicious effect. Malware doesn’t need to be in the individual lines of code. The malicious part of the malware might be the sequence of operations that causes a normal instruction to be carried out at exactly the wrong time.
If all else fails, can we recognize malware by what it does? This won’t work either. Malware can take control of every display, message box, graphic or reading. It can make sure you see only what it wants you to see. If you do manage to catch it doing something bad, it might be too late. If the first time a malicious program operates it turns your missiles back at you, fries your electric generators or blows up your refineries, it won’t do much good to recognize it by that behavior.
We truly can’t trust anything. The very computers we are using to search for malware might be the vehicles delivering it. Our authentication systems could be authenticating programs infected with malware. Our encryption systems could be encrypting malware. Even if we manage to come up with an effective barrier, we will not know which side the malware is on.
This is the world many cybersecurity professionals are currently living in. We are stopping most malware, most of the time. But we don’t have a reliable solution for the cases where it might matter most. America and its allies have always been good at coming up with timely breakthroughs when they are most needed. We need one now.