The threats of the Age of cyber-warfare: Eugene Kaspersky on cybercrime

Co-founder and CEO of “Kaspersky Lab” Eugene Kaspersky delivers a speech called “The threats of the Age of cyber-warfare”, expressing his vision on the current state of the global cybercrime and exemplifying his research with some observations and evidence of close affiliation of malware related crime with real-world facts.

Today we are here to discuss the problems, explaining our view on the existing situation and the future. This is the main topic of my presentation, and I am going to start.

Well, computers are everywhere. How many computers do you have or use in your life? You don’t know. You don’t know how many computers you have in your car. You don’t know how many computers manage the train, if you use train to get to New York. You don’t know how many computers manage the elevators in this hotel. Everything is digital, everything is online.

Entertainment…It’s digital. Oh, well, except poker in Las Vegas. But in Las Vegas, poker is under the control of cameras which are for sure digital and report that to the digital systems.

How many times did you open paper printed encyclopedia last year? Zero. How many times did you open Wikipedia or Wikileaks? As to Wikileaks, usually I say, please don’t publish so much information at the end of Friday, because secret services – they are humans too. They have families and they want to have weekends.

Social lives – well, how many people here in the room have 5 or more accounts in social networks? Well, I understand I am talking to journalists, it’s not fair, okay, okay. But when I am in a business audience, or I deliver a speech to students in universities, if someone raises the hand, I ask security to catch that person and to write down the name, to report that to the employer or to the professor.

Governments are another issue. Governments want to be online. And a very serious problem is that the new generation wants be 100% online. And if you don’t have Internet government or online government, if you don’t have Internet voting, then the new generation, kids – they will never go to the election office. If there is no online service, they will never go to vote. If you don’t have secure online voting, Internet passports – that will be the end of democracy. Well, this is also a very special topic, and maybe we will discuss that later.

Industrial systems – unfortunately, or fortunately, all these systems, well, they are not online, but it’s possible to bring USB, so they are partly online. And unfortunately, it’s a very, very big danger, and I have some examples of what’s already happened because of the security issues with industrial systems.

So, everything is online, and unfortunately everyone, every business, every person is under the attack. There are so many targets: individuals, governments, businesses. And there are 3 main sources of these attacks.

The first source is not so serious, that’s just script kiddies¹, vandals. Still there are kids who develop malware just for fun, like in the past. But less and less kids are doing that, because they don’t have time, they play computer games. In the past, these kids were presenting themselves, they wanted to make themselves proud because they wrote a super computer virus. Not anymore. They play computer games, they grow into super heroes in computer games.

And the third source is organizations, governments or individuals which attack the Internet in very different ways with cyber weapon, with distributed DoS attacks, which develop spying software to steal critical information. Unfortunately, we are getting more and more reports about that.

So, a little bit about online crime. First of all, it’s global. It’s not just Chinese cyber criminals, it’s not only Russian cyber criminals – it’s global. Of course there are more cyber criminals in Asia, in Russia, in Latin America than in Europe or in the United States. But if you look at these faces, these pictures of criminals, you can see quite different faces: Americans, Russians, Palestinian… It’s everywhere. Computers are everywhere, Internet is everywhere, except Antarctic, I was there and checked, there was almost no Internet. So maybe Antarctic is the only one region free of cybercrime, but the rest isn’t – it’s everywhere.

Unfortunately, it’s very effective, it’s possible to stop a country with the help of malware. It’s organized. This is a very, very old screenshot (see image) but I like it, because it’s a part of the business, it’s a gang which develops botnets² and trades these botnets. So actually this is a price list: how many bots you want to use, how many days you want to use these botnets. There’s an ICQ number for technical support; there is also something about discounts if you buy the service 2 or 3 or more times; Terms of Service.

That’s a business. There is B2C (business to customers), B2B (business to business), well, I call this C2C – criminals to criminals. That’s organized world, huge well organized world with a lot of money in there, and it’s very profitable.

This picture here shows the consequences of illegal street race in Moscow. Believe me, Moscow doesn’t look like this everyday. So there were a couple of Russian cyber criminals in that car. It’s a new BMW 7. One of them died in this incident, he was 19 years old. A 19-year-old boy driving a new BMW. They have lots of money.

