Might Governments Clean-up Malware?

Richard CLAYTON
University of Cambridge

Abstract: End-user computers that have become infected with malware are a danger to their owners and to the Internet as a whole. Effective action to clean-up these computers would be extremely desirable, yet the incentives conspire to dissuade ISPs (and others) from acting. This paper proposes a role for government in subsidising the cost of clean-up. The organisations that tender for the government contract will factor in not only the costs of the clean-up, but also the profits they can make from their new consumer relationships. A model is proposed for what the tender price should be – and, by plugging in plausible values, it is shown that the cost to the tax payer of a government scheme could be less than a dollar per person per year; well in line with other public health initiatives.

Key words: malware, cybersecurity, security economics.

This paper looks at the problem of dealing with end-user computers that have, in a variety of ways, become infected with malware. This can sometimes be a serious security issue for the owner of the computer in that malware is often capable of copying confidential files, stealing online banking credentials, or of fraudulently redirecting traffic for financial gain (POLYCHRONAKIS et al., 2008). Additionally, it is almost invariably a security issue for the rest of the Internet, because the infected computer can be combined with others into a 'botnet' which is then used for a large range of criminal activity, from distributed denial of service attacks, through click fraud, to the bulk sending of email spam (MOORE et al., 2009).

Quite clearly, for the Internet to be safer for everyone, 'something must be done' to clean-up the infected computers, but there are a number of barriers to this – mainly to do with incentives.
Since the incremental effect is small and responses rare, no-one may be interested in collating lists of botnet members and submitting reports to ISP 'abuse' desks. The ISPs, who must be involved to map IP addresses to customer identities, gain little from handling the reports. They risk alienating customers by simultaneously threatening disconnection and refusing to provide free technical help to deal with the problem. If the report does reach the customer they may not appreciate the need to act and, indeed if the malware does not steal data from them, inaction makes little difference to their Internet experience. Furthermore, removal of malware costs time and/or money that the end-user may feel that they can put to rather better use.

COMMUNICATIONS & STRATEGIES, 81, 1st Q. 2011, p. 87. www.comstrat.org

The financial cost of cleaning up malware can be daunting to many – the perception of it being a complex task, with expert help expensive and essential, goes a long way towards explaining why customers delay malware removal and why ISPs are generally so reluctant to offer any assistance. Of course some malware is extremely trivial to remove, but effective clean-up may be difficult, it may need specialist knowledge or tools, and hence it can indeed be rather costly when done on a one-off basis.

This paper suggests that governments should consider stepping in and subsidising the clean-up – with the analogy being with their role in protecting public health. We believe that such a subsidy will go a long way towards improving the incentive issues – it will no longer be quite such an expensive nuisance for an ISP, or their customer, to learn of a malware problem.
Furthermore, by reducing the cost of clean-up to the end-user, it would also make it fairer (and more politically acceptable) to introduce regulations to compel ISPs and customers to ensure that malware is removed in a timely manner, and this in turn may incentivise the reporting of botnet membership.

Clearly, by bulk purchasing clean-up services through a tendering system, a government will be able to reduce the cost of their subsidy. Additionally, since the suppliers should be able to sell further products (antivirus software would be an obvious example), they should be treating the referrals as a valuable 'sales lead', and tendering lower for the contract as a result. Hence, we argue in this paper, tax-payers will end up with a rather smaller bill than might have been expected at the outset.

The rest of the paper is arranged as follows. In the following Section we discuss the nature of malware in more detail, and outline existing initiatives for malware removal. In the 3rd Section we set out how a government sponsored scheme would work, and in the 4th Section we model the costs and set out the basis for our belief that it will not be as expensive as it might initially seem; and then in the last Section we conclude.

Malware

One of the most important ways that criminals make use of the Internet is by distributing malware (malicious software). Ordinary consumers are tricked into running these programs on their computers, and the malware will then compromise online banking sessions, steal passwords for email accounts so they can be exploited for sending spam; and almost invariably cause the computer to join a 'botnet'. The botnet is the 'swiss army knife' of Internet wickedness, allowing criminals to command the individual botnet members to send email spam, participate in advertising 'click fraud', take part in denial of service attacks, or assist in hosting illegal web content.
It was once useful to distinguish different types of malware: a 'worm' is a self-replicating program that spreads from computer to computer without user intervention; a 'virus' attaches itself to a genuine program or email, executing only when the user runs the program or opens the email attachment; and a 'trojan' is a program that claims to do something useful and secretly does something wicked. These days, these distinctions are of limited value – and the categories have blurred considerably. The main vector of infection at present is visiting websites which contain malware, either because the site was specifically constructed for that purpose, or because a legitimate website was insecure and someone has broken in to plant the malware.

Malware infection

The user will become infected either because they deliberately install software from the website (they may believe a video will not play because their system needs extra components installed) (PROVOS et al., 2009), or the site automatically downloads content to exploit flaws in system components (so-called 'drive by' infection (PROVOS et al., 2008)).

Users can improve their protection against malware by keeping the software on their computer up-to-date and by never running a program provided by an untrustworthy site. It is also useful to employ anti-virus software with a current list of threats to scan for; although technical advances by the malware writers mean that a great deal of malware now completely fails to be detected by these programs. Using a firewall, or as most consumers will, connecting to the Internet via a network address translation (NAT) device, has value in protecting against 'worms', albeit these are an unusual type of threat nowadays.
Even with a totally secure and up-to-date system, and with impeccable online behaviour, consumers can still become infected with malware through no real fault of their own; perhaps by visiting a reputable site that has been recently compromised, having their browser automatically download malicious content, and thereby falling victim to a '0-day exploit', for which no countermeasure yet exists.

Malware detection

Consumers become aware that their computer is infected with malware in two main ways. The first is by running a malware detector on their computer; the second is by being told that there must be a problem by someone else who has noticed that their computer is behaving inappropriately.

It is often the case that newer versions of anti-virus software will detect malware that has been present on a computer for some time. If a particular malware program is widespread enough, the anti-virus vendors will ensure that their products are able to detect and remove it. However, malware will often arrange for anti-virus updating to fail, so that the anti-virus software continues to run with outdated information of what is to be detected. The user will have a false sense of security – and will continue to operate a compromised computer.

The other major malware detector is Microsoft's 'Malicious Software Removal Tool' (MSRT), part of the monthly 'Windows Update' programme.[1] Microsoft takes steps to detect and deal with malware if it is especially widespread, and/or when there is particular disruption being caused by the botnets that the malware makes possible.

Although the user may not themselves notice that their computer is infected with malware, this may come to light because the bad things which it is doing are detected elsewhere on the Internet. Occasionally a researcher will be able to enumerate all members of a botnet, or a spam email may be sent to a special 'trap' address which is unused, so that any incoming email must be unsolicited.
Whatever the mechanism, the report will be made to the user's ISP, who is then expected to deal with their customer.

[1] http://www.microsoft.com/security/malwareremove/

The reason that reports have to be made to the ISP is that for consumers and small businesses there is no publicly available directory to map the IP address of the misbehaving computer into a contact address for its owner. Provided that the correct technical details are given to the ISP, it can use its own private records to work out which customer is causing the problem, and can then communicate with that customer. By convention (CROCKER, 1997), the email address used to reach the ISP is [email protected] and the personnel who deal with this mailbox are called the ISP abuse team.

Malware removal

Once the user is aware that they have malware on their computer then they should always wish to remove it, and if well-enough informed they will generally do so. This is not only because they want to be good Internet citizens, but also for self-protection – malware often contains a keylogger, so that important information, such as online banking credentials, is at risk. Once the user has removed the malware, they must immediately change all of their passwords (and additionally all their password recovery questions, to prevent the criminals changing the password straight back).

Some malware is relatively easy for anyone to remove – the Microsoft MSRT program is very effective for the malware it targets; and anti-virus companies provide removal software as well as detection software. However, where a custom removal tool is not available, then generic techniques will be needed, and these can pose difficulties for non-experts.
To remove malware, the basic steps are to find all running copies of the program and stop them; remove all system start-up instructions that would cause the malware to run at the next reboot; and delete all copies of the malware on the computer's disk, perhaps disentangling it from legitimate files. Once the malware is gone, the computer may need to be reconfigured because the malware may have disabled the anti-virus system or messed with the firewall settings. In extreme cases it can be simpler to reinstall the entire operating system from scratch, and indeed to avoid lingering problems the super-cautious will do this as a matter of course.

The economics of dealing with malware

Because malware can be difficult for consumers to deal with, they will look for help in cleaning their computers. The main sources of help are friends and family (some of whom may have technical skills); computer shops, especially the one they bought their computer from; and their ISP.

Customers have a strong expectation that their ISP will help them deal with problems whose origin was on the Internet; especially if it was their ISP who relayed the report that they had a malware problem in the first place. However, ISPs are seldom set up to do generic technical support, and because their support is offered over the phone and by email, removing malware is especially difficult for them. Hence, their response is either to point at 'how to' documents on the Internet, or to suggest contacting the shop where the computer was bought. This can leave customers upset, and they may erroneously conclude that if their ISP does not seem to care whether they remove the malware, then they need not care either.

ISPs are not just extremely reluctant to offer technical support in dealing with malware, but they may be reluctant to handle incoming malware reports either.
The provision of Internet access to consumers has become a commodity, and this has meant that ISPs find it essential to compete on price. To keep prices low, they have to eliminate costs from their organisations, and one of the areas where it is very tempting to attempt to save money is within the abuse team. Processing incoming reports, determining which customer is involved and then talking to that customer is expensive – it is widely claimed that just one communication with a customer eats up the profits on that customer for the year.[2]

In principle, the market should deal with ISPs who skimp on abuse team activity. Their customers will be added to third party blacklists. As the number of entries grows, those blacklists will add larger and larger blocks of the ISP's address space. Because these blacklists are used by many spam blocking systems, this will impact the ability of the ISP's customers to have their email delivered, and the general impression of uncleanliness may reduce the amount of free peering that the ISP can negotiate. However, the impact of these measures is relatively small, the process is slow, and there is considerable asymmetry – a large ISP suffers little loss from blocking a small ISP, whereas the small ISP would lose considerably by blocking the large ISP (SERJANTOV & CLAYTON, 2005). Hence one cannot look to the market to ensure optimal expenditure on abuse teams, except over very long timescales.

[2] The cost of communicating with customers is widely claimed to be comparable with the annual profit they generate, but substantiating this claim turns out to be difficult. The Help Desk Institute (HDI), a membership/certification organisation for technical support professionals, hosts a 2003 white paper (SHERRILL, 2003) which discusses the complexities of determining what the cost of a call might be. The paper concludes that, "Industry average for cost per call (fully burdened) within the help desk industry is $20–$40". It might be thought that this figure could be on the low side for calls relating to malware, and of course costs will have risen, some seven years later. The other part of the equation, profit per ISP customer, is hard to assess. Many major ISPs bundle television or telephone services, or provide dial-up services (where the cost base is different from broadband). Earthlink's Q1 2010 figures (EARTHLINK INC, 2010) show a net profit of 25.7 million USD, and that broadband revenue was 59% of their revenue. Assuming (and it is an assumption) that broadband has the same profit margin as dial-up, each of their 900,000 customers yields a profit of 67 USD per annum. As another data point, McPherson, in a detailed blog post on just this issue – the cost to ISPs in communicating with customers about botnet membership – estimated the profit per annum to be 60 USD and the cost of a support call to be 50 USD (McPHERSON, 2007). This evidence shows that the "profits for a year" claim is excessive, albeit not greatly so.

Malware removal today

In an effort to improve the situation, a number of initiatives are currently under way. For several years Qwest, in the United States, has been putting malware infected customers into a 'walled garden' with limited Internet access (QWEST INC, 2007); more recently the largest US cable provider, Comcast, has developed an automated scheme for detecting botnet traffic and notifying customers (Comcast Corporation, 2009). In Australia (HILVERT, 2009), the Netherlands (EVRON, 2009) and Germany (ECO, 2009), ISPs have mutually agreed to deal with botnets; this mutual action means that all ISPs will incur similar costs and so should not be at a competitive disadvantage. In the United Kingdom, an influential all-party Parliamentary group has recommended that the UK ISPs come to a similar mutual agreement (Apcomms, 2009).
Agreeing to handle abuse reports and pass them on to customers is only one part of the solution, because it is also necessary for the customers to have their computers cleaned up and – as just discussed – ISPs will not be enthusiastic about being involved. The most likely customer assistance mechanism will be partnerships with third parties – Comcast has formed a partnership with McAfee for online assistance; and if the computer needs to be worked on by a skilled technician the user will be charged 89.95 USD for this service. Similarly, one of the Luxembourg ISPs recommends a local home visit service that charges Euro 18.95 per quarter hour.[3]

[3] This sounds especially cheap, but the technicians are alleged to be under strict instructions that they are never to be so quick as to avoid charging for less than half an hour. Hence the price is more realistically portrayed as Euro 37.90, approximately 52 USD.

How users actually deal with malware problems is not widely studied. One of the few reliable datapoints we have is the 2006 Consumer Reports 'State of the net' survey of two thousand US households which found that 39% of those surveyed had a problem with a "virus" in the previous two years. Of these, 34% dealt with the problem by reformatting their hard drives, and 8% replaced their computers (Consumer Reports, 2006).

Purchasing a new computer might at first sight appear like a waste of money – but for many users it may well cost little more to purchase a new computer (which will almost certainly be faster and better) than spend a fair proportion of the price in cleaning up the old one. Since the new computer will come with a modern operating system (better able to resist infections), and 'free' anti-virus and anti-spyware products, it is perhaps surprising that the figure was as low as 8%.

A government-funded scheme for malware removal?
It is envisaged that a government subsidised scheme for cleaning up computers infected with malware would work as follows:

• The ISP abuse team learns that one of their customers has a computer that is a member of a botnet, which is sending spam, or has some other indication of malware infection.
• The ISP identifies the customer and informs them of their problem. The customer is provided with links to educational material (why their computer might be infected, and why this matters) along with some self-help data for the particular problem they seem to have (e.g. a Conficker-infected customer would be given links to the Conficker Working Group website[4]). The customer is also told the details of the government sponsored clean-up scheme, which they are entitled to use if they wish.
• Ideally, the customer uses freely available tools to clean-up their computer themselves. This will often be the best and most effective thing to do. Large businesses, with in-house IT Departments, are also likely to choose to deal with the problem internally.
• If the customer does not have success with these tools, then a technician will visit their home (or for a lower price, the end-user can visit a local shop). Their computer will then be cleaned up for them. There will be a charge for this service, to prevent the 'moral hazard' of consumers deciding not to take any precautions at all, but this charge will be nominal (perhaps 20 USD, or 30 USD for a home visit) with the government paying for the rest of the service.
• The consumer is strongly encouraged to follow 'best practice' advice in installing anti-virus software and ensuring that their software is entirely up-to-date, using programs such as Secunia's 'Personal Software Inspector'.[5] The consumer will also be advised to change their online passwords (and password recovery questions), and to keep an eye on their bank and credit card statements for suspicious transactions.
• The technician's company bills the government to receive the subsidy. This subsidy will be set at a flat rate – in much the same way as health care is often funded (both by governments and by insurance companies), with preset prices for visits to clinics, dental check-ups or the filling of cavities.

[4] http://www.confickerworkinggroup.org
[5] http://secunia.com/vulnerability_scanning/personal/

If this scheme works as described then there are clear benefits. There is of course the reduction of infected computers, albeit action in one country may not be significant on a global scale. More important will be the reduction in data loss by citizens – malware usually includes a keylogger – so the quicker that a computer is cleaned up, the less likely that passwords will reach the criminals, and the smaller the time window for exploitation.

Perhaps most importantly of all, the rapid, and hopefully painless, correction of the malware infection should prevent any loss of confidence in using the Internet. Most governments are now looking to the Internet as a way of cutting their own costs in communicating with citizens, and for benefits to the wider economy from having an online population. Keeping confidence in the Internet high is an essential prerequisite to tempting people online, and keeping them there.

Last, but by no means least, if the scheme is effective then other countries (other governments) will look to implement their own version – this means that early adopters will find their international standing enhanced, and their views will carry more weight in this policy area.

Who will do the cleaning up?

There are a number of candidates for the task of cleaning up computers (since it will clearly not be done by the politicians or the civil servants!):

• Computer retailers – small computer shops have long been set up for computer repair, and larger companies have increasingly turned to this area as a new source of revenue.
The large retailers increasingly offer on-site installation and repair, using brands such as 'Geek Squad'.
• Community groups – many countries provide free computer services for their citizens through local government initiatives, based around councils or communes. These institutions could extend their activities to include malware removal services.
• Utility companies – the utilities (electric, gas, etc.) have moved away from just maintaining their own infrastructure and now provide a range of consumer services such as emergency plumbers, central heating servicing, etc. Training some of their existing operatives to deal not only with gas boilers and leaky taps, but also with the relatively narrow field of malware removal is not entirely far-fetched.

Possible objections to the scheme

Cleaning up malware infected computers cannot be anything other than a good thing. Hence, provided that the work is of adequate technical quality, there is no apparent downside. However, it is far from obvious that ISPs will be delighted to pass their customers' details on to a third party (the clean-up company) with whom they cannot directly negotiate contractual safeguards. Suppose that a third party not only removed malware, but – for an introduction fee – they persuaded the customer to move to another ISP. It will clearly be appropriate to identify this type of commercial concern early on and to place restrictions on the marketing of directly competitive services, lest ISPs decide that they will not co-operate.

The co-operation of the ISPs is of course essential, because they must handle the initial reports about malware infestation, and must make the initial communication with their customer. The proposed scheme is designed to try and simplify these tasks, and to allow ISPs to use automated systems. An IETF working document written by Comcast engineers (LIVINGOOD et al., 2010) considers nine different ways of communicating with a user – their deployed system currently arranges for the user to see a warning in their web browser (Comcast Corporation, 2009).

Naturally, governments could take themselves out of the loop altogether, and invite companies to set up independent malware cleaning schemes. Clearly, if these companies charge a sufficiently high price to the users for their service then computers will be cleaned and profits will be made. However, the risk is that this approach is far less likely to be successful, and not just because of a lower take-up caused by the non-subsidised price. The involvement of the government makes it easier to cajole ISPs into doing their part, and provides important assurance to citizens that the scheme is bona fide and that quality controls will be in place.

Of course, individual political philosophies differ significantly – so some would see any role at all for government as an anathema. It is only necessary to look around the world at the different approaches that were taken to handling the recent influenza epidemic to see these different philosophies at work.

Even where governments have an interventionist approach to dealing with public health problems (and dealing with malware is much the same sort of issue), many have a lamentable record of purchasing IT services, or preventing fraudulent claims for subsidy, and that might be felt to doom the proposed scheme from the start. However, the government's task within the proposed scheme is restricted to picking out the low tender(s) that are consistent with appropriate quality controls, and thereafter ensuring that the system is appropriately audited by independent experts to prevent any fraud. These limits on involvement are not all that dissimilar to governments' role in many other sectors and so it is reasonable to assume that they will not be especially awful in this particular sphere of action.
A different type of doubt would be whether a government-sponsored scheme for cleaning up malware might reduce the market for technical innovations that would make the scheme unnecessary. Since the government's subsidy is fairly limited (the calculations below suggest that it will be less than a sixth of the total cost), this distortion of the market is not substantial, but it might nevertheless mean that some people will reject the scheme on philosophical grounds.

Likely costs of the scheme

In this section we build a model for the costs of the malware removal scheme and make some estimates for what these costs are likely to be. As will be seen, many of the cost estimates are extremely rough. It would be possible to pin some of them down by means of consumer surveys or pilot implementations, and doubtless a government considering this scheme as a policy option would promptly perform such investigations.

The model

The proposed scheme will involve costs for set-up, publicity, monitoring, audit and a wide range of other incidentals. These are not considered here. What is modelled and estimated covers what is likely to be the bulk of the money involved – the costs incurred per reported malware incident.

The model is that a malware report reaches an ISP who passes it on to their customer. Some customers will choose to deal with it themselves, whereas others will take advantage of the government subsidised clean-up scheme. If they choose to use the scheme then they pay a nominal amount for the service, with the remainder of the cost paid by the government. Using variables for the various values we have:

A proportion, s, of customers receiving reports will use the scheme.
Hence (1 – s) of reports are dealt with outside the scheme 'for free'.
The cost per clean-up event is C, with the end-user paying e and the government paying (C – e).

Hence, the government puts the scheme out for tender.
The various organisations who wish to operate the scheme naïvely calculate what they expect C to be (including an element of profit), and they put in a tender for (C – e) and hope to be the low bidder.

There is of course going to be some significant price sensitivity, in that higher values of e lead to lower values of s – that is end-users may eschew an expensive scheme in favour of a do-it-yourself solution. Also, if e is the same as C (or higher) then the tenders submitted should all be zero (or negative, viz: organisations compete as to how much they are willing to pay for the contract).

However, there is potentially a lot more going on here than this initial naïve analysis would suggest. Recall the US survey (8% of computers are replaced when there is a problem), and it can be seen that a certain proportion of end-users will not pay e at all, but will instead spend a considerable amount on a new computer, giving a profit of N to whoever supplied it. Clearly, the higher the value of e, the more likely this is to occur.

Furthermore, it will be possible to persuade a sizeable proportion of the end-users who stick with their old computer that, once it has been cleaned up, they should enhance it by the purchase of anti-virus software (or even just a new mouse). Looking further ahead, making sure that all the scheme users are added to appropriate marketing lists should make it more likely in future that they can be sold new products – after all, they will be buying from those nice people who were so good at fixing their computer last year.

These opportunities to profit from supplying other products mean that an organisation which thinks itself capable of doing this type of selling should lower their tender amount to ensure that they get the contract. Expressing these further items as variables we have:

A proportion, n, purchase a new computer; each yielding a profit of N.
A proportion, v, purchase anti-virus (etc.); each yielding a profit of V.
A proportion, f, will buy in the future, for a (net present value) profit of F. Putting all of this together: Those who choose a new computer bring in a profit of n * N. The others will incur a cost of (1 – n) * (C – e). The profit from selling anti-virus etc. is (1 – n) * (v * V). 6 The profit from future business is f * F. So the tender can be as low as: (1 – n) * (C – e – (v * V)) – (n * N) – (f * F). Putting some numbers into the model It is possible to make some plausible estimates of the numbers in the model, in order to estimate what values are likely to be tendered. We start by assuming that C (the clean-up cost) is 70 USD and that e (the amount to be paid by the end-user) is to be 30 USD. 6 Note that new computers come bundled with anti-virus. 100 No. 81, 1st Q. 2011 Objections might reasonably be raised as to where these numbers come from. The examples given above were from the USA (89.95 USD) and Luxembourg (52 USD 7). Arbitrarily, the mid-point of these two values has been chosen – dubious readers may plug in their own value. Similarly, a reasonable case can be made for e being anywhere between 20 USD (much lower and perceptions of moral hazard might make the scheme politically unworkable) and 40 USD (any higher and the scheme hardly involves a subsidy any more). Once again the midpoint (30 USD) has been chosen. It's also worth observing at this point that C is nothing like constant, and for any company doing significant volumes of work (as they might expect to do, having been awarded a government contract for an entire country) there is ample scope for research into automated systems that will result in substantial cost-saving. In particular, the reports flowing through the ISPs are likely to be for large numbers of instances of small numbers of particular malware variants – viz: with a little preparation clean-up can be made very simple for the vast majority of cases. 
8 We know from the US that with e about 90 USD then n (the proportion of end-users buying a new computer) is 0.08 and N (the profit from such a sale) is about 100 USD. It's hard to say how elastic the demand for a new computer might be, but let us assume that with e at 30 USD then n is 0.05. The end-user price of commercial anti-virus products is highly variable and there are many discounts. It is plausible to assume a price of 70 USD and a profit of 42 USD (i.e. 60% trade discount). Hence V is 42, and we will assume that, given the circumstances of the sale, there will be a sale in 50% of cases (i.e.: v = 0.5). Note that if it was an anti-virus manufacturer offering the service then the discount could be almost 100% rather than 60%. Finally, we have to estimate the likely future profit from the customer relationship (f * F). This isn't easy, but the going price in Google Adwords for 7 In fact this should be 47 USD because there's a kickback of 10% to the ISP for every customer they refer. 8 To labour this point about economies of scale – there is a substantial difference between the participants in the proposed scheme and how individuals deal with malware infection today. The individual must identify the infection, research the topic, find specialist tools, scan the machine for further problems and work one-on-one to educate the user. The technician from the removal company would arrive knowing what the malware was (from the report that went via the ISP). They'd have the removal tools immediately to hand, they would know if other remediation is needed (and modern malware seldom damages user files), and they could leave the user with booklets, videos, or other professionally produced training material. R. CLAYTON 101 'new laptop' is estimated at 1 to 4 USD. It might be assumed that appropriate relationship management would yield just as good a result as buying the most expensive clicks, so we will put this value in at 4 USD. 
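The tender model carried through with the values estimated above, as an added example that is not part of the original paper; it also splits the saving by source and solves for the anti-virus conversion rate at which the tender reaches zero. Assumption: the 4 USD is taken as F with f = 0.5, a value the paper does not state, chosen because it yields the paper's 11.05 USD result.

```python
from typing import NamedTuple


class Params(NamedTuple):
    C: float = 70.0   # clean-up cost per machine, USD (paper's estimate)
    e: float = 30.0   # end-user contribution, USD
    n: float = 0.05   # proportion who buy a new computer instead
    N: float = 100.0  # profit on each new computer
    v: float = 0.5    # proportion of the others who buy anti-virus
    V: float = 42.0   # profit per anti-virus sale (70 USD at 60% discount)
    f: float = 0.5    # ASSUMPTION, not stated in the paper
    F: float = 4.0    # future profit per customer (net present value)


def tender(p: Params) -> float:
    """Lowest viable tender per clean-up, using the paper's formula."""
    return (1 - p.n) * (p.C - p.e - p.v * p.V) - p.n * p.N - p.f * p.F


def contributions(p: Params) -> dict:
    """How far each revenue source pulls the tender below the naive C - e."""
    return {
        "anti_virus": (1 - p.n) * p.v * p.V,
        # New-computer buyers cost nothing to clean up and also yield N.
        "new_computer": p.n * (p.C - p.e) + p.n * p.N,
        "future": p.f * p.F,
    }


def break_even_v(p: Params) -> float:
    """Anti-virus conversion rate at which the tender reaches zero."""
    return ((p.C - p.e) - (p.n * p.N + p.f * p.F) / (1 - p.n)) / p.V


if __name__ == "__main__":
    base = Params()
    print(f"naive tender  : {base.C - base.e:.2f} USD")
    print(f"full tender   : {tender(base):.2f} USD")
    for name, usd in contributions(base).items():
        print(f"  less {name:<12}: {usd:.2f} USD")
    for v in (0.25, 1 / 3, 0.5, 0.75):
        print(f"v = {v:.2f} -> tender {tender(base._replace(v=v)):.2f} USD")
    print(f"break-even v  : {break_even_v(base):.3f}")
    # An anti-virus manufacturer keeps nearly the whole 70 USD price as V.
    print(f"manufacturer  : {tender(base._replace(V=70.0)):.2f} USD")
```

With V raised to 70 USD, the manufacturer case mentioned above, the tender goes negative: such a bidder would be willing to pay for the contract.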
Plugging these values into the model we find that the naïve tender value (C – e) would be 40 USD and the more sophisticated one, taking account of all the other factors, would be 11.05 USD.

Quick inspection shows that the most significant contribution to the lowering of the price is the sale of anti-virus software, which is reducing the tender price by 19.95 USD all on its own. Hence there's significant sensitivity here to both the sale price and the conversion ratio: if v was only 33% then the tender price should be 17.70 USD. Quite clearly, this dependency on the sales of extra products alongside the clean-up service means that any organisation contemplating a low tender will have to implement an effective plan to train their technical operatives to be competent at end-user selling.

The final calculation worth doing would be the government's costs. Assuming that an organisation was indeed prepared to tender 11.05 USD per clean-up, what should the government budget to spend?

Estimates of malware infection vary considerably from a few percent of the online population, [9] up to scare-mongering 25% plus values. [10] Some of the most reliable data comes from the Microsoft MSRT programme, which expresses infection rates in CCM (computers cleaned per thousand runs of their scanning software). The CCM values are also very variable, but are typically under 10 for first world countries – the USA is 8.6, the UK 4.9 and Finland 2.3. Converting CCM values to overall infection rates is complex, but it does suggest that about 1% of the computer population will need the clean-up service per month. [11]

[9] Panda Security provide per country information, which distinguishes types of malware. Presently about 3.1% of UK computers have a serious problem (as do 7.3% of US computers). http://www.pandasecurity.com/img/enc/infection.htm

[10] The 2008 OECD report on Malware (OECD, 2008) contained the sentence "Furthermore, it is estimated that 59 million users in the US have spyware or other types of malware on their computers". News outlets picked up on this, e.g. The Sydney Morning Herald (SYDNEY MORNING HERALD, 2008) who divided the 59 million figure into the US population, and then concluded that around a quarter of US computers were infected (assuming that each person owned one computer). The OECD published a correction in the online copy of the report a few days later. They were actually quoting PEW Internet research on adware/spyware (which is a subtly different threat) from 2005 (which was a while earlier than 2008). The sentence should have read "After hearing descriptions of 'spyware' and 'adware', 43% of internet users, or about 59 million American adults, say they have had one of these programs on their home computer". Of such errors in understanding the meaning of data is misinformation made.

[11] Microsoft's general approach is to tackle widespread malware infections – viz: the high volume events. The work left over, which needs to be dealt with by the clean-up system, will concern a minority of people who have failed to enable the Microsoft tool, and malware with lower populations. Hence, assuming that Microsoft have already dealt with half the problem is a reasonable working estimate.

Assuming that s (the proportion of malware infected computers that are dealt with by the service) is 0.5 this means that about 1 in 200 computers will be using the service each month at a cost to the government of 11.05 USD, i.e. the annual cost per computer will be about 66 cents. The total cost clearly depends on the number of actively used computers in the country, which will be roughly equal to the population.

Putting this in context, this amount is rather less than the cost of water fluoridisation of about 92 cents (in today's money) per person (Centers for Disease Control and Prevention, 2001), and debates about that particular public health policy are seldom about the cost.

It might finally be noted that there are potential financial assistance opportunities for early adopters. For example, within the European Union, a successful scheme in one Member State is very likely to lead on to deployment elsewhere. It might therefore be possible to seek money for prototyping from central EU funds, particularly if this speeded up any aspect of deployment.

Conclusions

It has long been obvious that there are no effective schemes in place for ensuring that end-users who are infected with malware have their computers cleaned up; a conclusion that can also be found within the Conficker "lessons learned" report (Conficker Working Group, 2011).

Some countries are now beginning to see agreements being brokered between ISPs to deal with the problem – addressing some of the negative incentives by agreeing to act in a consistent and, sometimes, collaborative manner. However, there are considerable externalities to malware infection, and hence strong arguments have been made for regulatory action to compel effective malware removal (ANDERSON et al., 2008).

This paper has suggested an intermediate scheme – falling short of compulsion – which involves a government subsidy for clean-up schemes. Some political philosophies will of course dismiss this out-of-hand, but there are clear analogies with government initiatives for improving public health, which is often seen as an entirely appropriate milieu for government action.
Although subsidies might initially be thought to be substantial, modelling the opportunity to sell extra products alongside the main service suggests that with some plausible assumptions the cost to the public purse could be under a dollar per computer per annum – well in line with other public health initiatives.

The proposal cannot of course be seen in isolation. Unlike the initiatives to eradicate smallpox or polio, which tackle a fairly static threat, malware is constantly evolving and so this initiative will need to be accompanied by other initiatives which tackle the criminals. However, given that almost every wickedness on the Internet is underpinned by the use of malware-infected computers – and given the slow and patchy Internet industry response – this is clearly a legitimate area for governments to consider getting involved in, and putting up money to improve.

References

ANDERSON R., BOEHME R., CLAYTON R. & MOORE T. (2008): Security Economics and the Internal Market, European Network and Information Security Agency.

Apcomms (2009): Can we keep our hands off the net?, All Party Parliamentary Communications Group Inquiry Report. http://www.apcomms.org.uk/uploads/apComms_Final_Report.pdf

Centers for Disease Control and Prevention (2001): Recommendations for using fluoride to prevent and control dental caries in the United States, MMWR Recommendation Report 50 (RR-14): pp. 1–42.

Comcast Corporation (2009): Comcast Unveils Comprehensive "Constant Guard" Internet Security Program. Press Release, 8 Oct 2009.

Conficker Working Group (2011): Lessons Learned. http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf

Consumer Reports (2006): State of the net. http://web.archive.org/web/20060820182702/http://www.consumerreports.org/cro/electronics-computers/online-protection-9-06/overview/0609_online-prot_ov1.htm

CROCKER D. (1997): "Mailbox Names for Common Services, Roles and Functions", RFC2142, IETF.

EarthLink Inc. (2010): "EarthLink Announces First Quarter 2010 Results". http://ir.earthlink.net/releasedetail.cfm?ReleaseID=463674

ECO (2009): Anti-Botnet-Projekt des eco – Verband der deutschen Internetwirtschaft mit Unterstützung des BSI, Press Release, 10 Dec. http://www.eco.de/verband/202_7268.htm

EVRON G. (2009): "Dutch ISPs Sign Anti-Botnet Treaty", Dark Reading, 29 Sep. http://www.darkreading.com/blog/227700601/dutch-isps-sign-anti-botnet-treaty.html

HILVERT J. (2009): "eSecurity code to protect Australians online". http://iia.net.au/index.php/section-blog/90-esecurity-code-for-isps/757-esecuritycode-to-protect-australians-online.html

LIVINGOOD J., MODY N. & O'REIRDAN M. (2011): "Recommendations for the Remediation of Bots in ISP Networks", IETF Internet-Draft, version 10. http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-10

McPHERSON D. (2007): "ISP Death By A Thousand Duck Bites", Arbor Networks Security Blog. http://asert.arbornetworks.com/2007/09/isp-death-by-a-thousand-duck-bites/

MOORE T., CLAYTON R. & ANDERSON R. (2009): "The Economics of Online Crime", Journal of Economic Perspectives, 23(3), pp. 3–20.

OECD (2008): Malicious Software (Malware): A Security Threat to the Internet Economy, Organisation for Economic Co-operation and Development Ministerial Background Report, DSTI/ICCP/REG(2007)5/FINAL.

POLYCHRONAKIS P., MAVROMMATIS P. & PROVOS N. (2008): "Ghost turns Zombie: Exploring the Life Cycle of Web-based Malware", 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats (LEET), pp. 1–8.

PROVOS N., MAVROMMATIS P., RAJAB M.A. & MONROSE F. (2008): "All your iFRAMEs point to Us", 17th USENIX Security Symposium, pp. 1–15.

PROVOS N., RAJAB M.A. & MAVROMMATIS P. (2008): "Cybercrime 2.0: when the cloud turns dark", Comm. ACM, 52(4), pp. 42–47.

QWEST INC. (2007): "Qwest Customer Internet Protection Program Increases Security For Broadband Customers, Combats Spread Of Viruses And Malware", Press Release, Oct 2.

SERJANTOV A. & CLAYTON R. (2005): "Modelling Incentives for Email Blocking Strategies", 4th Annual Workshop on Economics and Information Security (WEIS05).

SHERRILL K. (2003): "Cost Per Call: Are we comparing apples to apples?", Help Desk Institute Library. http://www.thinkhdi.com/library/deliverfile.aspx?filecontentid=234

Sydney Morning Herald (2008): "A quarter of US PCs infected with malware: OECD", 2 June. http://news.smh.com.au/world/zombies-and-botnets-oecd-warns-of-hiddenarmies-in-cyber-wars-20080601-2kel.html