Cyber Secure Institute on the Conficker Controversy

Monday, April 20th, 2009

Recently WTOP, Washington, DC’s newsradio station, aired an interview with a cybersecurity expert from a major systems integrator who said that the failure of the Conficker worm to result in some form of major cyber assault or disaster showed that our IT systems were more secure and more resilient than people tend to think. This conclusion is wildly off base and patently flawed. In short, just because the other guy in a fight doesn’t pull the trigger when he’s got the gun to your head doesn’t mean you won the fight.

Since October of 2008, the Conficker worm has been the subject of a great deal of attention and debate. To date, the Conficker worm has infected countless computers; estimates range wildly from 200,000 to more than 10 million. It has demonstrated the ability both to end-run security measures and to establish communications with the computers it controls despite major efforts to stop it. It has also consumed an extraordinary amount of time and energy from CIOs and cybersecurity experts around the world.

However, because there was no major Conficker-created problem on April 1st when hijacked computers went online and began communicating with controller domains, numerous commentators are now downplaying the significance of the worm.  This view is misguided.

In order to properly gauge the importance of the Conficker problem, the threat and the facts must be considered in their totality.  Whether or not Conficker ultimately turns out to be a sales tool for bogus Ukrainian security software or something much more destructive, the simple fact is that the Conficker worm has infected perhaps ten million computers around the world.  The worm has evolved, circumventing cybersecurity software.

As a result, if anything, Conficker has demonstrated the inadequacy of today’s cybersecurity, and in particular of relying upon cybersecurity add-ons such as firewalls, anti-virus programs, and the like.

Additionally, it is wrong to suggest that the worm has had no negative impact. Conficker has begun executing harmful instructions on the computers it has infiltrated. For example, although they were shut down in early March, the worm’s self-propagating routines have been reinstated, which makes for easier sharing across the P2P network it has generated. Additionally, the worm received instructions to secretly install copies of the Waledac spamming worm, which has caused computers to be overwhelmed with fake anti-virus software. This software claims to have scanned the infected computer and prompts the user to pay for a removal tool; in reality, if the user complies, he has just paid to have his computer infected even further. While not catastrophic, these impacts are real.

Any analysis of the true impact of Conficker must also factor in the (wasted) time, resources, and energies of the cyber-community, governments, companies and individuals. Extrapolating from studies on the average cost of similar past attacks, the total economic cost of this worm (including the cost of efforts to combat the worm and the cost of purchasing counter-measure software) could be as high as $9.1 billion. Even using the single, outlying data source that suggests a much more limited scope of infection (<200,000), vastly less than all other sources suggest, the cost of this virus is still roughly $200 million. It should, however, be emphasized that these estimates do not factor in opportunity costs: what could have been achieved if the expertise, time, energy and resources devoted to combating this virus had been devoted to more productive efforts.

Moreover, it is too soon to say for certain what is next with Conficker itself.  The worm remains active.   There is no way to know if the actors behind the worm have played out their full hand.  It is way too soon to declare victory.

And it is likely that this is not the last we will see of worms like this one. In all likelihood the next virus that deploys similar capabilities will not be nearly as benign. While the worst-case scenario has not yet materialized with this worm, it opens a Pandora’s box of new risks. To suggest that we are somehow secure against these risks, just because Conficker hasn’t yet inflicted the damage it could, is nonsensical.

Finally, the most confounding aspect of the Conficker worm threat is that this entire problem, along with almost all other similar threats, can now be avoided if we start to deploy inherently more secure technologies. At least two technologies, the Integrity Global Security operating platform and the Tenix Interactive Link Device, have been certified by the National Information Assurance Partnership and the NSA against the most sophisticated threats. These new technologies are capable of protecting systems and isolating critical data, and can eliminate viruses and worms from computers at the click of a mouse. The widespread deployment of inherently secure cyber-technologies, certified to the highest levels of robustness, would reduce the risk of viruses like Conficker to basically zero, and even over the near to mid term the savings would more than pay for the cost of deploying these new technologies. Over the long term the savings here, in time, energy and opportunity costs, would clearly be in the hundreds of billions.