OECD report on malicious software.

The Organisation for Economic Cooperation and Development (OECD) released a report titled Malicious Software (malware): a Security Threat to the Internet Economy last week on the international state of Internet security.

This report, developed in collaboration with "experts", aims to inform policy makers about malware impacts, growth and evolution, and countermeasures to combat malware. It seeks to analyse some of the main issues associated with malware and to explore how the international community can better work together to address the problem. Highlights include the following:

- Spam has evolved from a nuisance to a vehicle for fraud to a vector for distributing malware. Malware, in the form of botnets, has become a critical part of a self sustaining cyber attack system. The use of malware has become more sophisticated and targeted. Many attacks are smaller and attempt to stay "below the radar" of the security and law enforcement communities.

- The effectiveness of current security technologies and other protections in detecting and containing malware is challenged by the shrinking of the time between the discovery of vulnerabilities in software products and their exploitation.

- The behaviour of market players confronted with malware (whether Internet service providers, e-commerce companies, registrars, software vendors or end users) is influenced by mixed incentives, some working to enhance and some to reduce security. There are many instances in which the costs of malware are externalised by players at one stage of the value chain onto other players in the value chain.

- A wide range of communities and actors – from policy makers to Internet service providers to end users – h as a role to play in combating malware. There is still limited knowledge, understanding, organisation and delineation of roles and responsibilities in this broad community of actors.

- Current response and mitigation are mainly reactive. There is a need for more structured and strategic co-ordination at national and international levels with involvement of all actors to more adequately assess and mitigate the risk of malware.

- No single entity has a global understanding of the scope, trends, development and consequences of malware and thus the overall malware problem is difficult to quantify. Data on malware are not consistent and terminology for cataloguing and measuring the occurrence of malware is not harmonised.

- Although its economic and social impacts may be hard to quantify, malware used directly or indirectly can harm critical information infrastructures, result in financial losses, and plays a role in the erosion of trust and confidence in the Internet economy.