The Digital Battlefield
Eugene Kaspersky argues that the Internet has become a war zone with information as the prize, and calls for an international online police force to fight off cyber threats
RP: Terms such as “cyber-warfare” and “cyber-terrorism” have been used loosely in recent years to describe a wide range of national and international threats. Do you think there is a need for a narrower definition of these terms, and if so how would you define them?
EK: Cyber-warfare can be defined in many different ways. I break it down like this: if a cyber-attack causes serious financial damage, it’s cyber-crime. If there’s damage to a nation’s state-owned infrastructure and the cyber-attack was launched by another nation, this is an act of war – cyber-war.
Instead of being fought over disputed territories, natural resources or a disputed throne, the ultimate goal of cyber-war is access to information. This could be the blueprints of a next-generation fighter plane, the schematics of a power grid, or how to get entry to the industrial control systems for a drinking-water supply. Once this information is obtained, the new owners use it for their own personal gain, sell it to the highest bidder on the black market, or use it to destroy or damage targeted objects.
Concerning cyber-terrorism, the threat of it was first given serious thought back in the early 2000s, but discussions of it in public were almost non-existent. That was until the film Die Hard 4.0 came out in 2007! The subject of this film was easy to scoff at – Hollywood is Hollywood after all, and no one expects it to base its films on fact. We at KL, however, saw the serious side, since we understood there was nothing to stop that kind of scenario being played out in real life. After watching the film I started talking openly and issuing warnings about cyber-terrorism. My warnings have turned out to be bang on the money: the threat of cyber-terrorism is only too real and not in the slightest exaggerated.
Targeted cyber-attacks on various Internet sites, local networks, databases and state organisations are making the front pages almost weekly of late. And what makes these cyber-attacks most lethal of all is that they can go undetected. Physical objects like merchandise or military equipment, which are traditionally desirable in terms of theft, are easy to monitor and protect due to tangibility and physical size – you can’t carry one off on a flash drive. When it comes to information, of course, it’s just the opposite. Software attacks are invisible. They can be launched over the Internet. They don’t show up on metal detectors or CCTV. Thus, they are much more dangerous. For example, technical vulnerabilities in a state’s computer-supported infrastructure may be exploited in a cyber-terrorist attack to disrupt vital networked systems. And the consequences could be catastrophic.
RP: Given that there are very few countries with both the capabilities and motives to launch a large-scale cyber-attack, how do you respond to those who argue that the threat is being overstated?
EK: I’ll stick to the facts in my response, which are as follows. First, the militaries in different countries are busy creating dedicated cyber-units and coming up with cyber-weapons. Examples include China, the EU, France, Germany, India, North Korea, South Korea, Nato, the UK and the US. Second, industrial espionage incidents and acts of sabotage are no fantasies. Examples include the high-profile attacks using Stuxnet and Duqu, which were clearly backed by nation states. Third, news about carefully planned attacks is appearing at an alarming rate, to the extent that a new term has been coined for it: advanced persistent threat (APT).
There is no doubt that this is all just the tip of the iceberg. Whenever we uncover a new Stuxnet-like malicious program it turns out that: the malware accidentally “blew its cover” because of a mistake or oversight; it has been quietly “residing” in various networks for a long time already, and we can only guess at what it has been up to there; and many technical features of the malware and also the motivations of its creator are still a mystery.
Clearly, we’re sat atop a powder keg. The militaries of different countries are gradually turning the Internet into one big minefield. A single keystroke could unleash such chaos that nobody would be left unaffected. A misguided push of a button could bring everything to a halt – and not just computers. The chain reaction would engulf the real world as well as the virtual one. Infrastructure could be affected – including the potentially devastating sort like nuclear power stations. A network conflict could quickly escalate into a military one. And it’s no overreaction on the US’s part in its equating hacker attacks with an invasion – the country clearly understands the scale of the possible consequences. Indeed, the more we look at it, the scarier it gets.
RP: Can you give any examples of “cyber-warfare” activity that might demonstrate the possible scale of attacks in the future?
EK: Targeted attacks on critical systems – including the high-profile “Aurora” and “Night Dragon” attacks – have already demonstrated the potentially disastrous consequences of networks being vulnerable. Recent developments such as the Stuxnet and Duqu malware have demonstrated that even supposedly secure industrial infrastructure systems can be attacked, not just commercial companies. Stuxnet was a unique, sophisticated malware attack backed by a well-funded, highly skilled attack team with intimate knowledge of SCADA technology. In a way, Stuxnet can be described as a cyber-Hiroshima: the first application of a new, fearsome technology which rewrites the rule-book and forces all sides to seriously reconsider the new paradigm it has forged.
RP: State-sponsored “cyber-warfare” has been a growing trend in the past few years (albeit at a fairly low level so far), as has cyber-crime. Do you think there is an additional threat from non-state actors, such as terrorist groups, or are the capabilities beyond them?
