Should there be an AV industry code of ethics?

2011-09-01

Alex Eckelberry

GFI Software, USA
Editor: Helen Martin

Abstract

‘“Doing good for all is good for business” – helping others protect their users makes all of us stronger.’ Alex Eckelberry, GFI Software


We see it all the time: a major magazine publishes a sensational story about a new nasty which threatens our existence; a researcher presents data at a major conference about a new threat; a company presents the inner workings of a group of black hats. The news machine grinds on it, while at the same time, a flurry of emails passes between researchers who are trying to gain more information on this ‘threat’.

This is how the game is played. But recently, a number of security researchers have been questioning ‘business as usual’, and considering the industry’s responsibility to share threat information with others. In other words, if we see something bad happening, what is our responsibility to do something about it?

It’s worth noting that it is not uncommon for members of various security communities to share data, so at least other companies can protect their own customers, as well as collaborate on garnering further intelligence and even coordinate takedown efforts.

However, it appears that we may still be dealing with a lack of cooperation by a few on some major issues – perhaps due to issues of sharing data with competitors, non-disclosure agreements, or even defeatist ideas such as ‘it doesn’t really matter what we do anyway’.

Perhaps it’s time that the security industry as a whole – not just the AV community – had a frank and open discussion about what our responsibilities are in protecting the community at large, in addition to promoting our own commercial interests. It’s not an argument for ‘malware welfare’ – big, well capitalized companies sharing data with lesser capitalized companies. The fundamental issue is one that revolves around the need to make the Internet safer, rather than just pulling chips off the table.

The issue transcends a moral one that ‘we have some duty to give back to the market if we’re making money from it’. That’s certainly a laudable imperative for many of us in the industry. However, I would argue toward a concept of enlightened self-interest, which could crudely be distilled as ‘doing good for all is good for business’ – helping others protect their users makes all of us stronger.

For example, spreading fear, uncertainty and doubt (FUD) among users, and then not doing what we can to make the Internet safer creates unintended consequences – we strike terror into the minds of users, and they demand solutions. This inevitably leads to politicians frantically trying to ‘solve the problem’. More political action to ‘regulate the dangers’ is certainly not something about which many of us are sanguine.

My concern is that if we don’t do what we reasonably can to keep the Internet clean, we will have regulatory agencies deciding to do it for us. Furthermore, users already distrust the security industry, and not working together to make the Internet safer will only lead to more scepticism. Finally, we know that having even a relatively small number of end-users that are unprotected against a threat can cause plenty of trouble for the rest of us. ‘Every man for himself’ is a losing strategy in the long term.

If we see something really bad, I would venture that it is in our commercial best interests to work with others to ensure their customers are protected, and to work as a community for intelligence sharing and takedown. If one company finds something bad, and wants a ‘scoopable’ news story, they can have it. Just share the data with others, so we can all make sure our customers are protected. We don’t have to get frantic about every possible threat, but we can certainly focus on the major ones.

Is an industry code of ethics warranted? Perhaps, but in my view, we could simply start with promulgating industry best practices (codes of ethics, unless tied to some type of certification, are voluntary in nature anyway). I have found most security researchers to be honest, diligent folks who genuinely care about making the world safer. However, some may not be able to share data with competitors due to corporate policies, and they should not be in that position. Let’s start with an honest, frank discussion about what what’s good for all, and then perhaps what’s good for us will come naturally.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

VB2018 paper: Office bugs on the rise

It has never been easier to attack Office vulnerabilities than it is nowadays. In this paper Gabor Szappanos looks more deeply into the dramatic changes that have happened in the past 12 months in the Office exploit scene.

VB2018 paper: Tracking Mirai variants

Mirai, the infamous DDoS botnet family known for its great destructive power, was made open source soon after being found by MalwareMustDie in August 2016, which led to a proliferation of Mirai variant botnets. This paper presents a set of Mirai…

VB2018 paper: Hide’n’Seek: an adaptive peer-to-peer IoT botnet

This paper presents a thorough analysis of the inner workings of Hide’n’Seek, a peer-to-peer IoT botnet discovered in January 2018. With an exploit table that can be updated in memory and modular in its approach, Hide’n’Seek gives us a glimpse of…

Botception: botnet distributes script with bot capabilities

Researchers Jan Sirmer and Adolf Streda describe the branch of the Necurs botnet that they have been monitoring, the changes it has undergone in the course of a year, and present an analysis of the next stage of the attack: Flawed Ammy.

VB2018 paper: Since the hacking of Sony Pictures

Minseok (Jacky) Cha describes various attacks in Korea which occurred after the Sony Pictures hacking incident and which are suspected to be the work of the same group, the Lazarus Group.


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.