Virus Writing 101

In a May 2003 press release aptly titled "Computer viruses - a viral approach", the University of Calgary announced their decision to offer a curriculum that includes teaching students how to write computer viruses. The University of Calgary alleges the Computer Viruses and Malware class will "help students gain better understanding of security issues which will help prepare them for careers dealing with computer security and helping industry develop more secure software."

To defend their position, the university claimed it is "similar to what medical researchers do to combat the latest biological viruses such as SARS." Opponents argue that while medical virus researchers may study the inner structure, viral functions, or immune responses, they do not create new viruses in an attempt to better understand existing ones. They point out that just as many samples of medical viruses already exist and can be studied, there are tens of thousands of existing computer viruses available for detection and analysis purposes. Chris Belthoff, senior product marketing manager at Sophos, Inc., agrees, "the University of Calgary has tried to draw a comparison with the SARS virus. But scientists don't actually create new biological viruses in order to find cures for new ones. Instead they do what we do - careful examination of new threats and a thorough understanding and analysis of the many threats which already exist."

Dr. John Aycock, the course professor, apparently persuaded the University to offer the class, reasoning that "in order to develop more secure software, and countermeasures for malicious software, you first need to know how malicious software works and the mindset of its creators." In other words, according to Dr. Aycock's standards, it takes a thief to catch a thief. Belthoff questions the wisdom of such an approach, asking, "Should we teach kids how to break into cars if they're interested in becoming a policeman one day? It is simply not necessary to write new viruses to understand how they work and how they can be prevented."

Belthoff also expressed concern regarding the ethical and legal implications of teaching students to write viruses, stating "creating new viruses is of no benefit at all, but could lead to greater danger." Sophos points out that none of the researchers working in its labs write malicious code to achieve a better understanding of how to defeat viruses. In a paper presented at the 2001 Anti-Virus Asia Researchers (AVAR) Conference, titled "Is virus writing really that bad?", Paul Ducklin, Head of Global Support for Sophos in Australia, analyzed the controversy surrounding virus writing. Ducklin provides compelling examples of damage wrought by viruses, intentionally released or otherwise. Indeed, if any comparison can be made between medical viruses and computer malware, it is that both can pose a significant threat if mistakes occur and the virus is released.

Putting the question of ethics or wisdom aside, there are important legal considerations involved with the decision to offer a course in virus writing. If (or more likely, when) one of these student-created viruses finds its way onto the Internet, who will be held financially, morally, and criminally responsible? It certainly seems the student has a ready defense - the professor made me do it - meaning the most likely candidate for prosecution may just be Professor Aycock or the University of Calgary. Considering that some viruses have estimated damage costs ranging in the millions of dollars, one has to wonder whether the University's insurance and financial officers, or alumni, are taking note of the implications of Dr. Aycock's planned curriculum.

