The cybervirologist
Eugene Kaspersky has a keen interest in aerospace and astronomy. During his visit to ETH Zurich, the Russian IT entrepreneur was still visibly fascinated by Buzz Aldrin, the second man on the moon, and Brian May, guitarist of the legendary rock group Queen, who is also an astrophysicist, after meeting both of them shortly before at the Starmus Festival in Zurich.
"Eugene Kaspersky is a legend, too", said ETH President Joël Mesot when he introduced the guest at ETH. Perhaps in a rather less spectacular field – cybersecurity – but one that is becoming increasingly important. In the space of 20 years Kaspersky, who studied mathematics and physics, has built up a globally leading security software company. Beatrice Lombard-Martin, President of the Swiss Russian Chamber of Commerce & Industry, which partnered with ETH Global to facilitate the visit, called him a builder of bridges between the Swiss and Russian science and technology sectors.
Online bank robbery
In his lecture, Kaspersky drew a picture of the current state of cybercrime and his strategy for addressing it. He said that malware falls into three groups. The first comprises programs with comparatively low complexity, but what makes them stand out is their sheer numbers: in 2018, Kaspersky registered some 380,000 new malicious scripts every day worldwide. “There is an enormous amount of work to be done in the fight against malware, and more engineers are needed. This field holds great opportunities for graduates of your university, too,” Kaspersky said.
The second, far more dangerous category is highly sophisticated attacks. While governments are behind 90 percent of these attacks, 10 percent are of a criminal nature, Kaspersky said, with the latter normally aimed at extorting money. “These hackers – most of them highly trained engineers – are becoming more and more professional,” he said. As an example, he cited the Carbanak case: between 2013 and 2015, cunning Russian cybercriminals succeeded in hacking global banking systems by infecting bank employees’ computers and slipping into their roles, enabling them to make off with a reported one billion dollars.
Kaspersky defines the third group as sabotage attacks on infrastructure, usually politically motivated. No company today can escape the Internet of Things. “But when everything communicates with everything else, the risk of large-scale damage increases, too.” This was dramatically demonstrated by a hacker-engineered blackout that affected 700,000 people in Ukraine in late 2015. Malware had made its way into an energy utility’s system, presumably through fake e-mails carrying an infected Word file. The computer worm Stuxnet, which began infecting primarily Iranian nuclear facilities no later than 2007, is another example, and one that is still considered singular in terms of its complexity and the effort expended.
Attacks mustn’t pay off
But what can stop cybercriminals? "The price of an attack must be significantly higher than the damage it causes", is Kasperky's answer. Conventional security architecture, which attempts to safeguard critical systems, is no longer enough. These systems have to be made “immune”. One way Kaspersky’s company is aiming to achieve this goal is by controlling industry processes – for instance by ensuring the proper interplay of IT components from different suppliers.
Another weapon in the fight against scam attempts is an operating system with built-in security functions for large-scale and connected systems. In this operating system, programs can execute only documented operations. If application developers were to generate faulty code, it would lead to undocumented behaviour, which Kaspersky’s operating system would immediately block.
A knowledge-sharing hub in Zurich
In the discussion that followed, ETH President Mesot asked the speaker whether he thinks the global issue of IT security calls for global regulation. Kaspersky said that it is not possible to restrict the Internet, despite any attempts to do just that – for instance in China. Accordingly, the issue must be addressed, he said, at international level and across the spectrum of interests. His relatively small company offers a way to do this, for instance at its Transparency Center near Zurich, where industry partners, administrative bodies and even the research community could examine the company codes and rules for identifying threats. Also with ETH Zurich t alks are currently under way regarding a potential partnership.