Kaspersky discusses with APSM the magnitude of the global cyber-espionage, cyber-sabotage and cyber-warfare threat and how this will lead to the development and use of internet passports to protect individual identities.
Jonathan Matrai (APSM): Hi Eugene, How are you?
Eugene Kaspersky (EK): Good thank you. I am back in Australia, so I’m feeling great.
APSM: Great to hear, so just a few questions, Eugene, for our viewers. Can you help describe the threat magnitude of global cyber espionage, cyber sabotage and cyber warfare and the implications for Australian organisations who may be thinking that they’re immune or in the mindset of “it-won’t-happen-to-us”?
EK: I’d like to split this issue into two different categories. First of all, the espionage and cyber weapns, cyber weapons. Espionage, it’s not the innovation of this century, it was two thousand years ago, it is now, it will still be two thousand years from now. It is not possible to stop because to stop espionage there is a need to get the governments, all together to agree to stop espionage. Is that possible? No.
The weapons, of course, it’s not the innovation of the centre as well. We’ve had weapons thousand years ago, and we’ll have weapons, I hope that this is not the end of the world, but this year, and we’ll have weapons in the future. Cyber weapon is just a new era, a new dimension, new domain.
There is a good chance that governments will agree not to use cyber weapons in the future. Same like what happened with nuclear weapons and with biological weapons, because cyber weapons is very, very, extremely dangerous. Espionage is just stealing your data, it’s not damaging your physical environment, it’s not damaging your transportation, or power plants or what else.
It’s just that you’re losing your privacy. When I say you, that means country, government, or technological secrets. So you’re losing your privacy but it doesn’t physically damage you. Maybe in the future because of this data leakage.
Talking about cyber weapons is much much more dangerous because cyber weapon, say with the case of Stuxnet. With a cyber weapon it is technically possible to physically destroy mainly physical systems, I’m pretty sure about power plants for example. I’m not sure about transportation because it’s happened already. Because some parts of transportation like airports that have stopped working in the past because of computer malfunctions which were caused by malware. So it’s not news, it’s already happened, but that wasn’t designed for that.
But I am afraid that in the case the malware was designed to damage the effect will be much more dangerous. So cyber weapon is very dangerous because it’s much easier to develop. To develop a submarine takes decades of development and billions of dollars to be invested into it, not billions, thousands or hundreds of billions. Because submarine, the big submarine costs how much? Few billions? I’m talking about malware, military malware, it costs much less to do that, it’s easy to deploy it because it’s through the internet and sooner or later you get Stuxnet. It’s quite easy to do it again using different vulnerabilities, maybe to have a different target but it’s technically simple to do so it costs much less money. It’s simple to do and its not possible to stop it because they’re more than industrial environment, all the computer systems, they’re vulnerable and technically quite simple to infect. Cyber criminals they simply don’t have that much money to invest into their security research. Cyber criminals they develop quite primitive malware comparing to the military malware. Military malware compared to cyber crime malware it’s like a car and bicycle. It’s much more complicated and of course the budgets are much higher and it’s not possible to stop it. That’s why cyber weapons, it is an extremely dangerous thing.
There is talk about protection, you asked me the question about Australia, how Australian government economy is protected. It is the same like the rest of the world. Because it’s the same system, it’s the same computers. The same, power plants you have, be it Australian designed or maybe international projects, but I’m pretty sure most will be standard projects. Do you have your own computers? No, it’s all the same. Do you have your own operating system? It’s the same. So everywhere in the world they use very similar technologies, same computers, same operating systems, very same designs. And that is why Australia is just as vulnerable as the other countries. And actually Australia doesn’t have true enemies, so you’re not in conflict with any other countries, maybe except New Zealand (laughs).
So actually Australia is a happy land. But if there is something wrong is happening somewhere far, far away Australia, in Latin America maybe, if there is conflict between countries, and they design cyber weapon and for example they want to crash power grids of hotels but this malware has mistakes and this malware is unable to recognise the exact victim, there could be victims everywhere around the world, including Australia.
This is why cyber weapon is double the danger, first, it is much easier to use it, much easy to develop, deploy and to use. And there is no protection against it. The second reason why it is very dangerous because there could be very random victims. If you send a missile there could be just one victim, if you send a cyber missile. The difference between traditional weapon and cyber weapon is that you’ll find that cyber weapon can replicate. And the cost of replication is zero and it can do so automatically.
APSM: With the emerging trend of hacktivism and cyber terrorist’s manipulation through social media, do you see this as threatening the functionality of social media or do you think social media will adapt to the changes?
EK: Three questions in one, hacktivists, terrorist, and social media. They’re three different issues, hacktivist is just protesting, they’re just like in the past, if you remember in Europe, mostly in Europe, and two centuries ago in Russia, there were students protesting against something. In 1960 were large protests in France and there were students protesting everywhere in the streets of France, it is the same thing happening on the internet. Hacktivist, it’s the same prior to the internet but in a newer form. In an internet form. Terrorists, cyber terrorists, there is still no definition for cyber terrorists, but I understand it. It is cyber attacks with extremely dangerous result, maybe with human deaths result but definitely with infrastructure damage or transportation damage, definately. If I accept this definition, we don’t have any report about any cyber terrorist attack at the moment, but technically it’s possible.
APSM: Okay.
