Targeted Malware

Panel Proposal

Malware undermines trust in information systems. To a certain extent, our success as information system engineers can be measured in terms of the amount of trust that society puts in the systems we have built. Malware, therefore, threatens our success, hinders the acceptance of technologies, and could even potentially reverse the progress that has already been made. The situation is not purely technical. Improved technology can sometimes help (e.g., better software quality), but practical solutions to current and future problems with malware will likely involve a mixture of techniques from multiple areas.

For an example of successful deployment of new technologies despite the threats posed by malware, recall the rapid and successful proliferation of e-commerce and electronic banking in the 1990s. Personal computer platform security was worse in the 1990s than it is now, but nevertheless, PCs were pervasive and their presence in every home made them the obvious interface between people and the World Wide Web. The technology was by no means flawless and security incidents did arise. Success came for the businesses that understood the risks and managed them. Malware logged keystrokes and harvested passwords and sent them to criminals who exploited and/or sold this information. Banks took losses. Credit card companies took losses. Nevertheless, fortunes were made. A key realization was that we cannot afford to limit ourselves to scenarios that are completely securable. To do business online, somebody must accept some risk. The winning strategy did not come from pure tech people or from law enforcement or from financial managers or from marketing people. Success came from a harmony of all of these parts.

Today, the malware landscape is different. One new malware threat has emerged as a definite concern, namely, targeted malware. Instead of blanketing the Internet with a worm, targeted attacks concentrate on a single high-value target. Targeted malware presents new challenges. By introducing an element of social engineering, phishing and trojans have become very difficult for even sophisticated users to avoid. By employing zero-day exploits, targeted attacks on high-value targets can be undetectable even in closely monitored environments. What technological advances are needed to detect and prevent targeted attacks? How will a better understanding of user behavior and more effective legal mechanisms contribute to the development and deployment of such technologies?

The targeted threat exploits the reactive nature of most real-world security. Reactive prevention and reactive detection are useful for the masses, but fail to protect high-value targets. In this context, a case can be made for proactive techniques. What sort of proactive techniques need to be developed? What legal or economic changes would make proactive security more popular? Information sharing between untrusted sites is a proactive mechanism that can help each of the sites detect stealthy infections, such as those used in targeted attacks on high-value targets. What obstacles exist for such information sharing? What economic incentives and legal protections can be put in place to facilitate information sharing?

These are some of the questions that this panel will try to address. The panelists are a mix of representatives from industry and civil society, as well as academics. The panel will also reflect on the need to consider these questions from an interdisciplinary perspective, including law, policy, technology, psychology and economics. Finally, the panelists will also be asked to reflect on current and future research priorities in the area of privacy and security.