The Virtue and Vice of Malware: A Prediction

I’m frustrated. There is so much cool stuff happening in the world right now, and almost none of it involves the law. Let me preach on it.

As I was looking for inspiration for this week’s post, I came across a fascinating website: www.phys.org. It’s a newsfeed for breaking information on the advancement of scientific knowledge. Now, because I’m a nerd, I love science-y things. However, in the interest of fair disclosure and embarrassing myself, I must admit that most of my scientific knowledge—at least these days—comes mainly from two sources. One of those sources is Morgan Freeman, courtesy of his TV show, “Through the Wormhole.” The other is Dr. Sheldon Cooper, courtesy of his TV show, “The Big Bang Theory.” You may now color me ashamed.

Phys.org is a great resource because it not only posts information about real scientific achievement, but more importantly, it’s written in such a way that even a scientific tyro like myself can understand the significance of the work that’s being done. Which is an incredible achievement in its own right. Let me give you a taste of its content. As I’m writing this post, the articles on Phys.org include “Scientists watch proteins self-assemble,” “Revealed: Secret of HIV’s natural born killers,” and “Nanotechnologists develop a ‘time bomb’ to fight cardiovascular disease.” Wow. And those are a selection of articles from just today. So like I said, in the scientific world, there are brilliant, beautiful minds making significant contributions in furtherance of alleviating the human condition. And that is truly inspiring.

And then there’s the law. Regrettably, it seems that the only interesting thing happening in my world is that Zach Morris just started Season 2 of “Franklin & Bash.” So take that, science.

Anyway, there’s one story trending right now in the scientific world which is not only utterly fascinating, but also has real-world implications for the law, litigation, and the integrity of the judicial process. You may recall that last year, the Republic of Iran discovered that its nuclear weapons facilities had been infiltrated by “Stuxnet.” Stuxnet is computer malware designed to subvert industrial systems, particularly, certain data systems that control and monitor uranium enrichment infrastructure. Essentially, Stuxnet was destroying Iran’s efforts to enrich uranium, which is necessary for developing nuclear weapons, all while reporting that everything was a-ok.

And it had been doing this for years.

I don’t care who you are. That’s really, really cool.

No one’s really sure who conjured up Stuxnet. But whoever did it decided that the only thing better than planting one insanely complex malware application with the Iranians was planting three of them. Stuxnet was followed up by Duqu, awesomely named after a dark Jedi master from the Star Wars universe. Whereas Stuxnet thwarted industrial processes, Duqu captured data—such as keystrokes—and secretly transmitted it back to whatever third party was listening.

Then, at the beginning of June, the world learned about Flame, yet a third malware application targeting Iran’s nuclear ambitions. Flame was Duqu’s more aggressive younger brother. Like Duqu, Flame was designed to collect and transmit data about Iran’s industrial processes, but was apparently also able to collect a vast amount of electronically stored information, such as email and voice messages. Then, once Flame was discovered, a “suicide” command was sent out which caused Flame to not only erase itself from every computer it had attached itself to, it also bombed those computers in such a way as to make impossible any forensic analysis about what data was transmitted and to whom it was sent.

If you’re not impressed by any of this, then you need to stop reading this blog immediately and check your pulse, because you are, in fact, clinically dead.

The folks who are reporting about the awesome triumvirate of Stuxnet, Duqu, and Flame insist that, due to their level of sophistication (and the expense associated with development and deployment), only a government would have the resources to craft such powerful cyber-weapons. And that’s probably true. But there are two things to keep in mind. First, in our technologically empowered world, both the virtue and vice of cybernetics are the relatively low barriers to entry. Theoretically, anyone with a talent for programming and access to a computer can play the game. Second, the circumstance with Iran provides proof of concept for what malware like Stuxnet, Duqu, and Flame can do.

Now let’s bring that malware to the legal world. The implications are alarming. Although the resources necessary to craft Stuxnet, Duqu, and Flame were significant, we must anticipate that the cost to reproduce them will be substantially cheaper. Indisputably, there’s tremendous incentive to use these types of malware in civilian contexts. The information that could be covertly discovered would be invaluable. Maybe it comes in the form of corporate espionage between business competitors. Maybe it comes in the form of law firms, locked in contentious, high-stakes litigation, trying to discover information in another’s possession that would otherwise be protected from disclosure by privilege. Maybe it comes in the form of a litigant with a case pending before the Supreme Court, anxious to learn about the course of discussions among Justices and what decision may ultimately be issued. The possibilities are endless, but the market value of the inside information is undeniable.

Historically, the disincentive to attempting such espionage has been the risk of capture. As you might expect, the law frowns upon the use of electronic means to commit fraud, and usually rewards such efforts with the imposition of stiff fines and a lengthy stay in one of the nation’s finest federal penitentiaries. I hear Atlanta has a nice SuperMax.

But bear Flame in mind. Once discovered, a suicide command was executed that erased—permanently—any ability to trace its fingerprints. This sets up the possibility that a corporation’s or government’s confidential information could be stolen, and there would be no way to track down the identity of the thief. It’s the perfect crime, in the sense that the perpetrator could get away scot-free.

Oh, well. Like I said, lots of cool stuff happening in the world. In the meantime, me and Zach Morris will be keeping it real down in the legal trenches. I’ll be the one fighting for truth and justice. He’ll be the one with hair.
