Maxim Weinstein’s blog

Last post related to Epidemic!: The World of Infectious Disease edited by Rob DeSalle.

• “Different cultures perceive disease differently,” and “Successful control of that disease requires understanding these differences.” [p. 155] At StopBadware.org, we’re seeing this as we try to understand how and why malware is perceived differently in China than in the U.S. and Europe.
• The only way to control global epidemics is to integrate public health concepts into every aspect of society (health delivery, education, urban planning, agriculture, industry, etc.) and for nations, industries, etc., to coordinate their efforts with each other for surveillance, monitoring, and response. [p. 168] There are definitely some aspects of this happening in the IT security world, such as the recent coordinated DNS patch response, but far more needs to be done.
• At a more local level, an essay in the book describes New York City’s efforts to combat TB and AIDS via a coordinated local response including public education campaigns, free clinics, needle exchanges, etc. [p. 171-175] Can we learn from this? What about free “get your PC checked for up-to-date patches and security software” clinics? Coordinated, extensive public awareness campaigns? Free anti-malware software provided by government agencies?

This entry is part of a series. See the introduction for more information.

• Assembling the flu vaccine is an international effort, coordinated by the World Health Organization. [p. 106] Should there be a World Health Organization for malware to coordinate research efforts across countries/vendors? In a sense, that’s one of the reasons StopBadware.org is here, to help address at an international level something that doesn’t really work within borders, but we aren’t currently in a hands-on coordination role. Should we be?
• On a similar note, the Epidemic Intelligence Service (part of the U.S. Public Health Service), in which my father served during Vietnam, was built to be a rapid response team for biological warfare attacks. While it fortunately didn’t have to be used for that purpose, the government did a great job of building an aura of intrigue and excitement around these “medical detectives” and sent them out in teams to help with local public health issues. [p. 120] I guess US-CERT is the cyber security equivalent, but I’m not convinced that the Dept. of Homeland Security, which runs US-CERT, has been as successful in building the team’s reputation or making it a “best of the best” team like the EIS was.

This entry is part of a series. See the introduction for more information.

• Clinical trials are critical to understanding diseases and effects of immunizations. [p. 95] How cool (albeit expensive) would it be if we could do clinical trials of new anti-malware software? I could imagine a third-party company enlisting a bunch of computer techs/consultants to install the software and then check back with the user and computer a few times to look for signs (observable evidence) and symptoms (user-reported evidence) of malware infection and “adverse events.” The hard part would be making it controlled and double blind, though having some sort of control (e.g., the free Microsoft protection or an older, established product) might be possible.

This entry is part of a series. See the introduction for more information.

• The term “portals of entry” refers to the means in which a microbe enters the body. [p. 79] Malware researchers tend to use the term “vulnerability.”
• A big difference between epidemiology and malware research is that in epidemiology, a pathogen is defined as something harmful to the host. In contrast, malware may be harmful to the host PC, to the PC’s user, and/or to remote PC or network systems. And, for that matter, it’s not clear that something like a spam bot would even be considered “harmful,” at least not in the form of creating symptoms or damage.
• Some viruses attack specific target cells, much as malware attacks specific software [p. 85]

This entry is part of a series. See the introduction for more information.

I just noticed that Google.org, the philanthropic offshoot of Google, has as one if its initiatives “Predict and Prevent.” Currently focused on emerging infectious disease, it’s more generally intended to “use information and technology to empower communities to predict and prevent emerging threats before they become local, regional, or global crises.” Hmm, maybe if I develop this Internet public healthy analogy a bit more, I can get them to fund some research.

More thoughts while reading Epidemic!:

• The public health field uses the term “non-vector-borne diseases” to refer to those that spread directly from infected host to infected host, such as HIV/AIDS, and “vector-borne diseases” to those that are carried by mosquitoes or other “vectors.” [p. 60] In contrast, the malware world always refers to the mechanism of infection (e.g., e-mail, IM, web, network) as the vector.
• Virulent pathogens (those that kill their hosts) have to use techniques to enhance their survival, since their hosts won’t be around to continue harboring them. These include multiplying faster within the host, spreading faster to other hosts, and infecting as many hosts as possible. [p. 61] The same would have to be true for a computer-based infection to survive if it was cannibalizing its own host machines.
• How common are “infectious” malware diseases? How exactly do we define “infectious?”
• Patient history is the most important diagnostic criterion. How do we collect accurate PC or user history? [p. 69]
• PCs to a large extent are not self healing and do not produce antibodies like the human body. This is a significant difference in thinking about how we treat malware.
• In fighting infectious disease, prevention and making preventative care affordable are key. [p. 73] In fighting malware, the issue is less about affordability and more about education and making the right tools available to users in an easy-to-use way.
• Mary Wilson is a researcher at the Harvard School of Public Health who focuses on global patterns of infectious disease. [p. 74] It might be interesting to see if she has any perspective on the parallels and contrasts between infectious disease and malware.