Unfortunately, these guys have much more money than software engineers, than IT security software engineers. This is the answer to the question. Will cyber criminals be looking for a job in your company? Never, because they have much more money, unfortunately.

And it is easy to do because it’s just software, the Internet. They don’t need to invest too much, and they don’t have physical contact with victims. That makes the life of cyber criminals very simple. And it’s low risk. If they have enough of brain, they can do it in such a way that it is very, very difficult to find them, to trace them.

They attack from different countries using proxy servers, and in some cases they don’t attack victims in their own country. They don’t want local police to have calls from local victims. Some of these guys are extremely clever. We still don’t know the names of criminals which were responsible for some kinds of very big attacks like Conficker³, or Kido, attacks in the past, with 10 million infected proxy servers. I still don’t know the names. They were very professional people.

So it’s global, it’s very effective, organized, profitable, easy to do, no risk… of course there will be more and more cyber criminals. And also, keep in mind that there are more and more Internet users from very poor countries. And we live in the same territory, in the same city, on the same streets.

So, I don’t know how much money we lose because of that, because cyber criminals don’t report their financial figures. I am sure Gartner⁴ doesn’t have reports from cybercrime gangs. However, we tried to count, to approximate the financial impact, and we got the number – 100 billion dollars. And this is only from the cybercrime based on malware. Spam, credit cards, trading counterfeit stuff – it’s not counted. Only the cybercrime business which is based on malware costs global economy at least 100 billion dollars a year. So, if it’s 500 billion per all cyber crime, I am not surprised. And compared with that disaster in Japan, they said it was about 300-billion-dollar impact – every year we have at least one tsunami impact on the global economy.

Unfortunately that’s not the end of my story. What can be worse? This is not a question, it’s an answer. We have some examples of the catastrophes, very big disasters because of the misfunctions of IT systems. I think all of you remember the blackout in 2003. And the same day, the same time there was an epidemic of Blaster Worm¹ which infected millions of computers around the globe. And we have reports that the worm damaged Unix systems which were in charge of electricity distribution through the electric grid. The worm was one of the reasons, maybe the main reason of the blackout in the United States and Canada East Coast in 2003. I don’t have any hard data about that, but I am pretty sure it could not happen without the worm, it was the main reason.

Another story, I think that you might not have heard about that because it happened in August, vacation time, but it wasn’t out of the focus of our attention. In August 2008, the Spanish plane crashed, just after the takeoff from Barajas airport in Madrid. And there were more than 150 people dead in this catastrophe. Last year, they reported the result of investigation, they said the plane had crashed because of the technical problems. But these technical problems were not discovered by ground-based engineers, because the computers were infected. So the malware blocked computers and the technical problems were not reported to the engineers. So the virus, the infection, the malware wasn’t the reason of that catastrophe but it could not happen without infection.

More, Stuxnet² – I think I don’t need to explain that. I think all or most people who are responsible for IT security, and the national security working with transportation, industrial systems, factories, governments are really scared, because unfortunately all these systems depend on IT.

So these are facts which already happened. And the question is, this year, next year, do we expect to see similar incidents: yes or no? That’s very obvious, of course yes. It will happen because there is no 100% security. And unfortunately, these systems were designed years back, possibly by people who weren’t trained well.

Just a few more stories. This is quite an old story but for sure it will happen again. Now it’s fixed, don’t worry – now this problem is fixed. But in 2008, they reported that cockpit systems, the pilot systems were connected to the passenger network. When I got this news, I was sitting with my mouth open, reading that and thinking: “How could they design that?” And then the lawyer from my company came to my room with some report and I said: “Listen, this is a new plane from Boeing, they have a pilot’s network connected to the passenger network”. And my lawyer said it’s not possible. But unfortunately, it is possible, it was actually, now it’s fixed. But for sure, people are people, engineers are engineers, and engineers unfortunately are humans too. They make mistakes.

Here is another story, it’s a little bit more serious maybe: the military drones which didn’t have encrypted traffic, so it was possible to intercept the drone, and for example send it back, or to change the target. Well, it’s from the news, that’s why I am not surprised, because humans are humans. They design these systems in such a way.

