The online world is a mystery to many people, especially adults, according to Eugene Kaspersky, head of the anti-virus and cyber protection firm that bears his name. “We’re all immigrants in the new world of cyberspace,” Kaspersky said at a roundtable discussion with some of Israel’s top IT managers. “Our children who will one day replace us are, on the other hand, cyber-natives,” and it shows in myriad ways.
But understanding cyber issues – especially cybersecurity – isn’t as complicated as many believe, if you think about it the right way, Kaspersky said at the event, held on the sidelines of the Third Annual International Cyber Security Conference of Tel Aviv University’s Yuval Ne’eman Workshop, taking place this week. The roundtable was conducted by the Israel Internet Society.
Some two dozen speakers from countries around the world, as well as many Israeli information technology security people, gathered to discuss cybersecurity policy issues, better ways to protect critical systems from hackers, and how to build cooperation between institutions and governments in other countries, said Professor Yitzhak Ben Yisrael, chairman of the Yuval Ne’eman Workshop, and a chief architect of the Prime Minister’s National Cyber Committee.
“Cyberspace is a reflection of the real world,” Kaspersky said, and once you start thinking about it in those terms, many of the solutions to problems the world faces become obvious. “Many people bristle at the idea of an online ID card, but I think it’s essential for the future of the Internet. If you were to go to a real-life bank, you would have to present your ID card, and in newer biometric ID systems, your palm or fingerprint, in order to get money. Why should the online world be any different?
The last time Kaspersky was in Israel (for the 2012 edition of the Conference) he astounded conference attendees by announcing that “the end was near.” Kaspersky presented evidence of the existence of the Flame virus, the malware that wreaked havoc with computer infrastructure systems used by Iran in its nuclear program, and said that it could represent “the end of interconnected world as we know it. Like a germ on a rampage, Flame, he said, could end up infecting power stations, air control systems, government computers, and a thousand and one other systems that make 21st century life possible. “The world is just so interconnected today, and the viruses that attack one power plant put them all at risk,” Kaspersky said, warning of dire consequences if IT personnel did not take immediate safety precautions.
Kaspersky did not come bearing such dramatic news this year, but said that he was worried nonetheless. “I have been in the IT security business for 25 years, and I am paranoid because of the things that I have seen.” Although he had plenty of stories about security breaches, with some published in the media, “there are a lot stories I can’t share,” he said – and if he did, listeners would be just as fearful of the cyber-future as he is.
On the other hand, Kaspersky said, he is optimistic – because the lessons on how to protect organizations, businesses, governments, and infrastructure seem to be getting through. There is much more awareness of the need for cybersecurity by private enterprise and governments, even if the pace of implementing protection can be slow.
“Cyber, of course, operates at the speed of cyber, but governments operate at the speed of governments, meaning that there are committees, discussions, and votes,” he said. But things are getting better; for example, after years of discussions, international law enforcement organization Interpol will next year open up a department specifically geared to dealing with cyber-threats, to be called CyberPol. “It will make life much more difficult for cyber-criminals,” the hackers who break into bank accounts to transfer money, and the like, said Kaspersky.
But there are much more serious threats in the cyber-world that have barely begun to be addressed, Kaspersky said. “Cyber-espionage is a much greater threat than cyber-crime today, but even that can be detected and controlled. What’s really worrying is cyber-terror, where an entity sends out an ‘Internet missile’ to search out and destroy critical infrastructure.”
Many of the “famous” viruses that have been unveiled in the past year – like Red October – were designed to steal information, and there are plenty of other viruses that are doing the same thing. “Just last week, the leaders of the United States and China sat down to discuss espionage and hacking, a major issue involving China.”
But it’s not just China; every country in the world is cyber-spying on both enemies and friends. “It’s just so easy to do, I would be shocked if there were a major country with an educated population – including Israel and the United States – were not cyber-spying. Even Sweden, a paragon of democracy, monitors Internet traffic coming from Russia,” Kaspersky said.
What really should be worrying everyone is cyber-terror, where rogue groups attack infrastructure and critical systems. In order to protect society, those systems need to be locked down. The problem is that many were designed years ago, before cyber-threats were even thought of. The systems running electricity, water, gas, public safety, and other systems needs to be upgraded, but it can only be done incrementally, Kaspersky said, since no country is going to close down its electrical grid or other infrastructure to allow for a lengthy system and equipment upgrade. (Speaking at the same conference three days ago, Prime Minister Benjamin Netanyahu said Israel was under relentless hack attack.)
The question, of course, is how to prevent these, and less serious attacks. According to Kaspersky, the answer is far less complicated than people think. Following his simile of real life and cyber-life, Kaspersky advocates things like fingerprint readers to allow access to financial and other Web sites. In addition, there should be standards for security systems, agreed to and implemented by everyone; for example, if one country suspected hacking activity aimed at it was being conducted in another country, the host of that hacking would be obligated by international agreement to root out the hackers.
“If you were to build a bridge, for example, you would have to comply with all sorts of rules and regulations,” said Kaspersky. “That’s what the cyber-world needs, as well,” and such standards should be worked out among nations. “Or we can do what is usually done – wait for the United States to come up with standards, and have everyone else adopt them.”
Until that time, Kaspersky has some suggestions for organizations hoping to prevent damage from cyber-attacks (preventing attacks is too much to ask for, he said; the best anyone can hope for is mitigation). “We need to increase awareness and education on cybersecurity matters, especially in universities, in order to train IT security workers, who are in very short supply.” There are few universities that teach those skills, said Kaspersky – although Tel Aviv University is set to become one of them, Ben-Yisrael said, offering majors and minors to all students in cyber-related disciplines.
Along with that, Kaspersky said, organizations needed to educate members and workers on the dangers of the Internet. Many cyber-attacks have their roots in “social engineering,” where users receive a message to submit information or click on a link that will install malware.
“We have a presentation that we provide to clients that is shown to their workers,” said Kaspersky. “It’s all about real-life stories of workers who clicked on the wrong link, jeopardizing their organizations. Once they see that presentation they become as paranoid as me.” It’s a fear tactic, without question, but the consequences of a cyber-attack are a lot scarier.