This entry is part of a series. See the introduction for more information.

To begin my exploration of the public health field, I headed to my local library and picked up Epidemic! – The World of Infections Disease, edited by Rob DeSalle. This collection of essays by epidemiology researchers is intended to introduce the layperson to the field. Here’s what I’ve learned and asked myself through the first 60 pages:

• Infectious diseases often depend upon their host remaining alive in order to spread. The same is true for “infectious” malware (which probably refers more to worms and other self-replicating code than to drive-by downloads, which seem more like chemical weapons). After all, if a worm causes its host machine to stop functioning (or for someone to shut it down), it won’t spread.
• The malware world already uses some terminology from epidemiology: hosts, vectors, infections, viruses, etc. One term that we don’t use is “reservoir,” which refers to the location where an organism lives (and in some cases multiplies) before infecting a host. This seems like it could be a good way to describe websites that have bad code residing on them but are not actually infected with the malware themselves.
• A given infectious disease exists in a particular cultural & ecological context. [p. 33] In other words, disease is dependent upon favorable conditions. This applies to malware, too. The mass mailing worms earlier this decade, for example, were only successful due to the large, interconnected population of Outlook users willing to open unknown messages.
• Some of the conditions that make us susceptible to infectious disease include our internal balance being of, our ecosystem changing, and traveling to a different ecosystem. [p. 40] Many parallels there, and it raises the question: what are the conditions that make us susceptible to malware infection?
• Diversity within an infectious species helps it to adapt and survive [p. 49], much like a mutating computer exploit is able to evade many traditional defenses.
• “Motivating appropriate human individual behavior and constructive action, both locally and on a larger scale, is essential for controlling emerging infections. Ironically, as AIDS prevention efforts have shown, our knowledge of human behavior remains one of the weakest links in our scientific knowledge.” –Steven S. Morse [p.55] There’s no question that understanding the human behavior side of things (esp. with regard to social engineering, but also to protecting systems, etc.] is critical to solving the malware problem.
• It’s not uncommon in epidemiology for a previously undetected infectious agent, once it is detected, to be viewed as an “emerging threat,” when in reality, it may have been there a lot longer than we realized. [p. 55] I wonder how true this is in the malware world. My inclination is to think it doesn’t apply all that much. (It does for vulnerabilities, but I’m not sure it does for the malware itself.)
• Diseases sometimes reemerge due to lax controls once the previous outbreak seemed controlled. [p. 56] We’ve seen this at times in the malware world, but one of the common solutions to an “infectious outbreak” of malware is “immunizing” the systems to that malware through patching or definition updates, so we don’t often see the same malware attack again in the same way.

Note: I’ve included page numbers from the book for my own ability to refer back and for the benefit of anyone else who might pick it up. These references do not include the author and essay title, so I wouldn’t suggest using these as citations in school papers or published works.

This entry is part of a series. See the introduction for more information.

As manager of StopBadware.org, a project of Harvard’s Berkman Center for Internet & Society, I spend a lot of time thinking about malware: viruses, trojans, drive-by downloads, and the like. I’ve recently been interested in the idea of applying lessons from the public health arena to the malware world. It turns out that this is not a new idea. Back in 1993, researchers from IBM published a paper called “Computers and Epidemiology.” In 2004, Kim Zelonis at Carnegie Mellon presented a master’s thesis on the topic. At UCSD, there is an entire research center called “The Collaborative Center for Internet Epidemiology and Defenses.” And StopBadware’s own principal investigator, Jonathan Zittrain, uses language like “understanding the health of the network” when describing the goal of our work.

OK, so I’m not a revolutionary. But it does seem like this is an area with a lot of unrealized potential. So, I’ve decided to start reading up about public health. I’ll start with really basic primers and try to focus especially on epidemiology, community health education, and biowarfare, as these seem like obvious areas with overlap into the malware realm. I’ll blog my progress here, so if you’re interested, feel free to learn along with me as I delve into what one might call “Internet public health.”