This follow-up continues Eugene Kaspersky’s talk “The threats of the Age of cyber-warfare”, in which the speaker looks at instances of critical infrastructure damage, catastrophes and military challenges caused by cybercrime. Mr. Kaspersky also offers some ideas on minimizing the risks, with special emphasis on international cooperation in fighting cyber criminals.
Unfortunately that’s not the end of my story. What can be worse? This is not a question, it’s an answer. We have some examples of the catastrophes, very big disasters because of the misfunctions of IT systems. I think all of you remember the blackout in 2003. And the same day, the same time there was an epidemic of Blaster Worm [1] which infected millions of computers around the globe. And we have reports that the worm damaged Unix systems which were in charge of electricity distribution through the electric grid. The worm was one of the reasons, maybe the main reason of the blackout in the United States and Canada East Coast in 2003. I don’t have any hard data about that, but I am pretty sure it could not happen without the worm, it was the main reason.
Another story, I think that you might not have heard about that because it happened in August, vacation time, but it wasn’t out of the focus of our attention. In August 2008, the Spanish plane crashed, just after the takeoff from Barajas airport in Madrid. And there were more than 150 people dead in this catastrophe. Last year, they reported the result of investigation, they said the plane had crashed because of the technical problems. But these technical problems were not discovered by ground-based engineers, because the computers were infected. So the malware blocked computers and the technical problems were not reported to the engineers. So the virus, the infection, the malware wasn’t the reason of that catastrophe but it could not happen without infection.
More, Stuxnet [2] – I think I don’t need to explain that. I think all or most people who are responsible for IT security, and the national security working with transportation, industrial systems, factories, governments are really scared, because unfortunately all these systems depend on IT.
So these are facts which already happened. And the question is, this year, next year, do we expect to see similar incidents: yes or no? That’s very obvious, of course yes. It will happen because there is no 100% security. And unfortunately, these systems were designed years back, possibly by people who weren’t trained well.
Just a few more stories. This is quite an old story but for sure it will happen again. Now it’s fixed, don’t worry – now this problem is fixed. But in 2008, they reported that cockpit systems, the pilot systems were connected to the passenger network. When I got this news, I was sitting with my mouth open, reading that and thinking: “How could they design that?” And then the lawyer from my company came to my room with some report and I said: “Listen, this is a new plane from Boeing, they have a pilot’s network connected to the passenger network”. And my lawyer said it’s not possible. But unfortunately, it is possible, it was actually, now it’s fixed. But for sure, people are people, engineers are engineers, and engineers unfortunately are humans too. They make mistakes. Here is another story, it’s a little bit more serious maybe: the military drones which didn’t have encrypted traffic, so it was possible to intercept the drone, and for example send it back, or to change the target. Well, it’s from the news, that’s why I am not surprised, because humans are humans. They design these systems in such a way.
The nations are vulnerable. Unfortunately, even the national systems are sometimes designed in such a way that they could be very easy victims of a hacker attack. Do you remember the movie about cyber terrorism – “Die Hard 4”? I recommend you to watch it again. Well, that’s a Hollywood story, and half of this movie is bullshit. Only half, when Bruce Willis crashed the helicopter with the police car – that’s not truth, of course it’s not possible. But the rest, I am afraid, might well be true. Just read the news, read the news very carefully. And you can find information which explains that what we do, what is done, is done in such a way, that unfortunately I don’t sleep well sometimes after such news.
As a result, we have a number of companies which were hacked last year. Well, most of the companies that underwent the attacks are American of course. But there are many victims in Europe, in Asia, in Russia, maybe in China as well, but the Chinese don’t report that at all. Unfortunately this list is much, much longer. The companies simply don’t report that. Another question is – do they need to report that or not? Some people say “Of course yes”, because their customers have to know what’s going on. There is another opinion – don’t ruin police investigation; it could be very dangerous for the police investigation.
