Easttom: in cyber war, malware is “the weapon of choice”

Prior to beginning his doctoral degree at Capitol, consultant and IT professional Chuck Easttom had already made significant contributions to the fields of cybersecurity and computer science. He is the author of 26 books on programming, digital forensics, cyber security, and penetration testing.  Several of those books are used as textbooks at various universities. He  holds more than 40 industry certifications and has served as a subject matter expert for CompTIA certification exams in the creation of the CompTIA Security+, Server+, and Linux+ certifications. He was also on the Certified Ethical Hacker version 8 test revision team and created the OSForensics Certified Examiner course and test. 

Easttom is a regular speaker at computer science and security conferences including Defcon, SecureWorld, ISC2 Security Congress, IEEE conferences, AAFS, and many others.  He has already published dozens of peer reviewed papers and articles in trade journals like 2600 Hacker.  Additionally Chuck Easttom is an inventor with 13 computer science patents so far.

Most recently, Easttom was invited to present a paper on weaponized malware at the 13^th International Conference on Cyber Warfare and Security, held from March 8 to 9 at National Defense University. In addition to the paper, Easttom is presenting a poster at the event.

What research did you present at the ICCWS?

The paper is, in effect, a how-to on weaponized malware, and puts forward the argument that we should use weaponized malware. Cyber warfare is here, it occurs, malware is the weapon of choice in this domain, so let’s look at how to use it effectively.

The paper also aims to set up a different type of malware taxonomy. Instead of looking at malware based on the damage it causes, we look at it based on which one would be best selected for particular cyber warfare missions.

In addition to the paper, I presented a poster on a proposed taxonomy based on the McCumber Cube, which is one of the important conceptual models used in the cybersecurity field. The McCumber Cube provides a view that goes beyond the oft-cited triad of confidentiality, integrity, and availability; it allows us, for instance, to apply these three parameters to data at rest, data in motion, and data in processing.  So we get multiple dimensions. What I’m proposing is a taxonomy for all types of attacks – malware, denial of service, or any other type of attack – based on which of the McCumber Cube dimensions they affect. I have a paper in the works on this topic.

What are some of the objections raised against use of weaponized malware, and how would you answer these objections?

The first is the general ethical issue of using cyber, in any way, as part of an offensive methodology. However, it is simply a fact that countries have cyber conflicts. That’s the reality. From my perspective, weaponizing malware isn’t different from developing any other type of weapon. Scientists work on developing missiles, guns, and other things. Why would a cyber weapon be any different? What I find odd in these ethical discussions is that the same people who voice outrage at the fact that the United States or one of our allies might attack computers in Iran don’t seem as outraged when we send in a plane and drop bombs. Now, if you’re angry at me, would it be better from my perspective for you to drop a bomb on my house or target me with a computer virus. Maybe others will disagree, but I vote for the virus!

That brings us to the second objection. Carl Sagan famously opined that no scientist should be involved in any sort of weapons research. While Sagan is a great hero of mine, I can’t agree with that. We live in a world where bad things happen and there are bad people. That means weapons are required, including cyber weapons.

One of the things I do discuss in my paper, though, is how to minimize collateral damage. I’ve already published research on how to target malware so that it looks at the machine it is on and determines whether it has found one of its targets; if not, it would self-destruct. That’s something we’re not doing that I think we should.

The Stuxnet virus offers a case in point. Experts agree that Stuxnet was designed to target Iranian nuclear refinement. In the process of reaching its target, though, it affected a whole lot of machines that had nothing to do with Iran or its nuclear program. And that’s a problem. Even if we agree that it’s okay to attack Machine X, it’s not okay to attack every machine that might connect to X.

You’re already a cybersecurity expert who has authored many books and publications. What motivated you to undertake a doctoral degree, and why did you choose Capitol?

We all have gaps in our knowledge. No matter how much expertise you may have, there are going to be areas where you can afford to strengthen your understanding. It’s not uncommon to encounter people – a colleague, say, or even a professor – who know less than you in terms of the overall field, but may have one particular piece that you don’t have.  We have to be ready to put our egos to one side and be willing to close those gaps.

Another reason is more personal. As a child, being something of a geek, I always imagined I would have a doctorate by the time I was 25. Life got in the way and I’m well past 25. My wife told me I would never be happy until I achieve that milestone, and she’s probably right. Not having a doctorate hasn’t hurt my career; I’m a frequent public speaker, often at events where I’m the only speaker without a doctoral degree, and have published several books. But it’s a matter of self-fulfillment.

Capitol jumped out for a couple of reasons. Online education has exploded in recent years, but quite a few of the schools involved – especially the for-profit schools – have what I would consider to be very weak programs. In some cases, they exist mainly for one purpose -- to take your money. Capitol is not an online for-profit school; it’s a bonafide university. The undergraduate engineering programs are ABET-accredited; the school has contacts with NASA, and it’s a DHS and NSA-designated Center for Excellence in cybersecurity. It’s a strong university that happens to offer the opportunity to take courses online.

I also like the fact that Capitol is focused. There aren’t 500 different majors you can take. If you want to major in medieval European history, Capitol isn’t the school for you. Capitol does business, engineering, and technology. I like being at an institution that has this kind of focus.