The early reaction to Kaspersky's concept of developing a secure industrial operating system has been mixed, with little opinion in the middle.
Speaking in Brooklyn, Eugene Kaspersky, CEO of Kaspersky, said there is "no neutral" to his plan to develop a secure industrial operating system platform. "It has been either positive or negative," he said. Kaspersky was in Brooklyn for its NYU-Poly CSAW cybersecurity competition, which serves as a talent recruiting effort.
A month ago, Kaspersky outlined an effort to develop an industrial OS that would be secure. In a blog post, Kaspersky wrote:
First: our system is highly tailored, developed for solving a specific narrow task, and not intended for playing Half-Life on, editing your vacation videos, or blathering on social media. Second: we’re working on methods of writing software which by design won’t be able to carry out any behind-the-scenes, undeclared activity. This is the important bit: the impossibility of executing third-party code, or of breaking into the system or running unauthorized applications on our OS; and this is both provable and testable.
The most positive reaction to the industrial OS concept has come from Europe, notably Germany, said Kaspersky. Success for Kaspersky will be an international network of partners around the industrial OS and a solid use case.
On the negative reaction side, Kaspersky said critics note that "anything can get hacked." The other negative reaction revolves around this question: "Do we trust Russians?" Kaspersky said the details of the system are open, but the big idea is to get industrial software players to take security more seriously.
The effort to build a secure industrial operating system is critical. Why? Cyberattacks are likely to focus on the industrial complex. If blackouts and other disasters ensue, chaos won't be far behind.
What's unclear is whether Kaspersky can line up an industrial use case for its secure OS. "Success is when we have a serious enough industrial environment using our system," he said. The other big win is that a secure industrial complex will deter hacking. "As long as it's cheaper to send cruise missile than to hack then I'm happy," said Kaspersky.
Kaspersky also covered the following topics:
Cyberweapons: The difference between cyberweapons and conventional weapons is that it's difficult to prove who's behind them. Attribution is the biggest issue with cyberweapons and it's easy to peg the wrong sources, said Kaspersky. "The cyberweapon is software that learns and produces," he said. "Stuxnet was made in very professional way, but at the same time it infected 10,000 systems." In other words, the new collateral damage is likely to be enterprise systems. The worst-case scenario would be that malware designed to take out a specific power plant takes out all of them, he added.
What is cyberterrorism? There isn't a set definition, but Kaspersky said he fully expects an attack in the years to come. "The next 10 years we'll see more and more attacks. I'm afraid that other states will join the game. We'll see much more sophisticated attacks," he said. States, hacktivists and terrorists will all be players.
Attribution: Kaspersky added that "we're very far from attribution." "We can only guess who's behind an attack," said Kaspersky. The focus on defense instead of attribution can be dangerous as countries and intelligence agencies all start pointing fingers at each other. Many examples of attacks have been pegged to the U.S., Israel, Iran, Russia and others. The problem is there's no proof and false flags can be planted in the software. Attribution will be the biggest issue for intelligence agencies. Kaspersky said his company will assist agencies, but isn't in the attribution business.
Talent: Kaspersky is doing university tours to push more investment into IT security education. "Every developed economy is in dangerous situation. They depend on IT and it's everywhere," said Kaspersky. The problem: Many systems were designed without thinking through various security scenarios that are surfacing today. "There's high demand for IT security experts. We're very late and don't have enough (people)."
These security experts will be called upon to redesign systems to make them secure. There aren't enough people to manage security either, he said.
He added that there will be a battle between the public and private sectors for talent everywhere around the world. Governments and the private sector will cook up various incentive systems to recruit talent.