Topic: Why security is still an issue
Eugene Kaspersky is the CEO of Kaspersky Lab.
Mr Kaspersky graduated from the Institute of Cryptography, Telecommunications and Computer Science in Moscow in 1987.
Cyber warfare involves attacks on systems critically important for national and/or global economies, and also for national and/or global security. Such attacks have the objective of weakening economic and military potential and inflicting considerable damage to nation states, with grave consequences for human populations, possibly with casualties. An international agreement on cooperation, non-proliferation and non-usage of cyber weapons is needed to combat such attacks.
Global cyber crime causes losses to the world economy to the tune of hundreds of billions of dollars a year, and it’s growing. Fortunately, the governments of different countries have at last started constructive dialog on this issue, and international projects and regional/national cyber police units have been established and are set to increase in number, size and funding. This is a good start, of course, but nothing more. There are no instant solutions to global cyber crime. A lot of work lies ahead, requiring dedication and heightened cross-border cooperation. But besides ‘traditional’ cyber crime, there are other threats out there that can be just as costly to both individuals and the world economy on the whole, and all of them are Internet-related in some way, just like cyber crime. Of the three most important ones, two are threats regular Internet users face directly, while the third is an ominous state-backed extension, or sidestep, of the cyber crime threat – cyber warfare.
Lack of privacy on the Internet
Every purchase you make, flight take, site view, file download, person call, e-mail send, Skype-call receive – all of them either are tracked or can be tracked. Are you OK with that? Me neither.
Also not OK with that are numerous legislators around the world, who are steadily getting more and more involved in regulating the collection and storage of user information. But their task need not be as daunting as it at first may seem. All they need do is pretty much transfer the measures in existence for our offline lives. For example, Internet services shouldn’t have the right to demand private information if similar services can be found offline without the need for handing over the same.
Lack of digital IDs for specific online services
Any mention of ‘passportization’ of the Internet is often met with knee-jerk cries of ‘censorship!’ or ‘liberty attack!’ But when you get into the details of the idea, such cries are shown to be plain inapplicable. So, the details of the idea…
From the standpoint of personal security of users, it would be reasonable to divide Internet services into three categories: (1) red – for the most important services like online banking, electronic voting (to encourage the Internet-dependent digital native younger generation to actually vote), and others, which require user authentication through an e-token, or cyber passport; (2) yellow – for adult websites, special promo-sites for alcohol and tobacco products, etc., which would also require partial identification of one’s true identity via an Internet-passport (maybe even without a name, just age); and (3) green – the free-for-all category, where you can write, read, play, do anything you want – and completely anonymously if you want, but at your own risk.
Now, because most of the Internet today falls under the green category, cyber criminals are able to hide behind anonymity – be it to register and operate bogus sites or use proxies. Take that anonymity away through the introduction of Internet passports for red and yellow category services – and you take away the cyber criminals’ main enabler (anti-liberty? Hardly).
For Internet passportization to be put into action, the powers-that-be around the world need to come together and tackle this issue, since the Internet sees no borders. Unilateral passportization in one country is a waste of time. All countries need to introduce the concept. Clearly this will take plenty of political will around the globe. But that doesn’t make it any less necessary.
Cyber warfare – what I fear the most
To me, cyber war attacks are attacks on systems critically important for national and/or global economies, and also for national and/or global security, and which have the objective of weakening economic and military potential and inflicting considerable damage to nation states, with grave consequences for human populations, possibly with casualties. And if you think that such threats sound like something out of science-fiction, I’m afraid I’ve got some very bad news for you: all this is real already – today.
The first notable targeted cyber war attack was a Distributed Denial of Service (DDoS) attack on Estonian sites in 2007 that cut the whole Baltic country off from the Internet. The result of this attack was accidental; however it showed up the possibilities for using the Internet in a cyber conflict. In 2010 there was Stuxnet – a complex computer worm that was able to penetrate the network of an Iranian nuclear facility and physically damage hundreds of uranium enrichment centrifuges. Interestingly, the Iranian computer network had no Internet connection. A year after Stuxnet came the Duqu worm – malware that collects information clandestinely that can be used in attacking targeted computer systems. The most recent discovery of targeted cyber war attacks has been the Flame worm – a highly sophisticated malware program used for cyber espionage. And I’ve no doubt whatsoever that nation states are behind them all.
So what’s so dangerous about cyber weapons that can be used in cyber war attacks?
The most dangerous aspect of cyber weapons is their unpredictable side effects. A worst-case scenario would see a cyber weapon aimed at a specific industrial object not actually being able to accurately pick out its victim – either down to a mistake in the algorithm or a banal error in the code – easily possible with it being so vast and complex. As a result of such an attack the targeted victim – let’s say, hypothetically, a power station – would not be the only thing affected; all the other power stations in the world built to the same design would be too. A lethal boomerang effect.
It’s almost impossible to protect ourselves from such attacks today. To do so it’d be necessary to practically rewrite just about all the software code in existence for secure operating systems. It’s clear this is physically impossible; even if it were possible, can you imagine the size of the budgets involved? No nation state would ever permit itself to make such colossal investments in IT Security.
So what do we do?
This problem needs solving in the same way as the problems of chemical, biological and nuclear weapons were in the past. What is needed is an international agreement on cooperation, non-proliferation and non-usage of cyber weapons. And such a project needs to be organized and coordinated by an independent international organization – like a Cyber IAEA.
I believe that sooner or later nation states will come to fully understand the dangers of cyber weapons being applied in cyber war attacks, and then eventually put an end to, if not the development, at least the application and proliferation of cyber weapons.
So there you have them: three threats besides cyber crime that can cause one to lose sleep if one mulls over them for too long. As you can see, in terms of a general remedy to all of them – as well as to traditional cyber crime – controls need to be introduced at the international level. But control does not have to mean censorship or freedoms being taken away. That is why an independent and trusted international body would be best placed to encourage the necessary worldwide paradigm change and introduce the long-overdue Internet-and-data-abuse preventing and malware-and-cyber weapon limiting controls.