What are computer viruses, and why are they so hard to defend against? It's a fundamental question, but one that's rarely asked. We end up skipping it because we're usually dragged down to a much more detailed and tactical level: hearing about particular exploits and countermeasures. Yes, the specifics are important, but without the generalized understanding, we end up topical but not thoughtful.

I stumbled upon the comparison of online security with airport security quite recently. It proved useful in debating someone who believed that computer security firms could prevent all exploits overnight, but have no economic incentive to do so. If only things were so simple! The airport security metaphor (like all metaphors) is simple, incomplete, and easily stretched thin. Notwithstanding all that, it served to make my point. Judge for yourself.

First off, mal(icious) (soft)ware, or "malware," is the general term used to describe software programs (like viruses) that are designed to do damage. These are the terrorists. They want to move freely and pass undetected until they reach their intended destination, where they can execute their plan.

Security software is the application that acts like the border patrol or the TSA. Its job is to identify malware and stop it before it can gain access to our system. Sometimes it sits on our machine, and sometimes it sits upstream (e.g., in an ISP or a corporate network).

As in airport security, where terrorists mingle with innocent passengers, malware travels side by side with legitimate code. And so the challenge in both airport and online security is predictably picking out the bad elements from the sea of good, and moreover, doing this in a way that is minimally disruptive to the overall functioning of the system.

Approach 1: Let's compile the perfect no-fly list.

The low-hanging fruit is to create a big list of known terrorists and check each passenger against it. This describes in essence what most security programs do. They contain a list of signatures (think DNA fingerprints) for every known existence of malware. If they find a match between a signature and a piece of code, they block access. The key word here is "known." Things are fine as long as we can be sure the list is accurate and up to date, and that the matching process is efficient and foolproof. Meeting all these requirements is challenging in the airport security world and equally so in the online world.The fact of the matter is that reliable protection using a list of known threats is near impossible given the rate at which new exploits are being created. Like terrorists, new malware can and does come from anywhere and at any time. This element of surprise offers the malware writers the ability to maximize damage - capitalizing on the window during which the threat remains unidentified and absent from any lists. ​This is "zero-hour" vulnerability, as security folks call it.

To make things worse, malware is often designed to self-mutate, creating derivatives that are sufficiently different from the original. The result: a signature that would block the original strain could fail to identify a variant. Parlayed into TSA speak: not only are new terrorists born every minute, but known terrorists can clone themselves into uniquely different variants. That's what the malware signature approach is up against, and explains why security vendors continue to look for reliable alternatives.

Approach 2: Ok, forget the list. Let's use our intuition.

As a reflection of this exposure, some security programs complement the signature approach with something else. It's called "heuristics," but the impolite description is "profiling." If you can't positively identify a threat, look for clues or indicators of malicious intent based on previous learning. In the airport scenario, this can be anything deemed suspicious that is used to pick out first-time terrorists who would never be on a no-fly list. But, as you might imagine, tuning the heuristic is unfathomably difficult. Too sensitive and you end up stopping a lot of innocent people. Not sensitive enough, and bad code (and bad people) continue to find ways through. As in all well-designed attacks, the perpetrators are often the ones who blend in the best.

Approach 3: Fine, how about we just interrogate everyone?

Ok, so lists and heuristics leave us short. So how about detaining every passenger for a detailed investigation? We're not talking about the simple pat down and bag screen, but rather some quality time in an interview cell with a latex glove. Some security software attempts to do just this. It's called "sandboxing" - a way to execute (run) a program in a restricted area to see if it has malicious designs. Sounds awesome, until you realize it's also the best way to bring web surfing to a grinding halt. There's simply too much traffic to indiscriminately sandbox everything, so we have to fall back on judgment to figure out who to pull out of the line. And that brings us right back to the use of some kind of heuristic (aka gut intuition). Shoot.

So where does this leave us?

Security has always been a game of minimizing risk, not eliminating it. So running up-to-date security software is rational, but it's not the silver bullet that we've been sold. In fact, it's probably true that the criminals have innovated around our current defenses more adeptly than we'd like to believe. The uncomfortable conclusion is that we continue to remain exposed despite the best (and mostly noble) efforts of the security industry. Assuming they have the know-how to prevent all exploits is grossly overestimating their capabilities, while at the same time unfairly impugning their motives. As with physical-world threats, when it comes to online security, the massively advantaged position is held by the attacker. It’s high time we looked to solve the problem from an entirely new perspective.