Skip to content

Matt Ridley: Our Race Against Computer Viruses Is Endless

Matt Ridley, The Times

Cybercrime has become part of daily life but, as with natural diseases, ingenuity allows us to remain one step ahead

The WannaCry ransomware cyberattack of last week, which briefly crippled much of the National Health Service, may be the biggest, but it will not be the last outbreak of cybercrime. Remember your Through the Looking-Glass. The Red Queen lives in a world where, she says: “It takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that.” We, the good guys, are locked in a Red Queen race with hackers, just as we, the human race, are locked in a race with real viruses, and with antibiotic resistance.

It is a race in which permanent victory is impossible, but so is permanent defeat. Perpetual struggle is inevitable. I say this with confidence because for once the biological analogies are apt. The right way to think about cybersecurity is epidemiological. Indeed, the similarity between a computer virus and a real virus is more than a metaphor: both are pieces of linear digital information (one made of binary electronic digits, the other of quaternary DNA bases) capable of getting themselves replicated and spread. One leading theory is that sexual intercourse evolved, a billion years ago, as a security patch against parasites.

The fact that malware is manmade while maladies are not makes little difference. So long as there are enough actors out there experimenting, both will evolve, through mutation, recombination and selection — through trial and error. That this latest cyberweapon may have been enhanced with something called EternalBlue stolen from America’s National Security Agency is again not altogether surprising to a biologist. Parasites have a habit of stealing good genetic ideas from their hosts.

Computer viruses are as old as computing. The first widespread one, Elk Cloner, spread through Apple computers in 1981 via floppy disks. Ransomware first appeared in 1989, with a trojan horse called AIDS. By the early 1990s you could buy anti-virus software. Especially bad outbreaks occurred in 2003 (the “slammer worm”) and 2009 (the “conficker worm”), just like the bad plague years of AD541, 1346 and 1665. But apocalyptic warnings that computer worms and viruses would eventually win proved wide of the mark. I recall business seminars around the turn of the millennium at which the audience was effectively told that the problem of computer viruses was insoluble so the end of the web was near. This was around the time we were told that computers would fail, and social order would collapse, because software could not cope with the start of a new millennium. In practice, anti-virus protection has evolved just as fast.

Perhaps we were just lucky, then. Despite the supposed heroic but accidental action last week of MalwareTech, an anonymous 22-year-old, I don’t think it is luck. Here is why the good guys will always be able to defeat the bad guys — temporarily: the former can operate in the daylight, the latter must stay in the dark. This was brought home to me about ten years ago when my laptop was infected by a virus and I quickly found a website on which people were freely sharing the latest features of this virus and how to deal with it. Such open sharing is not available to hackers, however large the dark web gets.

Thus Microsoft already has a patch for the WannaCry ransomware, released in March, having been alerted perhaps by the NSA itself. That some organisations, such as the NHS, have plainly done a terrible job of keeping their computer security updated is reprehensible but no great surprise. It is a bit like a community that relaxes its vaccination rate.

Minnesota is currently experiencing a measles outbreak: about 50 people have gone down with the virus, mostly from the Somali immigrant community. This is entirely because vaccination rates in that community have halved thanks to the recent influence of the anti-vaxxer movement and its autism theory. Drop your vaccination guard and the Red Queen will strike. Don’t update your cybersecurity and ditto.

Here’s another parallel. Antibiotic resistance is also a Red Queen phenomenon, in which new antibiotics must continually be introduced to counter antibiotic resistance. In failing to invent new antimicrobials, it is as if we have been failing to update our pharmacological security software.

[…] The lesson of this week is eternal vigilance: update your software regularly, keep back-ups, filter mail and be suspicious of attachments. Don’t expect the problem to go away, or to find a silver bullet that kills the problem for ever, but don’t expect malware to defeat us either.

Full post