Should there be an AV industry code of ethics?

2011-09-01

Alex Eckelberry

GFI Software, USA
Editor: Helen Martin

Abstract

‘“Doing good for all is good for business” – helping others protect their users makes all of us stronger.’ Alex Eckelberry, GFI Software


We see it all the time: a major magazine publishes a sensational story about a new nasty which threatens our existence; a researcher presents data at a major conference about a new threat; a company presents the inner workings of a group of black hats. The news machine grinds on it, while at the same time, a flurry of emails passes between researchers who are trying to gain more information on this ‘threat’.

This is how the game is played. But recently, a number of security researchers have been questioning ‘business as usual’, and considering the industry’s responsibility to share threat information with others. In other words, if we see something bad happening, what is our responsibility to do something about it?

It’s worth noting that it is not uncommon for members of various security communities to share data, so at least other companies can protect their own customers, as well as collaborate on garnering further intelligence and even coordinate takedown efforts.

However, it appears that we may still be dealing with a lack of cooperation by a few on some major issues – perhaps due to issues of sharing data with competitors, non-disclosure agreements, or even defeatist ideas such as ‘it doesn’t really matter what we do anyway’.

Perhaps it’s time that the security industry as a whole – not just the AV community – had a frank and open discussion about what our responsibilities are in protecting the community at large, in addition to promoting our own commercial interests. It’s not an argument for ‘malware welfare’ – big, well capitalized companies sharing data with lesser capitalized companies. The fundamental issue is one that revolves around the need to make the Internet safer, rather than just pulling chips off the table.

The issue transcends a moral one that ‘we have some duty to give back to the market if we’re making money from it’. That’s certainly a laudable imperative for many of us in the industry. However, I would argue toward a concept of enlightened self-interest, which could crudely be distilled as ‘doing good for all is good for business’ – helping others protect their users makes all of us stronger.

For example, spreading fear, uncertainty and doubt (FUD) among users, and then not doing what we can to make the Internet safer creates unintended consequences – we strike terror into the minds of users, and they demand solutions. This inevitably leads to politicians frantically trying to ‘solve the problem’. More political action to ‘regulate the dangers’ is certainly not something about which many of us are sanguine.

My concern is that if we don’t do what we reasonably can to keep the Internet clean, we will have regulatory agencies deciding to do it for us. Furthermore, users already distrust the security industry, and not working together to make the Internet safer will only lead to more scepticism. Finally, we know that having even a relatively small number of end-users that are unprotected against a threat can cause plenty of trouble for the rest of us. ‘Every man for himself’ is a losing strategy in the long term.

If we see something really bad, I would venture that it is in our commercial best interests to work with others to ensure their customers are protected, and to work as a community for intelligence sharing and takedown. If one company finds something bad, and wants a ‘scoopable’ news story, they can have it. Just share the data with others, so we can all make sure our customers are protected. We don’t have to get frantic about every possible threat, but we can certainly focus on the major ones.

Is an industry code of ethics warranted? Perhaps, but in my view, we could simply start with promulgating industry best practices (codes of ethics, unless tied to some type of certification, are voluntary in nature anyway). I have found most security researchers to be honest, diligent folks who genuinely care about making the world safer. However, some may not be able to share data with competitors due to corporate policies, and they should not be in that position. Let’s start with an honest, frank discussion about what what’s good for all, and then perhaps what’s good for us will come naturally.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

Alternative communication channel over NTP

Nikolaos Tsapakis explores Network Time Protocol (NTP) as an alternative communication channel, providing practical examples, code, and the basic theory behind the idea.

VB2018 paper: Under the hood: the automotive challenge

In an average five-year-old car, there are about 30 different computers on board. In an average new car, there are double that number, and in some cases up to 100. That’s the size of network an average SMB would have, only there’s no CIO/CISO, and…

VB2018 paper: Android app deobfuscation using static-dynamic cooperation

Malicious Android applications are quite common, and can even be found from time to time in the Google Play Store. Thus, a lot of work has been done in both industry and academia on Android app analysis, and in particular, static code analysis. One…

VB2018 paper: Anatomy of an attack: detecting and defeating CRASHOVERRIDE

CRASHOVERRIDE is the first publicly known malware designed to impact electric grid operations. Reviewing previously unavailable data covering logs, forensics, and various incident information, in this paper Joe Slowik outlines the CRASHOVERRIDE…

VB2018 paper: The modality of mortality in domain names

Domains slated for abusive uses are effectively disposable: they are registered, quickly abused for cybercrime, and abandoned. In this paper Paul Vixie describes the first systematic study of domain lifetimes, unravelling their complexities and…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.