More about malware ethics and AMTSO
Posted by Ed in Analysis on Jul 2, 2010

So if you don’t keep up with this stuff, there’s been some interesting discussion going on in the blogosphere having to do with the AMTSO, malware testing, and so forth. The interwebs are all a-twitter with hot debate.
As some background and context, I recommend checking out NSS Labs’ excellent post, David Harley’s responses to the crazy ranting of yours truly, Kevin Townsend’s well-articulated viewpoint, and Kurt Wismer’s reasoned rebuttal.
Whew. That’s a lot of text about this humble topic! Anyway, for today (since it’s a Friday), I’m not going to get all down into the nitty-gritty of all of the excellent points made by others (on both sides of the issue), but I do want to spend just a minute or two on the ethical question of malware creation. Given all the discussion going on, I feel it valuable to add the proverbial two-cents.
Namely, is it ethical (big word, that) to create new malware for the purposes of testing? Or, more relevantly, is it ethical to create new malware for any research purpose. I argue that it is. Others argue that it is not.
Now before we get into the pros/cons, let me say that all of the folks debating this are on the same team – nobody is advocating that bad guys should have free rein to create malware for nefarious purposes like h4x0ring the Interwebs - everybody agrees that’s not good. Instead, the issue centers around whether it’s ethical for a scientific institution (be it education, public sector, or industry) to create malware for testing, education, or research under defined, “safe”(r) parameters. Those on the “don’t do it” side argue that the risks outweigh the benefit; those on the other side argue that the benefits outweigh the risks.
Clearly there are risks associated with malware created for research purposes. We know, for example, that creating malware, even with the best of intents, can have undesirable impacts when it escapes the confines of the lab. So that’s not good. But what if safety measures are put in place so that it doesn’t escape? Or so that – if it does escape – nothing bad happens (to the extent that we can control that)? Is that bad? Kurt Wismer says it is:
For starters i can’t believe that after all these years people are still getting bent out of shape or trying to read ulterior motives into the ‘no malware creation’ rule. it’s one of the oldest and most fundamental ethical principles in the anti-malware community. if people found out that the CDC was creating new diseases they’d be up in arms – worse still if one of those new diseases got out (something which has happened in the malware world) – but in the case of the anti-malware community outsiders assume it’s because everyone in the anti-malware community has vendor ties and the vendors don’t want to look bad in tests. we’re not talking about the ‘we mostly frown on malware except when it’s useful to us’ community, it’s the ANTI-malware community. you can’t really call yourself anti-X if you go around making X’s. that would just make you a hypocrite.
Kurt makes good points. But I don’t think that the creation of malware for research purposes necessarily has to contradict what Kurt says here. There are two reasons – one is pragmatic, the other philosophical. The pragmatic counter-argument has to do with the analogy to real-world diseases. It turns out that biologists do, in fact, create new diseases for the purpose of advancing research. For example, biologist Craig Venter (funded by the DoE) created a bacteriophage (a virus that infects bacteria). In that case, bioethicists argued that the benefits outweighed the risks:
Does the potential for good that new life forms may have outweigh the harm they could do? Arthur Caplan, who heads the University of Pennsylvania’s Center for Bioethics, says yes. This technology “is impressive. It’s powerful and it should be treated with humility and caution,” Caplan says, “But we should do it.”
So this is OK in the physical world according to (some) bioethicists. I’m sure some would disagree, but it’s clearly not universal outrage. As for me, I’d argue that creating actual physical pathogens in the lab is riskier than creating their digital counterparts.
The second argument is a philosophical one based on Kierkegaard’s Fear and Trembling. Kierkegaard suggested what he calls a Teleological Suspension of the Ethical – the argument basically boils down to ethics being relative; a “bigger” win ethically trumps a smaller questionable action:
Let us imagine that a man named Bob walks into a bank to make a deposit. While he is at the counter five robbers rush into the bank and overtake all the people. As this hustle and bustle goes on, Bob spies that a young girl has ducked into a broom closet for safety. The robbers, unfortunately, have killed everyone in the bank except Bob and the small girl. The head robber approaches Bob and puts this question to him, “Is there anyone else alive in the bank, because if there is we are going to kill them?” Bob answers swiftly with an “ethical” “No.” The robbers loot the vault and escape. Now we ask, was Bob’s statement breaking any commands of God? Norman Geisler answers this in his “Christian Ethics” with a profound “No”. He directs us to say that the situation, Bob having to answer a murderer, does not oblige us to tell the truth. Thus, Bob did the right thing and saved a life, and the lie “did not count.”
In the example, lying is unethical, but because it was done to save a life, the unethicalness of it was “suspended” because of the bigger win. I think malware creation is similar: creating malware could be unethical in some circumstances. But the unethicalness of it is “trumped” in a research context because of the interests being served: better security for the industry.