Should there be a CDC for Computer Malware?

I think there should be a government organization similar to the CDC which would work towards preventing, containing and reacting to computer malware.

Currently, there is the FBI’s cyber crime division which has to deal with a lot more than just malware. Also, as a crime fighting organization, the FBI is poorly positioned to work on prevention, which I think is the most important step. The FBI could continue to handle the investigation and prosecution of the people behind these pieces of software, while the new organization worked with OS and browser vendors and developed removal tools and other methods for removing malware, but ultimately worked towards preventing malware as much as possible. The internet today is like real viruses were before vaccines came about. The best way today to avoid malware is to not go outside (to the internet) at all.

Right now, the internet is basically in the middle of a constant, non-ending breakout of viruses, trojans, spyware and other forms of malicious software. Computers are attacked for use as spam bots, as well as for modifying web browser settings to create fake search results pages, and for many other malicious purposes.

When it comes to infectious diseases and viruses, there’s government research and staff dedicated to trying both preventative and reactive strategies against a potential outbreak. Primarily I’m thinking about this group under the CDC, which seems to fill the role of the stereotypical CDC in popular culture.

The relevant CDC division

Real viruses and infectious diseases have a very high cost, death and/or major health problems. So there is some argument that making the comparison between infectious diseases and malware is a bad idea. Also, while physical diseases and viruses can be customized or manufactured to some degree, the majority of the threat from these things is outside human control. Viruses and diseases mutate on their own in response to changing circumstances, whereas for the most part, computer malware “mutates” by being changed by real people out there.

However, the current system where commercial entities are the primary fighters against malware seems to be a bad idea. I work in IT and the fight against forms of malware today rarely relies on paid products. We have Symantec installed on every machine but I would guess less than 5% of the malware problems that I ultimately resolve are helped by Symantec, with most of them being solved by free products like Spybot, Adaware and lately Malwarebytes.

Currently information on the latest malware threats is too scattered and too much out of date. There should be a system where people encountering malware can upload their information to a centralized database which could be searched and categorized by things like files created/affected, type of malware (fake virus remover, trojan, etc) and other categories. In addition, the Computer NCPDCID could publish removal tools and review and analyze the threat profiles of operating systems and web browsers.

I think the primary benefit to having such an agency would be to unify the picture of what is going on. If you look at most security sites out there, all of the listed latest threats are given very low threat ratings, while in fact, I have been forced several times to reformat and reinstall to kill off a trojan or virus. Malware also poses security threats to internal networks and with regard to banking and other kinds of sites used by home users. An additional benefit is that if efforts can be made against the large infection of botnets, the spam problem would be helped to some degree as well.

Malware won’t kill you but more and more it can cause big problems.

Common Vulnerabilities and Exposures run by MITRE

US Computer Emergency Response Team run by Carnegie Mellon University

SecurityFocus, home of the BugTraq computer security email list.

You should also subscribe to any security notification lists from your vendors (e.g., Microsoft, Apple, Red Hat, Sun).

That’ll get you started.

As far as prevention - get everyone to write better code, with security in mind from the start. Let me know how that works out for you :wink:

Interesting stuff. Thanks for the links.

In a large IT department it would be doable to keep up with all the vulnerabilities in the many products used, but the problems come in a small IT department like the one I’m in, where I have many different areas of responsibility, only one being security, and in the home, I suppose. Not a lot can be done to make more hours in the day, I guess.

I guess the main disappointment is that the vaunted all-in-one security products are so lackluster, at least the ones I’ve seen and used. Ultimately a lot of my personal dealings with malware come from a policy from my boss that basically the internet is not restricted. The only thing I can think of in the way of restrictions is the ban on exe attachments in email, but otherwise this is an open shop in a bad way when it comes to what people end up doing on the internet, which we try to crack down on.

Also I noticed those sites you linked are primarily about vulnerabilities rather than what’s actually out there. On the other hand, it’s hard to say what’s out there because there’s so much and so many variants. I ended up coming up with a link relating to a Java vulnerability that’s been killing us, so at least that helped in that way.

How would a US agency prevent spyware that originates in China and the former Soviet republics?

That’s what I came in to post. When 9/11 happened, I assumed that Flight 93 (the one where crew & passengers fought back and ended up crashing near Shanksville, Pa.) was aiming for Pittsburgh.

All I can think about is how enticing the prospect of stumping the US Government’s antivirus division would be for some hackers. They, in general, seem to love a challenge, and that would scare me.