The U.S. Center for Disease Control and Prevention has its headquarters in Atlanta. Every time there is a major disease outbreak — or even concerns about one — the CDC makes headlines. It was at the center of the United States' response to the Ebola scare last year. More recently, it reported on the first apparent instance of the transmission of plague via dog to human. When there is a disease story making the rounds, the CDC is on the scene.
In a recent article for Forbes, Dave Lewis pointed out that the treatment of infectious diseases was an evolving but somewhat scattershot affair before the emergence of a centralized hub. When the Black Plague burst onto the scene in the 1300s, for instance, one of the reasons it was able to spread with such uncontrolled virulence is because there was not an organized means of combating it. The disease ended up claiming the lives of millions.
Of course, medicine has evolved hugely since the 1300s. But it is not only vaccines and better treatment options that separate modern medicine from the middle ages. It is also the fact that we have a centralized infrastructure. The CDC serves as an organizing tool for disease research — a place where findings from a wide array of sources are amalgamated, refined and made actionable. With the clear parallels that exist between malware and infectious diseases, the question Lewis asked is this: Is it time for a CDC of malware?
Can you imagine the Internet without Google? It is a difficult reality to conceive of, and yet once it was the case. When the Internet first emerged, there was no search giant indexing all of its pages. Instead, navigating the Internet was basically a big free-for-all. Now that Google is basically synonymous with computing, we can't dream of a world it.
One day, this same scenario may apply to malware. That is, we will look back in shock at the disorganized way we approached the influx of malware, and say, "Well of course we were always getting attacked — we weren't organized!" Malware, as Lewis points out, has evolved by leaps and bounds since the inaugural strain, a 1988 infection called The Morris Worm, whose greatest threat was that it slowed down computers. Today, malware does not just slow down computers — it commandeers them, steals from them, wipes them clean. It does not just threaten individuals and businesses, but also critical infrastructures. So where is our malware CDC?
"Oddly, we don't appear to have arrived at that stage in the evolution of malware response," Lewis states, which he "find[s] ... rather confusing."
But just because a malware CDC does not exist yet doesn't mean it could not materialize in the near future. In order for such a development to take place, we'd likely need a few preconditions in place:
If you are a business leader reading this article, you may be looking at it thinking that a malware CDC means your business won't have to worry about threat protection anymore. But that is the wrong line of thought. Just because the CDC exists, do you decide not to get vaccines — or wash your hands for that matter?
Were a malware CDC to arise, it would serve to augment — not replace — business cyber preparedness. Enterprises would still have a responsibility to take all the proactive steps toward solidifying a well-defended network, including:
Hopefully a malware CDC will arise. But whether or not it does, companies need to remain on the defensive and remember that an overarching malware prevention center does not mean businesses should adopt any degree of complacence when it comes to security. At the end of the day, the fight against malware is something that requires energy at every level.