
Let’s Teach Malware When It’s Ready: The Purpose of Undergrad CS

Georgia Institute of Technology Professor Mark Guzdial

In the February 2011 CACM, George Ledin, Jr. argues in his article "The Growing Harm of Not Teaching Malware" that we need to be teaching all CS undergraduates about malware. He bemoans that, because of the lack of such classes, "This means that we are matriculating computer scientists whose knowledge of malware is roughly on par with that of the general population of amateur computer users." He describes what should be going on in these classes:

On the technical side, teaching malware requires knowing viruses, worms, Trojans, and rootkits, which obligates teachers to have read their source code, which in turn requires them to have the ability to reverse the binaries, and the facility to launch, run, and infect machines on an isolated subnet. Having read a sufficiently large, representative sampling of historic malware source code then leads to formulating various generalizations to build a theory of malware that can be tested by writing derivative malware, new in a shallow sense but not necessarily innovative.

Why do we need such expertise in malware? Why can't we just fix the problem? Professor Ledin explains:

The reason we cannot solve the malware problem is simple: We don't have a theory of malware.

I don't have a problem with teaching malware in undergraduate computer science. I do argue strongly that it should be an elective, not a requirement. In the end, I disagree with Professor Ledin over a view of what an undergraduate degree in Computer Science is for.

First, an undergraduate degree is about learning how to think, not inventing new knowledge. Malware experts don't have a theory of malware. Professor Ledin would like undergraduates to invent a theory of malware. Perhaps the undergraduate students at Sonoma State University are much better than the ones I meet, but I don't think most undergraduates can invent a theory better than the existing experts.

Second, and more important to me, the purpose of an undergraduate degree in Computer Science is to teach students about Computer Science, not prepare them to be software professionals. I agree with Jeannette Wing when she wrote: "One can major in computer science and go on to a career in medicine, law, business, politics, any type of science or engineering, and even the arts." It's not at all obvious to me that knowing malware is a critical requirement for any of those careers. I am happy for my doctor, lawyer, businessman, or politician to have only a cursory understanding of malware. Sure, professional software developers should know about malware. It's a fallacy that an undergraduate Computer Science degree is about becoming a professional software developer.