And now a little bit more about governments, about national military forces involved in that. News from China: they said that they had so-called Blue Team Forces, cyber military forces. News from the United States – the same. India – they plan to have that as well. What about North Korea? Do they have computers in North Korea? Yes, they have. And they also report that they also have cyber military division. Germany – same plans.
And all that looks like a very, very bad Hollywood story. The Head of the United States Cyber Command [3] Keith B. Alexander (on the photo) told Congress that cyber weapon could be as dangerous as the traditional military weapons, and the result could be as bad as with traditional weapons. And he was not kidding, that’s reality, unfortunately. That’s reality of this world.
And can we stop that? What to do to minimize the risks at least? Of course I have some ideas. First of all, the most serious issue is attacks on industrial systems, transportation, electric power grid etc. And I think that there must be much more serious government control on the industrial systems: the regulation, the standards, and penalties for engineers and companies which don’t follow regulation.
There should as well be more secure design for industrial systems, including maybe new future secure operating systems, because unfortunately most of the existing systems are not secure at all. There must be new design, new ideas, new innovations in IT, in operating system development. And these systems which are much more secure and protected must be used in critical industrial systems.
It’s not possible to fix the problems only within the national borders. Unfortunately, what I see is national leaders talking about national security only. But we live in the Internet. Internet doesn’t have borders. Unfortunately, it’s not possible to fix the problem only on a national level.
The only right way is international cooperation. Even if your country doesn’t have good enough relationships with others, some of others, you must talk about and establish global IT security, Internet security, because if you have someone on the street who does not follow the regulation and there is no police to stop that, you are not protected.
And the cyber police is the next issue. To fight the international cyber crime, to fight the international cyber terrorism, we must have international cyber police forces, I call it Internet-Interpol – the organization which is not under the national regulation but only under international regulation as a part of United Nations maybe, as a division in a traditional Interpol, I don’t know. But this is the only way to fight the bad guys in the Internet.
Internet ID’s are also important to stop hooligans and help the police fight cyber criminals. I have been talking about these Internet ID’s for many years, maybe 10 years. It was 10 years ago that I said for the first time that it would be a good idea if we had Internet ID’s. And people were smiling at me. 5 years ago, they started to listen. 2 months ago, I was in China, and in Beijing airport Wi-Fi is free, but to get access, to get a login and password you need to have a passport, to get a special machine to scan your passport, and then you have the login and password.
In Germany, they already issued some kind of Internet identification card. And the President of the United States, about half a year ago, said about plans to have Internet ID’s for every American to build secure Internet.
But once again, it’s not possible to fix that problem only on a national level, there must be international cooperation.
For now, we don’t have government regulation on industrial IT systems, secure OS for critical infrastructures, international treaties, Internet-Interpol, Internet ID’s. We don’t have any of these. We need them but we don’t have them. The only thing we have is technologies. We have many things to do. And I think it’s not only the task for private companies or the task for IT security industry, there must be international cooperation on the government level. Without that, I don’t see the good future and the blue sky for the next years. Unfortunately, we will see much more very serious incidents, more cybercrime, more cyber terrorist attacks, and maybe cyber wars between some countries.
And because we live in the Internet, a cyber war somewhere far away from your country could reflect on you as well, because the Internet is Internet, there are no borders and there are no countries in there. So we depend on IT, our world, the systems are not designed in a secure way. We just entered the cyber war era, so only global cooperation and coordination and better budgets on IT security are the solution for the problem.
1 – Blaster Worm (also known as Lovsan, Lovesan or MSBlast) was a computer worm that spread on computers running the Microsoft operating systems: Windows XP and Windows 2000, during August 2003.
2 – Stuxnet is a computer worm discovered in June 2010. It initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment.
3 – United States Cyber Command (USCYBERCOM) is an armed forces sub-unified command subordinate to United States Strategic Command, located in Fort Meade, Maryland and led by General Keith B. Alexander. USCYBERCOM centralizes command of cyberspace operations, organizes existing cyber resources and synchronizes defense of U.S. military networks.