I was recently criticized—and rightly so—for interpreting malware to mean “malevolent software” when indeed it is commonly used to mean malicious software, whereas malevolent is used to describe programs—malograms?!
So, I decided to look up some definitions. Here is what I found.
“Malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network.” [Wikipedia]
OK. So, what are malevolent programs?
“A malevolent program is a computer program designed to have undesirable or harmful effects.” [definition.org]
But wait. These definitions appear to be very similar. And they are. However, if you delve more deeply, you can find some differences. An example of a malevolent program is a logic bomb: software designed to do damage at a particular time. But a logic bomb is also a form of malware.
What is missing is that malware is the term commonly used across a broad spectrum of nefarious software, some of which don’t damage actual systems and networks but exfiltrate data that are then used for identity theft, fraud, blackmail, extortion, and other crimes. Consequently, one must change the definition or use a different term. I like the term “crimeware” as it is all encompassing.
I would define ransomware to be crimeware (rather than malware) as, in its newer forms, it both damages the data (via encryption) and exfiltrates sensitive private and secret data to be used against those whose personal information or intellectual property was obtained by the attackers.
Why is this important? Surely I’m just being pedantic. Perhaps not. I think that we should examine more closely the categories that software emanating from bad actors falls into. That way we can perhaps be better able to plan for and defend against evolving threats.
At first blush it would appear that malevolent programs originate from within organizations (insider threat) or via suppliers or business partners and target victims and organizations specifically. Malware sounds like it originates externally and is an equal-opportunity employer seeking out vulnerable victims. Crimeware covers the whole waterfront, coming from both internal and external sources.
What does this mean for cybersecurity professionals? For one thing, it focuses one on the source of the maliciousness or malevolence. It also points to the motivation of the perpetrators. Merriam-Webster makes the following distinction:
“Malicious and malevolent are close in meaning, since both refer to ill will that desires to see someone else suffer. But while malevolent suggests deep and lasting dislike, malicious usually means petty and spiteful.”
This differentiation seems to support assertions that insiders or close peers and partners can be malevolent, whereas much malware is indifferent as to who the victim is, and is just interested in taking advantage of whoever is vulnerable. Also, hackers are less interested in the suffering of the victim than in the benefits gleaned from the attack, whereas part of insiders’ motives may be to cause pain and suffering.
What does this suggest for defending against different forms of attack? For one thing, one might try to resolve (in advance) the cause of the dislike to avoid malevolent insider attacks. This would not work for a malicious attacker who really doesn’t like or dislike the victim and would not respond to efforts to reduce animosity. It’s no use trying to appeal to a hacker’s better self. The only deterrence is the likelihood of getting caught and suffering some consequences.
Also, motivations and motives differ among and between various players. A malevolent insider’s motivation might be to “get even” in some way, and their motive or intent of particular attacks might be to take down a critical system and cause confusion and losses. A hacker’s motivation could be to show off how smart they are to their peers, that is, a narcissistic desire to gain approval. A hacker’s motive, on the other hand, might be to take down a system just for the joy of it.
The confusion between malevolence and maliciousness was apparent with the SolarWinds attack. Was the attack for the purposes of causing distrust of systems and a loss of confidence, with its political and economic implications? Or was the intent to exfiltrate data and monetize the information obtained? Or both? Whatever the plan, it’s bad news. But knowing the intentions of the attackers would greatly assist in choosing the most appropriate response.