Source code sunlight secures government trust says Eugene Kaspersky

Kaspersky flag

By Julian Bajkowski

The global computer security industry has spent at least a decade scaremongering and hyping-up the threat of Russian hackers and cyber-assailants through marketing and lobbying.

So it perhaps shouldn’t be a surprise that when Kaspersky Labs founder, Eugene Kaspersky, took to the stage for his first National Press Club (NPC) in Canberra on Thursday, he was met by room filled with pre-warmed securocrats, diplomats and government ‘advisory’ types.

At a time when the covert surveillance activities of the US, Australia and other partners of the ‘five-eyes’ community are attracting all the unwanted attention they go out of their way to avoid, the intelligence value of assessing Russia’s best IT export, live on stage, was clearly worth more than the ticket price alone.

One quote encapsulates Kaspersky’s personal and corporate philosophy: “I am paranoid, but at the same time I am optimistic. We will survive. I don’t know how, but we will survive.”

It’s fair to say that resisting intrusions is not altogether new to the Russian psyche.

The Kaspersky pitch to government, enterprise and consumers is simple: if you think the malicious code that Russian criminal hackers string together to outwit banks is world class, wait until you see the gear used to ferret the evil buggers out.

That’s paraphrasing it a little, but as far as security vendors go, the Kaspersky messaging is frank, candid and fiercely independent. Refreshingly, it’s also full of positive and irreverent humour that demystifies once ephemeral threats into tangible human behaviour.

Take the bogeyman of ‘cybercrime’ which is often blended with other online nasties like identity theft and online credit card and banking fraud.

In terms of risk to the global economy and international relations, Eugene Kaspersky personally rates it third behind cyber espionage and online cyber attacks against critical infrastructure (power, water, communications).

Kaspersky puts the number of cybercrime participants in the tens of thousands, before likening it to the impersonal and rudimentary pursuit of stealing someone’s wallet. As the barriers to entry drop, what was once a sophisticated and elite crime loses its kudos, and becomes endemic.

It’s now a low margin, high volume game.

“There are more and more stupids coming to this business,” he says without a hint of irony.

What he is more confounded by is the fact that it has taken until now for “Internet Interpol” – or the digital equivalent of cooperative cross-border policing – to finally get stuck into what is essentially a borderless crime.

“Finally Interpol is opening [its] cyber division in Singapore. I was talking about ‘Internet Interpol’ for ten years,” Kaspersky says.

He is at pains not to take credit or ‘one-up’ the move, but rather point out that as economies and societies change rapidly, regulators need to keep pace and take account of the fact that borders effectively disappear.

“Cyber criminals operate in the same territory, but national cyber police departments, they are disconnected,” Kaspersky says. “It’s very difficult to build a relationship. Now it’s not as bad, but in the beginning years ago, it was really bad.

“We must have an international body to supervise cyber investigations,” he says.

Kaspersky believes that a more potent threat is cyber espionage. He recalls that on one investigation his company found two hostile data surveillance programs from nation states on servers of another government.

“There are so many espionage attacks that I think that all the data is stolen, globally – at least twice,” he half jokes.

“There are big budgets, and I didn’t hear it from Mr Snowden. Such attacks like Stuxnet, Gauss, Flame, Red October – I’m pretty sure there were millions or tens of millions of dollars budget behind this … If they really want to hack you they will do it. The question is how much money they are going to spend on that.”

A more blunt way of putting that is that intruders have to burn through more money to grind through defences and cryptography than the prize on the other side is worth.

“The hack must be more expensive than the [value] of information, that’s just very basic economy,” Kaspersky says.

One of the big problems is that as the price of software development drops through phenomena like cloud computing that allow cheap testing at scales never seen before, so too does the cost of malicious code development and hacking tools.

At a nation-state level, there’s clearly some rutting going on, but in the world of money and looting online merchants, it’s not so much a doomsday scenario as a race to the bottom.

Kaspersky reckons he knows who is winning and why.

“The main danger is from the Russian-speaking criminals because they are the most smart guys… The reality is that the Russian technical education system still works very well.”

That’s a message that banks in developed economies may not want to hear.

Pushed on the issue of whether so called ‘backdoor’ technologies could be present in infrastructure from non-Western firms like Huawei, Kaspersky pushes the full disclosure protocol, especially on the source-code front.

“If I was the CEO of Huawei I would open the technologies, [under non-disclosure or only on a government level] as an excellent guarantee and to present that there are no backdoors. It’s obvious,” he says.

As for what impact recent revelations of massive global and domestic online spying and surveillance revealed by highly classified leaks made public by former National Security Agency contractor Edward Snowden, Kaspersky view is simple and pertinent.

“The major effect of Mr Snowden is the fact that Mr Assange is no more important.”

Securocrats don’t often giggle in public that often, but Kaspersky appears to know how and when to tickle.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter

Leave a comment:

Your email address will not be published. All fields are required