£28bn: the cost of the 'worst case worm'

Study assess the dameage that the worst possible electronic attack could inflict

Estimating the damage that serious worm infections cost businesses is a difficult job.

Mi2g and Computer Economics are both widely-quoted when it comes to estimating costs, but neither discloses its damage model and their assumptions are not transparent. This casts serious doubt on the precision of their figures.

That is why a recent analysis by academics Nicholas Weaver and Vern Paxson, members of the International Computer Science Institute (ICSI), is worth looking at. Weaver and Paxson's model, metrics and assumptions are completely transparent.

They estimate that the likely cost of a sophisticated "worst case worm" attack, targeted at the US and designed for maximum economic impact, could be anything up to £28bn.

The scenario assumes that a very complex worm targets one or more "zero-day exploits" - security weaknesses that are publicly unknown. It is also assumed to be capable of secondary spreading through conventional vectors such as e-mail, web pages and local area networks - what is known as a "blended threat".

Risk analysis

The worst case worm would also be directed at infiltrating internal networks not directly exposed to the internet. The payload of the worm is assumed to involve widespread destruction of data and disabling of platforms.

Using accepted risk analysis techniques, Weaver and Paxson present a simple, linear damage model, based on lost productivity, repair time, lost data and damage to systems. It is assumed that back-ups are generally available and that most data loss is not permanent.

The authors estimate that 50 million hosts would be infected - 60% of the population of Windows systems in the commercial and government sectors - resulting in losses of £28bn in the US alone.

The most costly factor was found to be machine downtime. The model excludes secondary losses as too difficult to estimate and often grossly exaggerated. Home PCs are also not included.

The ICSI scenario is plausible, but overlooks one crucial shortcoming. Network perimeter defences can be breached only where firewalls remain open to traffic, primarily port 25 (SMTP) and, to a lesser degree, port 80 (HTTP). A third and yet smaller means of attack may be via portable devices such as laptops.

Many large corporates filter executable e-mail attachments and this would seriously impede the progress of the attack against the main targets, US commercial and government sectors. HTTP provides an alternative route, but is relatively slow and poorly focused as it needs human intervention (web surfing activity).

What if it happens?

So what if we were faced with a worst-case worm attack? Anti-virus defences would be useless in the early stages and may be impeded later by aggressive anti-anti-virus action on the desktop and distributed denial of service attacks on the signature update servers.

Organisations should be ready to implement a "siege mode" policy at their e-mail gateways, quarantining all attachments for the duration of the incident.

The browser and mail client represent the last line of defence and are technically the weakest links in the chain. IT directors should consider the cost benefits of installing more secure alternatives, such as Mozilla applications.

How probable is a worst case worm incident? Technically, it is feasible. If it does materialise, we can be quite confident it will be the work of a well-resourced hostile government. It could hardly be otherwise: no one else would have the necessary motivation, skills and resources. But it is not to be undertaken lightly, as retaliation would no doubt be severe.

Still, publication of the ICSI damage model must be applauded. It may be seen as too simplistic by some, but it does represent a valuable contribution to the anti-virus research community as a "stake in the ground".

Pete Simpson is Threatlab manager at IT security supplier Clearswift

Read the full ICSI report: 


Read more on Hackers and cybercrime prevention