Unintended Consequences of Computer Viruses

The Spanish newspaper elpais.com  last week reported that the crash two years ago of Flight JK 5022, killing 154 of 172 on board, was indirectly caused by malicious software.

A computer, located at the airline’s headquarters, was responsible for sounding an alarm if the plane registered three faults. In this case a tube had twice reported as overheated, but the third instance was not received because the computer was infected with a Trojan virus.

Three things come to mind here:

The first is that critical systems should be more secure. Ultimately, however, it is very difficult to make a system that is completely secure that also connects in any way with the outside world. Certainly such systems should not be based on a consumer OS that allows injected DLLs such as Microsoft Windows.

The second is that there should be consequences for those perpetrating such cyber crimes. We are well beyond the point in history where viruses are generated by kids working from their bedrooms. Today such acts are those of organized criminals, hidden behind levels of indirection and international borders. It is perhaps the verdict of murder that might galvanize action against these activities.

The third is the global threat we now face from politically driven cyber attacks. The recent Stuxnet virus illustrates just how sophisticated and dangerous these attacks can be. If you weren’t paying attention, this virus is first spread via USB drive, then exploits four zero-day vulnerabilities to enable remote code execution, escalate priviledge, and pass itself between computers. This worm has burrowed it’s way into some of the most secure and critical control systems in the world including, famously, a few thousand computers in Iran.

I’d like to close with an uplifting statement of how governments are taking cyber crime and cyber warfare very seriously, which they are, and how things will be alright. But I’m not optimistic enough to do this.

Update: A NYTimes article on the cost to Google of handling attacks

Comments