The death spiral
Will IT ride today’s approach to anti-worm and anti-virus software to certain doom?
By Wayne Rash
September 12, 2003

Occasionally, an airplane pilot will perform a series of maneuvers that result in the plane entering a steep spiral from which there is no escape. Due to a number of factors, including airspeed that is too high, centrifugal forces that are too strong, and sometimes control surfaces without sufficient authority, the airplane will head inexorably downward. The end is certain and rarely pleasant, and the only means of survival for anyone inside is to parachute to safety.

Now, apply that gloomy image to your IT department. You’re under increasing pressure to do more with less. You’re lucky to have the resources to keep up with today’s threats; it’s all you can do to keep your operating systems and major applications up to date and keep your anti-virus, change detection, and other security software current.

And then a worm or a virus (or both) gets loose. Now you have to play the game, making sure you have the necessary patches and updates before the malevolent code has its way with you. Most of the time, you win.

But you also know that the margins are getting smaller each time. As worms and viruses get more sophisticated, it takes longer to identify them and longer for the companies that create anti-virus software and OS patches to do their jobs. Meanwhile, the creators of this malware are getting vastly more efficient, so they can beat their foes at Microsoft, Symantec, Network Associates, and wherever else people staff the defenses against the Internet’s depredations.

How long will it be before the writers of malicious code win? How long before they can create worms that can spread so efficiently and so quickly that the anti-virus companies no longer have a chance? Maybe a year? Less than that?

When that point arrives, the Internet will no longer be as useful as it is now. Companies that depend on the Net for commerce, for information access, and to make life easier for their employees will be forced to cut back on their exposure to the risks of malicious code. It could mean eliminating that risk by leaving the Internet entirely.

But does it have to be that way? When I learned how to fly, I was taught how to keep my airplane stable and how to avoid doing things that would get me into trouble. But I also flew aircraft that were themselves stable and designed not to allow maneuvers that would result in a death spiral.

Suppose that my airplane had been designed so that I had to occasionally get new flight instructions over the radio to know how to handle some new stability problem or new failure mode that cropped up? Eventually, it would catch up with me.

That’s what’s happening now with anti-virus and anti-worm products and OSes. Instead of being designed to disallow successful attacks in the first place, or to detect an attack in progress and prevent it, we’re forced to update the products after the fact.

As long as we get the updates done before the worm appears, that’s fine, but what happens when the worms get better? That’s when the death spiral starts and we’ll be on our way to a certain end.


Wayne Rash is a senior analyst at the InfoWorld Test Center.

InfoWorld