Kaspersky CEO sees cybersecurity headed from Dark Age to Golden Age

Kaspersky Lab’s colourful CEO stated at the company’s 2016 North American Partner Conference that while cybersecurity is presently in the Dark Ages, a Golden Age is on the horizon for the commercial market, with a key new industrial control security solution coming from Kaspersky later this year.

Eugene Kaspersky2CANCUN – Cybersecurity is presently in its Dark Ages. That was the gloomy perspective on the present laid out by Kaspersky Lab’s founder Eugene Kaspersky to approximately 100 of the company’s top channel partners at its 2016 North American Partner Conference here. The good news, on the other hand, is that the day of deliverance is nigh. With Kaspersky Lab – and its trusty partners who are the company’s route to market – in the vanguard, the industry could be on the cusp of a new Golden Age, in which the commercial sector – if not the consumer, stands on the brink of a world of secure operating systems and unhackable apps.

Kaspersky began with a bleak vision of the present in his presentation, entitled the Dark Ages of Cybersecurity. Kaspersky Lab in recent years has identified three recent types of malware attackers. The largest group – the base of the pyramid – is a collection of myriad types of virus writers and DDoS attackers that can be classified as nuisances. Above them are the cybercriminals, and at the very tip, the nation state-backed attackers, who have the most lavish resources at their disposal.

“What we have been seeing this year is that the complexity of the cybercriminal attack is now basically the same as the government grade attack,” Kaspersky said. The cybercriminals now have access to the same level of resources.”

Cybercrime is getting more and more international, with criminal gangs who speak different languages increasingly working together, and mercenaries offering cybercrime as a service are significantly increasing.

“Like solution providers, cybercriminals are also getting into the services businesses,” Kaspersky told the partner audience. “A couple organizations even had partner conferences. One had a lottery to win a car!”

The chances of cybercriminals being caught is remote, and when they are arrested, it’s typically only the junior guys, Kaspersky said.

“When the Carbanak Russian-speaking syndicate was broken some leaders were actually arrested, but not all of them,” he stated.

New business models are also emerging where traditional criminal gangs hire cybercriminals to go after new targets in areas like manufacturing and transportation. Kaspersky said these new digital business models include things like gangs stealing coal through electronic means and then selling it.

“I’m afraid that in the very near future they expect we will have cyberterrorist attacks as well,” he added.

Kaspersky pointed to recent blackout attacks in Ukraine in December.

“The hackers turned the power grid off and wiped the systems so engineers had to physically turn things on,” he said. “If the same thing happened in the U.S., where you can’t turn them on manually, you would have to reinstall the systems and reinstall the firmware – and it would take much more time. This can happen.”

Kaspersky also referenced a different gang of criminals using different malware to attack the Ukraine power grid.

“They didn’t physically damage the grid,” he said. “It was more sending a message – turning it off and disappearing.

“We are living in the dark age of security when the whole world is vulnerable. You don’t have to be a superhacker. You just need a guy from the industry who knows how to manage the system, and that’s possible.”

Kaspersky divided the target-rich environment into nine categories of cybersystems in three groups: the important, the critical, and national security, Important includes things like consumer, home user and SMBs, Critical encompasses connected cars and smart homes, online shops, and phone systems, and national security consists of power grids, finance, the internet and mobile networks. Kaspersky stated that for some elements of this, a Golden Age of Cybersecurity is indeed possible.

“What do we need to do to get this Golden Age of Cybersecurity? You need secure OSs, apps that are unhackable, and devices and equipment that are safe by design. Is it possible to do this if you are not a god? Completely!”

Can we expect this Golden Age soon? For consumer-related things, probably not.

“For the consumer area, it’s not possible because even if we invest more, companies have to spend more to deliver new product to the market and will lose out to companies who don’t invest in security enough and so are cheaper,” he said. “So I don’t believe in this for the consumer, not for decades,”

For the critical category, it’s another story.

“For critical infrastructure, with security auditing and penetration testing, network security and whitelisting where the default is to deny, and where no other than trusted applications can be executed, it is possible,” Kaspersky said. “It will be more expensive because you need more engineers to support it. We are not 100 per cent there, yet, but it is close.”

Kaspersky stressed that getting perfect security doesn’t require making everything completely airtight everywhere.

“Perfect security is – when the attack costs more than the possible damage it can inflict – so the attacker will go somewhere else,” he said.

Still, for the national security category and its’ heavy physical infrastructure, Kaspersky acknowledged perfect security can’t be achieved this same way.

“There are not enough engineers to do it — so my idea here is to redesign existing systems a little and develop new systems on top of secure platforms,” he said. “We have our first customer for that now, an oil refinery in Russia. They have designed their security based on our secure OS.”

This particular solution, designed to protect Industrial Control Systems located around the world from cyberattacks, is not far from release.

“It has been in development for a number of years, and consists of two pieces – the secure OS and Kaspersky Industrial Control Security, designed specifically for SCADA/PLC environments, and that IS something we will see in the market this year,” Mike Canavan, Kaspersky’s VP of Presales System Engineering, subsequently confirmed to ChannelBuzz.