The industry who cried wolf
The industry who cried wolf

Malware is mostly created as a tool for gangsters to steal people's identities or a company's data and to use their computing power to amass a giant army to send emails hocking ‘male enhancement' pills.

Do we really need to concoct stories more fantastic and bizarre than this to get media interest? Evidently we do, judging by an article about a new version of Stuxnet.

While I don't discount the prospect of countries exploring or exploiting the possibility of offensive cyber warfare capabilities, it's simply ridiculous the way these threats are sometimes reported. The moment a writer points the finger at CEOs of major corporations as creators of malware, I just have to roll my eyes.

These insane, conspiratorial claims seem to justify the continued misperception that anti-malware companies are creating threats to pump up demand for their product, rather than accepting that neither CEOs nor security researchers have enough time to create malware.

I understand as well as anyone that reporters will ignore a story if there isn't some sexy, apocalyptic angle or dramatic facts. I also understand that many media outlets prefer a ‘shock and awe' approach to reporting in order to capture readers' attention. But there are technology reporters who manage to make a positive difference by covering sensational and demonstrably factual stories about malware.

I also understand the pressure anti-virus vendors feel to keep customers informed. People can get quite angry if they feel you're holding back information about threats other vendors are calling dangerous. It is a very tricky thing to be perceived as a valuable service or product while not crying wolf about every last threat that crosses your plate. But the best researchers do manage to do walk this tightrope.

In the case of Stuxnet and a new Trojan called Duqu (which were initially considered to be targeting Iranian nuclear facilities),international cyber warfare is one possible explanation, in the same way that any conspiracy theory is a possible explanation. But possible is not the same as likely. Would it not make at least as much sense that the motivation is financial, given the existing infrastructure in the ‘malware industry'?

Malware authors have used targeted attacks to gather companies' financially useful information for years. Some malware just happens to be more common in certain locales, not necessarily by design but due to certain peculiarities of software localisation or dependency on certain local software. Sabotage or espionage could just as easily be explained as blackmail by malware gangs as international cyber warfare.

I don't see the positive gain in spreading these fantastic tales. Beyond sounding ludicrous and conspiratorial, pointing the finger at shadowy government agents directs attention away from the possibility of doing something that might actually curtail the operations of real malware authors. It's unlikely that enough evidence could be gained to stop governments from causing cyber-mayhem, but if it's caused by a group of ordinary citizens, it is theoretically possible they could be arrested. Simply put, spreading unsubstantiated rumours is not ethical journalism.

In the end, I don't expect that this sort of inflammatory article will ever cease, nor do I expect that demand for them will either. I hope only that more readers will view these claims with discernment and scepticism.

Lysa Myers is director of research at West Coast Labs