Here I am, as promised, to continue the research we started together on the cost of malware. We read news of more or less aggressive viruses that cause heavy damage to public infrastructure and to private citizens, and sometimes endanger human life itself. But when we speak with someone who works in a different field and has no IT knowledge, are we able to explain how much effort the production of a piece of malware requires? How many professionals, and which roles, must be involved, and how much does it cost? Once we can answer that, the next time we hear about viruses and malware we can truly understand how much intellectual effort lies behind such a threat.
Since the publication of the first part of this article I have been able to speak with professionals and managers who operate in sectors such as healthcare and public administration, and I can tell you with certainty that they have no idea how much a piece of malware costs. The common understanding is that behind the creation of malware there are groups of enthusiasts, often very young, who start developing it mostly to test their own ability. Nothing could be more wrong! Behind the production of a virus there are professional organizations, hired by governments or by criminal associations, that develop a “product” with all the skill the task requires. The processes they follow are the same ones used by the main business software vendors: skilled professionals take on projects with clear requirements that demand deep technical knowledge.
Now imagine that we have to build our own team and want to list the professionals we need.
Starting from the analysis made by Charlie Miller in the document “DEFCON-18-Miller-Cyberwar”, if we wanted to assemble a team for the development of malware, which professional roles would be needed?
All these resources have a cost, which can be very high depending on the project objective and the total duration of the development. Let’s do an exercise together: we will try to give a value to each resource and define the project duration and the phases that compose it. The following table summarizes the annual effort needed to implement a piece of malware, analyzing for each role the number of resources used and the related cost.
The final results are amazing:
Consider that this is an average annual cost and a rough estimate; projects like this usually last several years. A new generation of malware is being developed: modular agents that are able to infect several different targets simply by changing some components of their architecture. This means that the development phase is really complex and that the project must be considered ongoing work. The fight against this malware is really hard; most of it relies on zero-day exploits discovered by expert researchers.
Try telling this figure to those who believed that producing malware is a nerd’s job (the nerd being an intelligent but socially awkward and obsessive person who spends time on unpopular or obscure pursuits). As you can imagine, the amounts involved are certainly not within everyone’s reach, and it is clear that the development of malicious agents is driven exclusively by two goals: that of criminal associations who wish to profit by infecting systems, primarily for economic gain, and that of governments or terrorist groups who intend to develop a cyber weapon.
While the first point is widely accepted today, governments are very reluctant to admit these expenditures, and most of them do not have a cyber defense/offense strategy. Who is the father of the Duqu and Stuxnet viruses? Do you believe that a group of researchers developed them for fun? What is the real value of their targets?
Let me conclude this second part by leaving some questions as food for thought on the numbers we presented. Given such large investments, how many resources and which roles should be hired to deal with the looming threat? Are the data presented enough to make us understand the enormous effort that the main groups of researchers put in every day against these threats?
Having fully understood how economically significant the phenomenon is, is it appropriate to provide this information to citizens so that they fully understand the importance of a cyber defense strategy and of the related expenditures?
… to be continued
Let me say thank you to two great security specialists who have supported my research with their personal experience and by sharing precious and rare information.
Niels Groeneveld (Threat Analyst at Royal Dutch Shell)
Charlie Miller (Computer security researcher)
and thank you for his support to
Paolo Foti – Founder and researcher at Cloud Security Alliance – Italy Chapter