Terror groups, not nation states, are the most likely to unleash devastating cyber weapons, according to Eugene Kaspersky, chief executive and co-founder of security firm Kaspersky Lab.
“I am 99.99% sure some nation states have developed top secret cyber weapons,” he told attendees of IPExpo at Excel in London. Unlike traditional weapons, cyber weapons can be reverse engineered, improved and used on those who developed them, so nation states are unlikely to use them on each other.
“But I am really afraid some terrorist group will pay cyber criminals to develop and deploy such weapons on their behalf,” he said, noting that some cyber criminals work like mercenaries, providing cyber crime services to anyone who is willing to pay.
Kaspersky said cyber weapons are likely to fall into one of three categories: those aimed at causing physical damage, those aimed at destroying critical data, and those aimed at telecommunications.
He cited Stuxnet and attacks on power suppliers in Ukraine as examples of the first, the attack on Saudi Aramco as an example of the second, and the telecommunication blackout in Estonia in 2007 as an example of the third.
“We are living in a dangerous world, where we can’t trust anything. Cyber is now just about everywhere, and it is vulnerable. Everything can be stolen and is open to compromise,” said Kaspersky.
Critical infrastructure is the most “problematic” and probably the “scariest” area, he said, because cyber criminals are well-resourced and can attack even well-protected networks.
“Cyber criminal groups are very professional and have shown that they can get past the security of well-known companies that typically invest a lot in cyber defence,” said Kaspersky.
He warned that all operating systems are under attack. “It is not only Microsoft Windows, but also Android, Mac OS, Linux and iOS,” he said.
There are still only around 600 aimed at iOS, but Kaspersky believes nation states are behind most of those. He also attributed the lack of Mac OS threats to the lack of good Mac OS engineers.
“We struggle to find good Mac OS engineers to work for us, and I am guessing that cyber criminals have the same problem.”
Despite painting a gloomy picture, Kaspersky said the situation was far from hopeless because there are things that can be done to reduce the likelihood and impact of cyber attacks.
According to Kaspersky, essential practices for enterprises for protecting critical data include regular security audits and sound cyber security strategies, minimising all network connections by allowing only those that are absolutely necessary for the business to function, and allowing only trusted applications and processes because “endpoint security controls are not enough on their own”.
Essential practices for operators of industrial control systems, particularly operators of critical infrastructure, include air-gapping critical systems, continually monitoring trusted processes using a secure operating system, and putting all new equipment onto secure operating systems.
In support of this approach, Kaspersky Lab has developed a secure operating system for its process monitoring system, a combination that critical infrastructure operators can use until they are able to migrate all systems to a secure operating system.
“This migration process will take years, but the sooner we start, the sooner we will be in a position that is much more secure,” he said.