Malicious code: An ethical dilemma

Glenn Watt
Proceedings of 12th National Computer Security Conf., Baltimore, October 12, 1989, pp.542-546
October 1989

Maj. (Select) Glenn D. Watt, Jr., C321
National Computer Security Center Fort Meade, MD 20755

Introduction

In the early 1980s, the city of Cambridge, Massachusetts, voted to petition Harvard University to temporarily halt the construction of a very expensive laboratory for specialized genetics research. This action, initiated and supported by distinguished members of the faculty, recognized the potentially dangerous situation at hand. This example is typical of what professionals usually do when they encounter an immature technology. The information about the atomic bomb and other such devices also was tightly controlled by military professionals with an ethical standard that demanded control to assure the protection of the larger community. A technology equally dangerous to the national computer security community is malicious code. It is a problem that has crossed international borders, and threatens the integrity of every type of system from personal computers to supercomputers. In 1985 J.M. Carroll and H. Juergensen performed mathematical proofs showing that any current state-of-the-art time sharing, multiprogramming environment could not simultaneously support security and integrity without compromising protection, efficiency or both [1]. The National Computer Security Center's (NCSC) Trusted Computer System Evaluation Criteria (TCSEC) and Trusted Network Interpretation (TNI) guidelines do not specifically address viruses. In fact, the Internet Virus of 1988 might have propagated on a B2 system and perhaps even on an A1. Will technology alone solve the problem of malicious code? If not, how should we then compute?

The Problem

Malicious code can take the form of a virus, worm, Trojan horse, logic bomb or time bomb. No matter what the form, each piece of code needs a transport mechanism to move from one system to the next. In the past, most malicious code resided on bulletin board systems (BBS) or portable magnetic media. This would require an explicit download from a BBS or insertion of a previously contaminated floppy disk. Computer networks, however, have made this form of transportation obsolete. Malicious code now can be written and injected into the mainstream of computing without any human action required. The perception of the threat from malicious code is somewhat analogous to the past development history of the atomic bomb. Originally the atomic bomb needed a rather large bomber, and bombers could be shot down before they reached their targets. In 1957 the Soviets proposed the idea that guided missiles could be used instead of bombers. Then they launched Sputnik and demonstrated the potential capability. Now the world had a much more difficult situation because delivering the bomb had suddenly become easier and faster. Similarly, there was a period of time when computer professionals did not consider malicious code as serious a threat because the available transport mechanisms limited the speed and to some extent the amount of damage. In the computer security world now, however, malicious code is our atomic bomb and networks our guided missiles.

Should we freely and openly research this area in order to solve the problems of today, or limit open research until we better understand the situation and produce effective countermeasures? Perhaps a part of the answer lies outside of a technological framework and in an ethical one. Let's examine the issue of malicious code and what can be done to solve the problem.

The Effect

Three fundamental effects - economic, technological and psychological - form the foundation for a discussion on the results of executing malicious code.

Economic Effect: The economic influence of malicious code can be broken down into three basic components: checking for damage, analyzing the malicious code, and developing or installing fixes. Checking for damage can be no small chore. All systems software and associated data must be checked immediately. On a typical system that could take anywhere from hours to days, with eight hours being a good average. After sanitizing the system software, verification of user programs begins. Although usually accomplished by the end user, the effect is still the same - wasted time. After damage assessment, analysis of the code and installation of new safeguards begins. During a post mortem meeting on the effects of the Internet Virus of 1988, attended by government and academia, the cost of that malicious code incident alone was estimated at $2,000,000. Congressman Wally Herger, coauthor of H.R. 5061 "Computer Virus Eradication Act of 1988", sent a letter to the Information System Security Association stating there may have been 2500 malicious code attacks to date at a cost of $20 million.[2] The economic effect is real and is not cheap!

Technological Effect: Malicious code also affects technology in terms of software. Software such as the UNIX operating system grew to its current state largely because of the availability of source code in the early days. Source code was readily available throughout the V6, V7 and PWB UNIX releases. Many universities and research organizations modified it, shared it, and in a sense became responsible for its debugging and maturation. Along with the benefits of having open software came the requirement to use the information responsibly. Unfortunately, ever since its inception people have been trying to break UNIX systems. The reason is largely due to the fact that source code to the operating system was readily available and used in numerous universities to teach systems fundamentals. With an intimate knowledge of the operating system, security attacks are greatly simplified. In response the UNIX community made the operating system more secure by controlling the distribution of source code, and by implementing security features such as limited "root" login access. To some degree, control is due to the vendors' desire to standardize; however, security is playing a major role. However, it is distressing that future computer scientists may not have the learning experience of poring over the source code to a functioning operating system while in school. Perhaps the cost of training our next generation of systems software gurus will have to be borne by industry and government after hiring.

On the positive side, the technology of state-machine models is actually improving because of the threat of malicious code. The partial ordering known as simple security and the confinement property, set forth by Bell & LaPadula, established a provably secure mathematical model in 1973. Although still used as one model from which to develop secure systems, malicious virus code is promoting fresh looks at the model. The question must be asked whether A≥B, "A dominates B", doesn't actually promote the spread of viruses from lower security levels to higher ones. Malicious code is not only forcing this question to be asked, but also the correction of the security model if it is found to be flawed.
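An added illustration of the question raised above, not part of the original paper: a minimal reference monitor that enforces simple security (no read up) and the confinement property (no write down), followed by a walk over the accesses it permits to see where modified code can travel. The four levels, the subject and object names, and the assumption that reading a program includes running it are all constructed for the example.

```python
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def dominates(a, b):
    """A dominates B when A >= B in the ordering of levels."""
    return a >= b


def may_read(subject_level, object_level):
    # Simple security: a subject may read only objects it dominates.
    return dominates(subject_level, object_level)


def may_write(subject_level, object_level):
    # Confinement property: a subject may write only objects that dominate it.
    return dominates(object_level, subject_level)


# Constructed sample system: one user and one shared program per level.
SUBJECTS = {"user_u": Level.UNCLASSIFIED, "user_c": Level.CONFIDENTIAL,
            "user_s": Level.SECRET, "user_ts": Level.TOP_SECRET}
OBJECTS = {"prog_u": Level.UNCLASSIFIED, "prog_c": Level.CONFIDENTIAL,
           "prog_s": Level.SECRET, "prog_ts": Level.TOP_SECRET}


def integrity_exposure(origin, subjects=SUBJECTS, objects=OBJECTS):
    """Return (objects, subjects) that a modified `origin` can reach
    using only accesses the monitor permits, iterated to a fixed point."""
    bad_objects, bad_subjects = {origin}, set()
    changed = True
    while changed:
        changed = False
        # Any subject allowed to read a modified program may end up running it.
        for name, lvl in subjects.items():
            if name not in bad_subjects and any(
                    may_read(lvl, objects[o]) for o in bad_objects):
                bad_subjects.add(name)
                changed = True
        # A subject running modified code can alter whatever it may write.
        for name in bad_subjects:
            for obj, obj_lvl in objects.items():
                if obj not in bad_objects and may_write(subjects[name], obj_lvl):
                    bad_objects.add(obj)
                    changed = True
    return bad_objects, bad_subjects


if __name__ == "__main__":
    for start in OBJECTS:
        objs, subjs = integrity_exposure(start)
        print(f"{start}: objects={sorted(objs)} subjects={sorted(subjs)}")
```

Every permitted flow runs from a lower level to an equal or higher one, so the model keeps high data from leaking down but places no barrier in front of low-level modifications moving up, which is the integrity gap the paragraph asks about.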

Psychological Effect: The psychological effect is perhaps the most profound and yet the least addressed. According to university reports and this author's own experience, systems administrators, computer center directors and end users all become paranoid after a malicious code attack. Systems that may have gone for months without a backup suddenly receive undivided attention. Administrators who reveled in living dangerously become the vanguards of security. It has been said, "In order to assure a person gets the message, advertising has to be memorable."[3] Is there any more memorable way to get the security message across than to be the victim of a malicious code attack?

The use of an attack can best be described by the analogy of having a home broken into and robbed. Before the event, the residents feel safe and secure behind the locked doors and windows. After the event, shock sets in. The security factor vanishes in the stark reality that locks can be broken and windows opened. Most will install better security devices and fix the holes that are now apparent, but some, albeit a small percentage, will leave the area never feeling safe there again. In the computer security arena the same attitudes surface.

Most computer sites will recover from a malicious code attack, implement tighter security features and press on. Some, however, will not recover. They will restore their systems and decide that it just isn't worth being on a network, or using software of unverifiable origin. Although the cost, intellectually and financially, may be great they will not risk another attack. In this case the perpetrator has inflicted psychological damage.

The Internet Virus of 1988 provided an excellent example of the psychological effect. Soon after the detection of the virus, major sites throughout the net dropped off. Some managers went so far as to shut down the servers and actually pull the plugs! The result was devastating, but continued for an extended period of time. Even after many of the sites did return, many gateways were off. Now, managers should not be saying "damn the torpedoes (or viruses) full steam ahead." Quite the contrary, quarantine is a good approach to stop a virus. The psychological problem arises with sites that choose never to return, cancel plans to connect, or severely modify their functionality within the system. For example, one site has stopped receiving mail as a security precaution. In another situation, system managers implemented extreme measures to make sure their software was virus free.

These varied and far reaching influences are also steering the computer community toward a more permanent solution. That solution will involve both technology and ethics.

The Solution

Secure Computers and Computer Networks

A former Director of the National Security Agency, Lieutenant General USAF (Ret) Lincoln Faurer recently stated that "Only recently, with the advent of media reports about computer viruses and program tapeworms, have computer security issues taken on a higher and more appropriate visibility."[4] The Computer Security Act, signed by President Reagan early in 1988, provides another example of our society's growing demand for professional protection. The millions of computer users, growing at a rate of roughly 70% annually, are rapidly demanding protection. Admittedly, legislation, when used in conjunction with ethical leadership, supports an effective part of the answer, but not the entire answer. Secure computers and computer networks will play an important role in solving the malicious code security problem. Government and private industry are looking into secure network components for both local and long-haul networks. Research and development in this area must not only continue, but increase. New technologies that are developed and manufactured as a direct result of research, alongside well established data encryption, will provide a broad base of protection. The problem of the next decade, systems integrity and denial of service, will require systems that are secure both in data confidentiality and operation. Applying systems integrity and denial of service to computer networks turns a two dimensional problem into a three dimensional one. The problem has been portrayed as a bucket brigade trying to put out fires in several modern high-rise buildings. Fortunately, a great deal of work is currently being done in this area. A quick review of the proceedings of any security conference will verify just how much is being done in the technological part of the solution.

Ethical Leadership

According to a 1977 issue of the Harvard Business Review, legislation is an important part of influencing business practices, but ethical codes would have a greater impact on executives and corporations.[5] This is the other side of the issue. As professionals we must take an ethical stand and set an example for others to follow. Since the world is becoming increasingly dependent on computers and computer networks, we need to help in the establishment of a workable standard of ethics. Mr. Harry B. DeMaio, Information Security Products Manager for Deloitte Haskins & Sells, recently said, "The organizations to which we normally look for ethical leadership - church, school, government, home, the media - lack the technical knowledge, the budget, and even the awareness to deal with this subject in the electronic world of today and tomorrow."[6] Perhaps, because so few professionals have tried to combine both computer science and philosophical ethics, so little work has been done in this area. Nevertheless, it is imperative to develop a workable, consistent standard from which to operate. There are several steps that should be taken. First, if we are serious about the need for computer security, educating young engineers and scientists about the unacceptable ethics of exploiting weaknesses in computer systems or networks for financial gain or personal satisfaction must be a priority. College, and perhaps even high school, is an appropriate place to start educating our future engineers. Harvard Business School already has adopted this priority by announcing that all MBA students must take a 3 week course in ethics.[7] Most universities are requiring students to take some form of a computer course as a graduation requirement. Computer literacy is the desired goal, with some schools requiring a beginner's knowledge of programming. If a university devoted several classes during the course to computer ethics, perhaps the "wily hackers" of the campus crowd would be reduced. Having students simply study several existing codes, such as the ones included in this paper, would provide a basic framework about the behavior expected of computer professionals. For computer science and engineering majors, most universities encourage the students to experiment and expand their understanding on the hardware and software. There is nothing inherently wrong with this, unless encouraged without an ethical framework by which to judge what is right and what is wrong. Without that framework, the student soon discovers that non destructive malicious code can be a vehicle to personal recognition. The perpetrator, neither intending to nor actually destroying data, assumes no harm is done; however, because of the previously mentioned effects, that is simply not true. The cost is non zero and is indeed higher than most people, and some professionals, would expect. A portion of these costs are a direct result of inadequate standards of conduct.

Second, an ethical standard of conduct must start with ethical leadership. It begins with management and works its way down to the grass root engineer by enforcing what we already know to be proper. For example, how many sites do you know of that have illegal copies of software? If we can't even keep our own shops honest, why should we expect that of anyone else? In this example, a law governs what is right and what is wrong. Laws are a good place to start, but they only provide a minimum standard that must be adhered to. An ethical standard of conduct must go beyond the law. For example, considering it unethical, a surgeon will usually not operate on a family member. Under the law, both relative and non relative are equal, but the ethical standards by which the surgeon operates require the physician to restrict practice when it comes to family members. As a medical student, the future physician attends classes on medical ethics. As an intern, he gets on-the-job reinforcement of those ethics from older doctors. At some point the physician will, in turn, influence younger interns to adopt the medical ethics also. As computer scientists, we seem to avoid such non scientific issues. The computer science community has taken the time to write down codes of ethics. Now it is time to emphasize these codes in the workplace. Since disobeying an ethical code is not important until people accept that code as a standard by which to live, we need leaders who will teach and reinforce standards of conduct for computer professionals.

Third, professional societies, universities, government, industry, and religious institutions need to help in reviewing and upgrading existing codes to make them applicable and workable today. Over the years several good codes have been established[8]; however, when they were drawn up, malicious code was for the most part non existent. The Data Processing Management Association Code of Ethics (Appendix A) provides some of the strongest standards anywhere. Its members are encouraged by their obligation to society to protect the privacy and confidentiality of all information, insure that products are used in a socially responsible way, support, respect and abide by the appropriate local, state, provincial and federal laws, and not use knowledge of a confidential or personal nature in any unauthorized manner or to achieve personal gain. As an obligation to the employer, the member should not exploit the weakness of a computer system for personal gain or personal satisfaction. This code was endorsed in January of 1983. Some older codes of ethics, like the ACM and the IEEE standards, aren't as strong in the area of malicious code. This is not to say that their codes don't promote ethical computing. Both the ACM and the IEEE codes of ethics encourage their members to practice computer science and engineering in a dignified, professional manner. A review of these codes will show that the primary concern of each code of ethics was misrepresentation by its members to their employers and clients. Some preventative maintenance on these codes of ethics could bolster a professional attitude towards malicious code in a world that now encompasses personal computers, supercomputers and networks of computers.

Professional societies can develop stronger standards to encourage the regulation of a computer's use. They need to emphasize that research and experimentation is good, but doing it for the purpose of breaking security codes, denying service to other users, or somehow compromising system integrity should be strongly discouraged. Establishing a code will not assure compliance nor acceptance by every member, but the society in general will need to accept and promote the code before peer pressure will make it effective. "An ethic is esoteric until it is put into practice."[9] The Data Processing Management Association, ACM, and IEEE all have a good base from which to work, but developing an ethic is not the sole task of any one professional society. Ideas, suggestions and guidance must also come from universities, government, industry and religious institutions.

Government and industry can begin to promote the development of specific ethical standards for their computing employees. These ethical standards could be periodically emphasized in much the same way as EEO and sexual discrimination ethics are today. Government and industry also might follow the lead of Arthur Andersen & Co.,[10] who is funding a five year $5 million effort to promote and assist in getting ethics courses into graduate and undergraduate business schools. If government and industry could promote similar programs for science and engineering students, schools would be more amenable to offering computer ethics as part of a curriculum.

Churches can provide a source of direction not usually considered. Throughout history religious institutions have dealt with ethics and society. A study of history will show that religious leaders had answers to societal problems derived from a totally different source. Often they had the answers to injustices when no one else did. Unfortunately society had and has a tendency not to listen to them, because social problems aren't religious in nature. In retrospect, today we see that they really did understand the implications of a society's code of ethics. Church leaders have dealt with numerous ethical issues and should be consulted to examine the issues and provide input for computer ethics. An understanding of how malicious code affects the psychological aspects of another human being would be a good start for this institution. From an understanding of the effects, ethical codes could be written to deal with the cause. There can be no doubt that computer-based information is the new raw material of our present and future society. We must involve all elements of society in its safeguarding.

Conclusion

In the final analysis, computer professionals should recognize that ethical standards are equally important as technology when it comes to computer security and malicious code. An attack must be waged on two fronts. An interdictive ethical attack needs to be mounted as soon as possible to change attitudes. A change in computing ethics would weaken the supply line of new malicious code writers. In parallel, the technological efforts, which have been ongoing for some time now, must be fortified. A Pentagon commission report stated that research in the area of security was in a deplorable state, while at the same time others like Dr. Cliff Stoll emphasize that effective security must rest on a foundation of research.[11] In a broader sense, if research is the foundation of security, then ethical computing is the mortar that holds it all together.

References

  1. J.M. Carroll and H. Juergensen, Design of a Secure Relational Database, Proc IFIP/SEC 1985, pp. 1-15
  2. Wally Herger, Member of Congress, ISAA Access, Vol 2 Issue 1 p13.
  3. Dennis Poindexter, Security Awareness: Making It Happen, Proc. 11th National Security Conference, October 1988
  4. Lincoln Faurer, Building Secure Worldwide Communications Networks, Datamation Special Edition on Computer Security Issues & Trends
  5. Harvard Business Review, January-February 1977
  6. Harry B. DeMaio, The Information Ethics Issue: It's Time for Management Action, Datamation Special Edition on Computer Security Issues and Trends
  7. Edwin B. Heinlein, Corresponding Committee on Law and Ethics, ISAA Access, Vol 2 Issue 1 p15.
  8. DPMA Code of Ethics, (Appendix A), ACM Code of Professional Conduct (Appendix B), IEEE Code of Ethics (Appendix C)
  9. Douglas W. Johnson, Computer Ethics - A Guide for the New Age, p 115.
  10. Edwin B. Heinlein, Corresponding Committee on Law and Ethics, ISAA Access, Vol 2 Issue 1 p27
  11. Dr. Cliff Stoll, How Secure are Computers in the U.S.A. - An Analysis of a Series of Attacks on Milnet Computers, Computers & Security December 1988