Over the summer, the antivirus company Norton announced it was adding a new feature to its LifeLock security software: the ability to mine cryptocurrencies using its “Norton Crypto” tool. True to Norton’s roots as a security company, Norton Crypto was billed as a way to help customers improve their cybersecurity by allowing them to mine cryptocurrency without having to rely on “unvetted code on their machines that could be skimming from their earnings or even planting ransomware.” To be sure, there are real security risks associated with downloading and running untrusted mining programs. But, as a general rule, when a company refashions itself as a cryptocurrency business, it’s usually because it’s in trouble and looking to pivot away from a failing business model to something new and cool (and potentially lucrative). In 2018, for instance, when I lived in Rochester, New York, the local business giant Eastman Kodak announced it was launching a “photo-centric cryptocurrency.”
So when a prominent antivirus firm takes a turn toward cryptocurrency, it’s certainly possible to interpret that move as a sneaky money grab. That was the general gist of Cory Doctorow’s tweet about Norton Crypto this week, in which he pointed out that Norton takes a cut of the cryptocurrencies its users mine (15 percent of the crypto allocated to each miner, according to its website). But perhaps the more interesting question is what it says about the market for antivirus software that one of the most prominent manufacturers of those products is now going the way of Kodak.
Once upon a time—say, 10 years ago—antivirus software was one of the standard cybersecurity recommendations for everyone. Companies purchased licenses for all their corporate computers from one of the big vendors and it became a matter of course that all Windows computers, or at least all work computers, would be running a program from McAfee or Norton or Kaspersky or Avast, or one of the other usual suspects, in the background at all times to scan for viruses. Most of these companies now offer a range of other security services in addition to standard antivirus and anti-malware programs. McAfee and Norton provide identity protection and VPN services, Kaspersky sells a password manager and a system for parental controls, and Avast has both a secure browser and a browser extension, to name just a few. In other words, the cybersecurity ecosystem has expanded well beyond just antivirus software. In fact, there is now some debate over whether antivirus programs are even a particularly useful or effective line of defense for most devices, especially operating systems increasingly include built-in security features. For instance, a few years ago Microsoft launched the built-in antivirus program Microsoft Defender Antivirus with Windows 10. Apple devices, which have generally been less targeted by malware than Windows ones, also include a malware scanning tool called XProtect as well as a Malware Removal Tool. And while it may seem like more antivirus protection is always better, this is not necessarily the case—in fact, antivirus programs have been known to try to uninstall each other if they think other antivirus programs are malware because they contain known malware signatures (which they use to identify viruses).
For many of us, including me, the so-called security software packages pre-installed on our work computers have come to feel a little like malware: clunky programs that require lots of computing resources and cannot be shut down and are constantly popping up on the screen with irritating little messages. And most importantly, many of the cybersecurity incidents we worry about most these days would probably be pretty unlikely to be caught or solved by antivirus programs anyway.
Perhaps, then, it’s more accurate to say that antivirus software feels a little like a historical vestige of past cybersecurity best practices. Why do we cling to them? Because they were hammered into us for so many years, or we already have the institutional contracts in place to provide these programs, or simply because it seems like a little extra security couldn’t hurt at a moment when cybersecurity breaches are so much in the news. When someone asks me “Should I get a subscription to Norton Antivirus?” these days, I always tell them no. There are security tools I believe in and think are sometimes worth paying for (password managers, VPNs, for instance), but antivirus software and identity protection services haven’t made that list for many years.
It’s difficult to dislodge entrenched cybersecurity guidance, especially when the recommendations we now offer for how organizations should protect themselves (segmenting networks, multifactor authentication, penetration testing) can feel so much more cumbersome or work-intensive than just installing some code on everyone’s computer. So I’m not especially optimistic that any of us will be receiving work computers any time soon that aren’t burdened with bloated security packages.
But the Norton Crypto announcement does suggest that even the big antivirus firms know their products are no longer at the vanguard of cybersecurity protections if they’re thinking about branching out into providing crypto mining services.
It remains to be seen whether Norton will be able to do this well (its user support board is littered with complaints), and whether other security firms will follow its lead. More businesses getting interested in cryptocurrencies is hardly news at this point, but the convergence of crypto mining and antivirus software is noteworthy if only as a harbinger of where these security firms see the market for antivirus software heading and how they’re hoping to stay current. But if Kodak’s unsuccessful attempt to revive the film and camera business with a Bitcoin miner is any indication, hitching antivirus software to cryptocurrency mining may not be the stroke of inspiration that Norton hoped it would be.