EK: Technically it is possible that anti-government organisations, or governments which we could call governments of terror, they can employ, because most of these groups and most of these powers they don’t have enough IT knowledge, they don’t have enough expertise themselves. But they can employ engineers; they can employ high end security experts or kidnap them. And force them to do, to design the tools for cyber terrorist attacks and that is linked to hacktivists. Because in the past, the students in the past which were just protesting they became terrorists, at least in the Russian history it was exactly the same case, the students which were protesting in the middle to the end of the 19th century they started to use bombs, homemade bombs. And they were terrorists. So I am afraid that the same scenario will happen in the hacktivist’s world. So I am not surprised if in the future, cyber terrorists will employ hacktivists. But at the moment there are two different group, hacktivists it’s the reality. Cyber terrorism, it’s just, I don’t want to call it opportunity, but actually, technically it is very possible.
Talking about social media is a completely different area, and of course, hacktivists and future cyber terrorists will use it, of course. But at the moment as I see the social media, the most dangerous on what’s going on there is that the fact that it is a very powerful tool in the hands of the wrong person to manipulate. And Arab spring, American summer, Occupy Wall Street, British Fall, Russian Winter. Who is next?
Usually I have this presentation, and I’d save it usually when I have this presentation about the most important issues in the cyber world. Social media, that’s number 2 after cyber weapons. When I have my presentation, I usually say that evry country could be a victim of this manipulation. Every country has its own internal problems. Maybe except Switzerland, Australia and New Zealand. Because actually you are happy nations. So you don’t hear of any serious internal problems.
APSM: No, and it’s very multicultural as well.
EK: So you don’t have any civil, as far as I see it, as far as I know. But if you touch on any other country, you’ll see very serious internal conflicts, any country. What’s next to Australia, Indonesia, of course.
APSM: Hotspot.
EK: Next maybe not Singapore. Malaysia, three different nations which are living as if they are in their own communities, Indians, Chinese, and Malays. What’s next, if you go to any country, you will see there is something wrong in there and it’s very easy by using social media to misuse the power of media to start a revolution within the country.
The first country that really recognised that is China, first of all they have a screen there, the national firewall and foreign social media are not allowed in China. They have their own media, and the Chinese are happy. So they don’t really need international media. And the Chinese, most of the Chinese they simply don’t recognise they have this firewall, because they don’t need information from the outer world. They are very introverted. And they have a new regulation, if you want to an account with a Chinese social media, you may register only with your ID. So the government has a hundred percent control on everyone in social media.
So, there are two scenarios. The first scenario is the western style scenario. So you are a hundred percent anonymous and you are a hundred percent free. But that’s very dangerous.
Chinese scenario, hundred percent safe, but government control big presence scenario.
Both are wrong. I am afraid there is nothing in between. There is nothing in between. And there are some problems with their IT security, some issues there. And some of this issues, I have some ideas and answers for these questions. But there are some questions I don’t have any idea any answers to them. And social media is one of them, I don’t know what to do.
That’s why I love to travel a lot around the globe just to meet people, just to talk to people, to get some ideas. There are many cases where I am just explaining my ideas to people, and sometimes to government officials. And they ask me the questions, and when I think about the questions these ideas they get more details there. Or it is time to think about details. And that’s very interesting.
APSM: Can you outline the development and use of internet passports to protect individual identities from theft and cyber terrorism.
EK: Yes, it is a very old idea. I came to this idea in maybe 2001 or 2002. To have an internet passport, it’s the same as how we have IDs in the non-internet life. You will need these ID when you go to the bank office, if you want to get access to your bank accounts, they will ask for you IDs. It’s like a biometrical identification that’s yours. This is you.
My favourite example is checking ID at the airport. All you need is a photo ID, but this is not in Australia. In some airports they don’t ask you. But the rest of the world, it’s just your photo ID. In some areas of our life, we don’t really need to present our IDs, when we’re walking along the street, or shopping or what else. You’re not animals, you don’t need to wear your badge. But in some cases like in airports, in banks if you want to have access to the service, you need to have the ID. And the reason why we have these regulations in our usual life is simply because of security. Because there are incidents where there are bad guys who are violating the rules, and there was a need to introduce more security just to stop them. So I think the same has to be done on the internet. The internet it’s not a different land, it’s not like it’s something really different. It’s just like our usual life but in a new technology. So I think there are same standards, same regulations must be introduced in a very similarly way in the internet forum. But at the same time, it is a question of privacy, how to get together their regulation, their identification, their privacy. This is some of the issue; you have to give at least some privacy to individuals, because on the internet there are so many data collected, and sometimes it is not necessary to collect these information.
Are you a customer of iTunes?
APSM: yes.
EK: When you register on to iTunes, you have to report so many things there. Because Apple wants to know everything about you. Hey, Welcome to Soviet Union. (Laughs). I don’t really like it. That’s too much and the most critical issue is internet passport. Kids, they are 100% online, and the kids are growing and sooner or later they will be ready for elections. So they will remember the community and part of the social and political life. And if kids don’t have passports, and if they don’t have secure online election systems. They will never vote. That will be the end of democracy.
The older generation will traditionally go to the election office. The new generation, will never go there. If there are no internet passports and there are no secure online election systems. In this case, sooner or later, it will be the last democratic man dead. No one voting.
JM: Thank you for your insight Eugene.
EK: My pleasure.
