Anyone who has been following my Twitter will realise I have been writing about malware as objects. This seems like a fundamentally weird and even useless thing to do (and one I have wondered about myself). Yet thinking of objects as something that matter in cybersecurity is essential.
This is a question I posed myself: can malware be an object?
This was somewhat triggered by my other side as a geographer interested in space, time, and place. Evidently when malware was emerging in the 1990s as a political concern, cyberspace was still often referred to as ‘frictionless’ and traversing the Westphalian model of individual sovereign states – all part of a growing post-Soviet triumphalism of western liberalism. This is how malware is often seen, as being ‘out-there’, as something bounded that travels with little connection to anything else. Yet I’ve never been able to put my finger on what a malware object may be – it clearly is much more than the software used to construct it. How about the writers (sometimes known as hackers and artists), the malware ecology of different interdependencies? Can it extend out to speeches, political discourse, malware laboratories? Some of these things would not exist if it wasn’t for malware. Yet who knows what this is.
In a good start to thinking through these issues and implications for cybersecurity, Balzacq and Cavelty (2016) (available open access) talk of an actor-network theory approach. Though I disagree with some points, they do highlight the importance that objects have to, in this case, international relations. Yet it is also true they have a huge impact on computer science and cybersecurity. I do not want to overly dwell on the philosophy here, but there have been movements to appreciate objects as things in themselves over the past two decades or so, with one of these being Object-Oriented Ontology (OOO). This helps us comprehend how objects, such as malware, have an ability to act and cause things to change. I am not saying that malwares have intention, as that would suggest they have a human quality to be malicious – that is the human working with them. Of course objects in computer science have a somewhat different meaning to what I’m referring to here, but do fit in. Without falling into the trap that Alexander Galloway notes in his work (2013), that we orientate our thinking around the technology we talk about, objects have states and behaviours.
However, I do not think we can locate malware in a specific location on a map. If we think of how malware communicates – through command and control servers, in botnets, through peer-to-peer networking, using the internet – to download modules, to share information, to activate, then malware is stretched across multiple different places. If you require some information from a server that is routed through Ukraine, let’s say, but your target is in the USA, then where is malware as an object in the broader sense? Yes, there is local software on the individual machine, but it requires connection to extract information for instance. Then there are the political reasons that certain groups operate out of certain places, the training required, and the knowledge to do certain things, all of which are geographically dispersed. Can you separate the malware object from this? I think not, and it becomes part of the malware object, made up of different malicious elements, such as the local software on the machine, with a server elsewhere, with the right political conditions that enable it to become malware in a sense that we can detect and analyse it and it becomes successful.
So, when we consider malware as geographically distributed in this way, it is in tension, with lots of potential for something to happen (think of the Conficker botnet that did very little). So it is when all elements of the malware object are part of doing something that it really formulates, and it becomes malicious. Yes, we can see the warning signs through signatures, but it is only when the malware object comes together that it is something we can track, analyse, detect through networks. This is why Advanced Persistent Threats (APTs) are so interesting, as they are so stealthy that the object is very difficult to detect – and may not seem to be acting differently to the norm. When is an APT part of a malware object? This is something I need to do a bit more thinking on.
Therefore, when talking about malware and when detecting it, it’s about the entire ecology of malware, not just the end-point detection: it only becomes malware when all the elements forge an object. This may now sound obvious – but it disrupts the idea that an object is material, located in a fixed place at a certain time, and adds tension to the mixture. Therefore you have to tackle all parts of the ecology – computer science, international relations, crime – to attempt to force it into something that is only ever partially controlled. This means that connected thinking is essential to consider how to tackle malware, and that this cannot be done simply at the end-point. Evidently, this is just me dropping an idea at the moment, but I hope to work with this much more as a core tenet of how malware can be reconsidered to assist in cybersecurity, but also challenge some geographical thinking.