In the Nineties I set out in my book Virus Creation Labs to tell some of the story of the anti-virus industry. As part of the job, its programmers were always keen to discover the identity of virus-writers, and they became good at it. Now they have hard news that the US government, one of their clients, has been writing computer viruses they have to treat.
From the New York Times today: (Google it)
Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the [Stuxnet] cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that.
The old anti-virus industry found that tracking down some of the virus writers was easy work. The original hackers who wrote them often revealed themselves, anyway. They liked to brag about it. There was no thrill in the activity if people who knew about viruses didn't know they were yours. Since there was no money in it back then it's easy to grasp the motivation.
Sometimes it took more analysis of code on the part of the industry to narrow it down to one individual, perhaps unnamed but recognized as the programmer.
With the US government now exposed as involved in virus-writing there are different pullers at work in exposing the perpetrators of the operation.
An anti-virus company may depend a great deal on government contracts. So what to do, what to do, when malware inevitably crawls into non-target computers in non-designated-enemy nations and your analysts and coders have a good idea of who's behind it?
You develop an antidote and distribute it to everyone. But do you spill the beans? You have a conflict of interest, moral and ethical hazard. Doing the right thing might cost business.
Or if you're a security company not in the US does it matter at all? You know who's behind the attacks and you have a nice story to tell based on your pulling apart viruses. Lots of people might want to hear it.
Be the whistleblower.
Virus-writers, professional or amateur, criminal or state-operated, don't operate in a vacuum. No matter how classified or expert they think they are, they make mistakes. The code is never perfect. As the complexity of an operation rises so does the potential for error.
Do the state's virus writers go to anti-virus conventions? Do they chat it up with the industry as virus-writers from many, many years ago did?
The anti-virus industry knows. Perhaps some have held their tongues even though they don't wish to.
Is American virus-writing outsourced, in part or in toto, to arms developers or other small businesses doubling as cybersecurity vendors?
When I wrote Virus Creation Labs there was always a small but hard-headed segment of people in information technology (and the computer savvy public) who believed anti-virus companies wrote viruses to help their businesses.
There was never any evidence of it. In fact, it was a ludicrous idea as there was never a shortage of virus writing and distribution.
In the late Eighties a small operation of the US Army made an offer looking for virus-writers. It was met with opprobrium in the industry as well as general computer security circles. Nothing appeared to come of it although the publisher of my book claimed he had worked for a US military operation in NATO on the production of viruses. (He wrote many viruses for all his books on the subject, too.)
There is much more money in virus-writing now. And there is no reason to believe the national security companies, particularly those with government contracts in defending against cyberwar, don't also want to be on the offensive side of the business.
They would love to write malware for Uncle Sam for taxpayer moolah. Some would view it as fun, too, just like the old timey amateur virus-writers.
And the opportunity for early sales pitching is there. The cyberwar hype machine has been operating for so long the pump is primed in national leaders who don't delve very deeply into these things. Many believe all the wild claims about cyberwar. If someone offers them malware options in attacking an enemy they will take it. And now it is known they have done so.
So when your secret war using malware is no longer secret, what is to be done? Is malware just like lobbing tear gas rounds or random cluster bombs with 'made in some company in the USA' clearly embossed on some of the parts, only much less violent and directly hazardous to civilians?
If political leaders openly speak about how cyberwar threats can put lives at risk in the US what's the difference when we're caught doing it to someone else? Shouldn't the president appear to be more thoughtful in such affairs rather than someone giving the OK to screw up trust on the Internet even more for the sake of harassing a pariah country? Do you think it might have been better if someone not in government or the military or intelligence had explained to him how computer viruses work?
Will the worldwide computer security industry work to expose and defeat, say, US cyberwar operations even more vigorously just as it pursues botnets and the work of cybercriminals? Will they now begin to spill the beans when the trail leads right back to a western government office?
Will they let us know when they have suspicions that some employees who've either worked for them or become 'friends' appear to have advanced the next step of their career in state-sponsored virus-writing?
Will diminishing returns now be a part of state-sponsored virus-writing? That is, is the US government's virus-writing operation impeded now that the cat's out of the bag and everyone knows it's doing it?
Or do people not care? Just another day of bad business as usual on the Internet. And so what if it was against Iran? They had it coming and it's better than bombing. And we always trust our guys, anyway. Not a chance of a reliability problem or a crazy Bruce Ivins among 'em.
Just don't be in the wrong country or line of work. And if it splattered onto you in ... Hungary? Well, ha-ha, oops! Sorry 'bout that. Couldn't be helped. Contact the American consulate.