The nations are vulnerable. Unfortunately, even the national systems are sometimes designed in such a way that they could be very easy victims of a hacker attack. Do you remember the movie about cyber terrorism – “Die Hard 4”? I recommend you to watch it again. Well, that’s a Hollywood story, and half of this movie is bullshit. Only half, when Bruce Willis crashed the helicopter with the police car – that’s not truth, of course it’s not possible. But the rest, I am afraid, might well be true. Just read the news, read the news very carefully. And you can find information which explains that what we do, what is done, is done in such a way, that unfortunately I don’t sleep well sometimes after such news.

As a result, we have a number of companies which were hacked last year. Well, most of the companies that underwent the attacks are American of course. But there are many victims in Europe, in Asia, in Russia, maybe in China as well, but the Chinese don’t report that at all. Unfortunately this list is much, much longer. The companies simply don’t report that. Another question is – do they need to report that or not? Some people say “Of course yes”, because their customers have to know what’s going on. There is another opinion – don’t ruin police investigation; it could be very dangerous for the police investigation.

And now a little bit more about governments, about national military forces involved in that. News from China: they said that they had so-called Blue Team Forces, cyber military forces. News from the United States – the same. India – they plan to have that as well. What about North Korea? Do they have computers in North Korea? Yes, they have. And they also report that they also have cyber military division. Germany – same plans.

And all that looks like a very, very bad Hollywood story. The Head of the United States Cyber Command³ Keith B. Alexander (on the photo) told Congress that cyber weapon could be as dangerous as the traditional military weapons, and the result could be as bad as with traditional weapons. And he was not kidding, that’s reality, unfortunately. That’s reality of this world.

And can we stop that? What to do to minimize the risks at least? Of course I have some ideas. First of all, the most serious issue is attacks on industrial systems, transportation, electric power grid etc. And I think that there must be much more serious government control on the industrial systems: the regulation, the standards, and penalties for engineers and companies which don’t follow regulation.

There should as well be more secure design for industrial systems, including maybe new future secure operating systems, because unfortunately most of the existing systems are not secure at all. There must be new design, new ideas, new innovations in IT, in operating system development. And these systems which are much more secure and protected must be used in critical industrial systems.

It’s not possible to fix the problems only within the national borders. Unfortunately, what I see is national leaders talking about national security only. But we live in the Internet. Internet doesn’t have borders. Unfortunately, it’s not possible to fix the problem only on a national level.

The only right way is international cooperation. Even if your country doesn’t have good enough relationships with others, some of others, you must talk about and establish global IT security, Internet security, because if you have someone on the street who does not follow the regulation and there is no police to stop that, you are not protected.

And the cyber police is the next issue. To fight the international cyber crime, to fight the international cyber terrorism, we must have international cyber police forces, I call it Internet-Interpol – the organization which is not under the national regulation but only under international regulation as a part of United Nations maybe, as a division in a traditional Interpol, I don’t know. But this is the only way to fight the bad guys in the Internet.

Internet ID’s are also important to stop hooligans and help the police fight cyber criminals. I have been talking about these Internet ID’s for many years, maybe 10 years. It was 10 years ago that I said for the first time that it would be a good idea if we had Internet ID’s. And people were smiling at me. 5 years ago, they started to listen. 2 months ago, I was in China, and in Beijing airport Wi-Fi is free, but to get access, to get a login and password you need to have a passport, to get a special machine to scan your passport, and then you have the login and password.

In Germany, they already issued some kind of Internet identification card. And the President of the United States, about half a year ago, said about plans to have Internet ID’s for every American to build secure Internet.

But once again, it’s not possible to fix that problem only on a national level, there must be international cooperation.

For now, we don’t have government regulation on industrial IT systems, secure OS for critical infrastructures, international treaties, Internet-Interpol, Internet ID’s. We don’t have any of these. We need them but we don’t have them. The only thing we have is technologies. We have many things to do. And I think it’s not only the task for private companies or the task for IT security industry, there must be international cooperation on the government level. Without that, I don’t see the good future and the blue sky for the next years. Unfortunately, we will see much more very serious incidents, more cybercrime, more cyber terrorist attacks, and maybe cyber wars between some countries.

And because we live in the Internet, a cyber war somewhere far away from your country could reflect on you as well, because the Internet is Internet, there are no borders and there are no countries in there. So we depend on IT, our world, the systems are not designed in a secure way. We just entered the cyber war era, so only global cooperation and coordination and better budgets on IT security are the solution for the problem.