Cyber espionage between nations has reached such damaging levels it risks not only the trust between friendly countries, but the future of the internet itself.
That is the view of Eugene Kaspersky, the ebullient chief executive of Russian security firm Kaspersky Labs, who is in Canberra this week to deliver the message to politicians and business leaders.
Speaking ahead of his speech to the National Press Club on Thursday, Mr Kaspersky told Fairfax Media he was “very surprised” and concerned about the extent of espionage currently undertaken by Western countries. He also warned Australia to invest in educating a new generation of security engineers to future-proof its critical systems.
“Cyber espionage is not new,” he said. “We knew that from years ago, but I did not expect it in such a huge scale and coming from so many different nations.”
Mr Kaspersky said he feared governments would withdraw to their own parallel networks away from the prying eyes of others, and would cease investing in the development of the public internet, products and services.
“If governments and enterprises exit the public internet, there will be a lot less investment. If they emigrate to a separate zone, I’m afraid the internet will have a crisis.”
Last week Fairfax Media exposed Australia’s own spy network, based in its embassies in the Asia Pacific region. Germany, Spain, France, Brazil and Mexico have protested revelations of surveillance by the United States, while Brazil is attempting to pass legislation that seeks to segregate storage of its citizens’ communications from the US-centric internet.
Mr Kaspersky said data from his research labs cross-referenced with leaked documents and media reports confirmed the extent of efforts by the US, Britain and China to conduct massive surveillance of other nations.
Australia and Russia were engaged in cyber espionage too, Mr Kaspersky said, but the malware data was less conclusive.
Like other anti-virus companies, Kaspersky Labs has visibility of the number and frequency of malicious software programs caught by more than 300 million clients’ computers around the world. It uses that data, and the virus and Trojan samples collected, to reverse engineer the malware. This helps determine their creators’ goals and the methods necessary to guard against them.
It also forms the basis of early warnings the company issues to intelligence agencies including Interpol, Europol, the United Nations, various national cyber police departments, and its enterprise clients.
Mr Kaspersky said viruses such as Stuxnet, which is believed to have crippled Iran’s nuclear facilities, Red October, Flame and Duqu, were just the better known sophisticated engineering feats costing millions of dollars each to develop, test and deploy. Such malware was not the work of criminal networks intent on financial gain. Red October was first identified by Kaspersky Labs in January. It had been in place since 2007 and victim organisations were “embassies, consulates and trade centres”, the company said at the time.
“Most of the malware made by criminals we can easily recognise because we can see the names of [target] banks, for example, but there are different malware [programs] that are multi-component, with such high complexity behind them … criminals don’t need such complicated malware, theirs is much simpler,” Mr Kaspersky said.
Chinese malware is easier to identify, he said, because not much effort is spent trying to conceal its origins; Western examples, however, were highly disguised. Only now, after cross-referencing the data following the Edward Snowden revelations, was it possible to confirm the extent of cyber espionage by other nation states.
Earlier this year another security company, McAfee Labs, uncovered evidence suggesting attacks on South Korean banks and media companies in March and June were in fact connected to an ongoing cyber espionage campaign designed to compromise US and South Korean military systems and, when necessary, destroy them. It called it Operation Troy.
But Phil Kernick, a security expert with Australian-based firm CQR, said ongoing espionage would cause more damage to the US and US companies than the internet itself and would lead to more data encryption.
“Eugene is right that the internet is going to change, but not a lot. It will lead to a point where we don’t trust the cables and there is more anti-American sentiment. We’re already seeing Brazil, Germany and others talking about their own national email services [to protect citizen data]. It’s an American problem, a problem for Twitter, Google and Facebook,” Mr Kernick said.
Mr Kaspersky will also use his speech to warn Australia to protect its networks and mission-critical systems from sabotage. He said most SCADA and critical infrastructure around the world was old and not adequately prepared for the technical sophistication available to perpetrators today.
Last week a network of tunnels in Israel was reportedly hit by a cyber attack and shut down.
Mr Kernick said software used to control industrial systems such as transport, air traffic, manufacturing and mining was “awful and full of bugs”.
“The level of security knowledge of SCADA engineers and vendors is 20 years behind everyone else. Vendors charge $300,000 for software upgrades, there are no free patches as with business software, consequently there’s a lot of orphan, unsupported software in use,” Mr Kernick said.
Mr Kaspersky said the only way to safeguard critical infrastructure systems from targeted attacks was to invest in education.
“This is really bad news. Not one nation has the number of engineers and budgets to upgrade their systems,” he said.
“The first step is to develop a cyber resilience strategy; the second is to invest in education. Australia needs to grow enough cyber security engineers. Australian technical universities need greater investment in their IT streams. We have a very big shortage around the world.”
Mr Kernick said vendors needed to invest in their systems too, if they were to be resilient to cyber attacks.
A matter of trust
During his address to the Press Club, Mr Kaspersky was asked if he’d allow Chinese telecommunications giant Huawei to provide services to Australia’s national broadband network (NBN) if he was in charge of the project. The company has been banned from NBN Co on security advice from ASIO. It was also the subject of adverse findings by a US Senate security report.
“IT business and IT security is a business of trust, only companies which are trusted can be suppliers of national products,” he answered, before saying companies that wanted to change how they were perceived needed to open their code and products for scrutiny.
He said, as a Russian, he has faced similar questions: “We are opening an office in [Washington] DC for this reason. We will send our source code, you can check our source code. You’re welcome.”