EK: Lately hacktivists have been causing havoc online. It appears they can hack anything and anyone, anywhere. The recent example of the Hungarian constitution being hacked and rewritten is a perfect example of the reach – and audacity – of the hacktivists. But more sobering and ominous is the prospect that these hacktivists may turn into cyber-terrorists, even if unwillingly. With such high skill-sets and well-publicised proven track records, the hacktivists could become targets for criminal or terrorist gangs that may want to work them to different degrees or even control them – whether the hacktivists like it or not – based on traditional shows and uses of violence by organised criminals/terrorists.
RP: Is enough being done, in your opinion, to address the evolving cyber security threats? What more should governments be doing?
EK: The battle has only just begun. Many countries already have computer emergency response teams (CERTs) and good cyber-crime laws, but in many cases, law enforcement is faced with a shortage of funds and resources, which makes the fight harder.
Another problem in dealing with Internet threats is that the Web has no borders, and neither do the cyber-criminals who operate on the Internet. Today a cyber-criminal may rob Indian users, tomorrow UK users, and the day after tomorrow Danish users, while he himself is sitting in Somalia. But law enforcement agencies have jurisdictional limits, and are unable to conduct investigations alone right across the globe. So logically they should co-operate with their colleagues in other countries. But this is where the problem lies. National police forces and other law enforcement agencies don’t share information sufficiently. What is needed is an Internet police force to investigate international cyber-crime – a kind of Internet Interpol. I’d also suggest creating unified laws on cyber-crime. As you can see, there’s a lot of work ahead on this.
RP: At present the majority of preventative and investigative action taken against cyber-threats is conducted at the national level. Do you think there is a need for more international co-operation to confront these threats, and if so what sort of organisation would provide an optimal platform for these efforts?
EK: Absolutely! The least we can do at the moment is establish the “rules of the game” for the virtual battlefield, regulate the development and use of cyber-weapons, come up with new definitions, and adjust the traditional Code of War. In my opinion we urgently need a sort of cyber-IAEA – an international agency to oversee co-ordination involved in dealing with these issues. I was talking about this at the recent Munich Security Conference. Not surprisingly, I discovered that my industry contemporaries share my vision, including Michael V Hayden, Neelie Kroes and Giampaolo Di Paola.
RP: Who should be taking the lead in this cyber-security endeavour?
EK: There are already two large organisations that want to be responsible for fighting cyber-crime on the global level: the Action Against Terrorism Unit (a department of the United Nations) and Interpol (international police organisation), which plans to open a Cyber Interpol division office in Singapore in 2014.
I also think some kind of international cyber-security organisation (“ICSO”) should be created, which would act as an independent global platform for international co-operation and treaties on non-use of cyber-weapons, and cyber-security regulations for critical infrastructure. The ICSO would also be responsible for investigating cyber-attack incidents and combating cyber-terrorism.
Of course, an ICSO would not eliminate cyber-weapons completely, but would at least greatly improve the situation as it stands at present. The most vulnerable parties (ie developed countries with high Internet usage) would benefit most from the existence of such an organisation, and so should be the first to support it.
RP: Kaspersky Lab is best known for home and office anti-malware software solutions. What is the company doing to help in broader efforts to strengthen cyber-security?
EK: First of all, Kaspersky Lab creates new technologies to meet new sophisticated threats head-on. With our help, businesses can: use the power of our cloud-based databases in the Kaspersky Security Network (KSN) to immediately and completely defend their networks; use our Application Control feature to monitor the behaviour of programs, instead of giving them free rein once they pass the first layer of system defences; and share the identities of malicious objects with the world instantly – also via KSN – so they can’t attack elsewhere.
Our mission is to make the Internet a safe, secure network; I’d also add to that spreading the idea of proclaiming the Internet a military-free zone – a kind of cyber-Antarctica. I don’t think disarmament is possible. That opportunity has been missed – investments have been made, weapons produced, and paranoia is already with us. But nations at least need to agree on the rules and controls concerning cyber-weapons.
I realise that putting this idea into action will be far from easy. Society still regards computers and the Internet as a kind of virtual reality – toys that have nothing to do with real, everyday life. Nothing could be further from the truth! The Internet is very much a part of everyday reality. I’ve outlined what complacency could lead to. This subject has already been under discussion for several years in the confines of security professional circles. I was just the first one to get it to the wider public.
RP: What additional roles can private companies like Kaspersky Lab play in the fight against cyber-terrorism and even cyber-warfare?
EK: Fighting cyber-crime today is no longer a job any single lone entity can effectively perform by itself. This is because cyber-crime transgresses geo-political borders, making it relatively low risk for the attackers to target victims maybe thousands of miles away. Through its technical expertise, Kaspersky Lab provides advanced technical information regarding widespread or dangerous malware, which with the help of IMPACT, can be put in the context of current legal investigations or be used to start new cases.
Eugene Kaspersky is Chairman and Chief Executive Officer of Kaspersky Lab. In 1987, he graduated from the Institute of Cryptography, Telecommunications and Computer Science in Moscow and began studying computer viruses after detecting the Cascade virus on his computer in October 1989. In 1997, Eugene and his colleagues established Kaspersky Lab. The company is now one of the world’s top-four leading vendors of computer security software, and number three in Europe.