Should there be an AV industry code of ethics?


Alex Eckelberry

GFI Software, USA
Editor: Helen Martin


‘“Doing good for all is good for business” – helping others protect their users makes all of us stronger.’ Alex Eckelberry, GFI Software

We see it all the time: a major magazine publishes a sensational story about a new nasty which threatens our existence; a researcher presents data at a major conference about a new threat; a company presents the inner workings of a group of black hats. The news machine grinds on it, while at the same time, a flurry of emails passes between researchers who are trying to gain more information on this ‘threat’.

This is how the game is played. But recently, a number of security researchers have been questioning ‘business as usual’, and considering the industry’s responsibility to share threat information with others. In other words, if we see something bad happening, what is our responsibility to do something about it?

It’s worth noting that it is not uncommon for members of various security communities to share data, so at least other companies can protect their own customers, as well as collaborate on garnering further intelligence and even coordinate takedown efforts.

However, it appears that we may still be dealing with a lack of cooperation by a few on some major issues – perhaps due to issues of sharing data with competitors, non-disclosure agreements, or even defeatist ideas such as ‘it doesn’t really matter what we do anyway’.

Perhaps it’s time that the security industry as a whole – not just the AV community – had a frank and open discussion about what our responsibilities are in protecting the community at large, in addition to promoting our own commercial interests. It’s not an argument for ‘malware welfare’ – big, well capitalized companies sharing data with lesser capitalized companies. The fundamental issue is one that revolves around the need to make the Internet safer, rather than just pulling chips off the table.

The issue transcends a moral one that ‘we have some duty to give back to the market if we’re making money from it’. That’s certainly a laudable imperative for many of us in the industry. However, I would argue toward a concept of enlightened self-interest, which could crudely be distilled as ‘doing good for all is good for business’ – helping others protect their users makes all of us stronger.

For example, spreading fear, uncertainty and doubt (FUD) among users, and then not doing what we can to make the Internet safer creates unintended consequences – we strike terror into the minds of users, and they demand solutions. This inevitably leads to politicians frantically trying to ‘solve the problem’. More political action to ‘regulate the dangers’ is certainly not something about which many of us are sanguine.

My concern is that if we don’t do what we reasonably can to keep the Internet clean, we will have regulatory agencies deciding to do it for us. Furthermore, users already distrust the security industry, and not working together to make the Internet safer will only lead to more scepticism. Finally, we know that having even a relatively small number of end-users that are unprotected against a threat can cause plenty of trouble for the rest of us. ‘Every man for himself’ is a losing strategy in the long term.

If we see something really bad, I would venture that it is in our commercial best interests to work with others to ensure their customers are protected, and to work as a community for intelligence sharing and takedown. If one company finds something bad, and wants a ‘scoopable’ news story, they can have it. Just share the data with others, so we can all make sure our customers are protected. We don’t have to get frantic about every possible threat, but we can certainly focus on the major ones.

Is an industry code of ethics warranted? Perhaps, but in my view, we could simply start with promulgating industry best practices (codes of ethics, unless tied to some type of certification, are voluntary in nature anyway). I have found most security researchers to be honest, diligent folks who genuinely care about making the world safer. However, some may not be able to share data with competitors due to corporate policies, and they should not be in that position. Let’s start with an honest, frank discussion about what what’s good for all, and then perhaps what’s good for us will come naturally.



Latest articles:

Does malware based on Spectre exist?

It is likely that, by now, everyone in computer science has at least heard of the Spectre attack. Since many excellent explanations of the attack already exist, this article focuses on the probability of finding Spectre being exploited on Android…

EternalBlue: a prominent threat actor of 2017–2018

At the centre of last year's infamous WannaCry ransomware attack was an NSA exploit leaked by the Shadow Brokers hacker group, known as ‘EternalBlue’. The worm-like functionality of the exploit made a deadly impact by propagating to interconnected…

VB99 paper: Giving the EICAR test file some teeth

There are situations that warrant the use of live viruses. There are also situations where the use of live viruses is unwarranted. Specifically, live viruses should not be used when safer and equally effective methods can be used to obtain the…

Powering the distribution of Tesla stealer with PowerShell and VBA macros

Since their return more than four years ago, Office macros have been one of the most common ways to spread malware. In this paper, Aditya K Sood and Rohit Bansal analyse a campaign in which VBA macros are used to execute PowerShell code, which in…

VB2017 paper: Android reverse engineering tools: not the usual suspects

In the Android security field, all reverse engineers will probably have used some of the most well-known analysis tools such as apktool, smali, baksmali, dex2jar, etc. These tools are indeed must‑haves for Android application analysis. However, there…

Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.