Eugene Kaspersky: There's 'no neutral' on his secure industrial OS concept

Summary: Kaspersky's CEO discusses the early reaction to his company's secure OS, cyberweapons, attribution of malware and the security talent crunch.


The early reaction to Kaspersky's concept of developing a secure industrial operating system has been mixed, with little opinion in the middle.


Speaking in Brooklyn, Eugene Kaspersky, CEO of Kaspersky, said there is "no neutral" to his plan to develop a secure industrial operating system platform. "It has been either positive or negative," he said. Kaspersky was in Brooklyn for its NYU-Poly CSAW cybersecurity competition, which serves as a talent recruiting effort.

A month ago, Kaspersky outlined an effort to develop an industrial OS that would be secure. In a blog post, Kaspersky wrote:

First: our system is highly tailored, developed for solving a specific narrow task, and not intended for playing Half-Life on, editing your vacation videos, or blathering on social media. Second: we’re working on methods of writing software which by design won’t be able to carry out any behind-the-scenes, undeclared activity. This is the important bit: the impossibility of executing third-party code, or of breaking into the system or running unauthorized applications on our OS; and this is both provable and testable.

The most positive reaction to the industrial OS concept has come from Europe, notably Germany, said Kaspersky. Success for Kaspersky will be an international network of partners around the industrial OS and a solid use case.

On the negative reaction side, Kaspersky said critics note that "anything can get hacked." The other negative reaction revolves around this question: "Do we trust Russians?" Kaspersky said the details of the system are open, but the big idea is to get industrial software players to take security more seriously.

The effort to build a secure industrial operating system is critical. Why? Cyberattacks are likely to focus on the industrial complex. If blackouts and other disasters ensue, chaos won't be far behind.

What's unclear is whether Kaspersky can line up an industrial use case for its secure OS. "Success is when we have a serious enough industrial environment using our system," he said. The other big win is that a secure industrial complex will deter hacking. "As long as it's cheaper to send cruise missile than to hack then I'm happy," said Kaspersky.

Kaspersky also covered the following topics:

Cyberweapons: The difference between cyberweapons and conventional weapons is that it's difficult to prove who's behind a cyberweapon. Attribution is the biggest issue with cyberweapons and it's easy to peg the wrong sources, said Kaspersky. "The cyberweapon is software that learns and produces," he said. "Stuxnet was made in very professional way, but at the same time it infected 10,000 systems." In other words, the new collateral damage is likely to be enterprise systems. The worst case scenario would be malware designed to take out a specific power plant taking out all of them, he added.

What is cyberterrorism? There isn't a set definition, but Kaspersky said he fully expects an attack in years to come. "The next 10 years we'll see more and more attacks. I'm afraid that other states will join the game. We'll see much more sophisticated attacks," he said. States, hacktivists and terrorists will all be players.

Attribution: Kaspersky added that "we're very far from attribution." "We can only guess who's behind an attack," said Kaspersky. The focus on defense instead of attribution can be dangerous as countries and intelligence agencies all start pointing fingers at each other. Many examples of attacks have been pegged to the U.S., Israel, Iran, Russia and others. The problem is there's no proof and false flags can be planted in the software. Attribution will be the biggest issue for intelligence agencies. Kaspersky said his company will assist agencies, but isn't in the attribution business.

Talent: Kaspersky is doing university tours to push more investment into IT security education. "Every developed economy is in dangerous situation. They depend on IT and it's everywhere," said Kaspersky. The problem: Many systems were designed without thinking through various security scenarios that are surfacing today. "There's high demand for IT security experts. We're very late and don't have enough (people)."

These security experts will be called upon to redesign systems to make them secure. There aren't enough people to manage security either, he said.

He added that the public and private sectors everywhere around the world will battle for talent. Governments and the private sector will cook up various incentive systems to recruit talent.


Topics: Security, Enterprise Software

  • Seriously?

    "As long as it's cheaper to send cruise missile than to hack then I'm happy," said Kaspersky.

    Any sane person would rather that their utility company was hacked and power lost for some hours, than to have a missile headed toward their city. If it were true that the enemy always took the easier attack route, vs. the most deadly one, I'd say "as long as it's easier to hack than send a cruise missile, we're ALL happy!".
    • The cost of cruise missiles

      I was also taken aback by that statement until I thought about it further. A cruise missile costs $1,000,000+ per missile. If $1,000,000 is cheaper than the cost of hacking a system, then he feels he has sufficiently hardened a system to deter all but the most determined hackers. It is no longer cost effective to hack a system at that point.
    • Think industrial hacking through

      A compromised refinery can be hacked to kill more people than a cruise missile. The defenses against such hacking are much weaker than against missiles. It is perfectly sane to prefer the missile strike because it reduces the potential attackers.
    • Absolutely!

      Missiles can be tracked. We know who fired them, can interdict them all now, and can immediately counterstrike the attackers. Also, missiles are much more expensive to produce and use, and the materials to make them can be monitored. But we cannot find hackers and punish them and the countries that use them, yet their efforts can be much more devastating to us than any missile hit. Only a handful of countries could afford a nuclear missile for an EM hit that would knock out all our electronics and most electrical devices in the US, but a hacker from some village in Afghanistan or Iran or any country could turn off and destroy all computerized systems in America--so which is really more dangerous? For now, hackers are much cheaper and more secure to use than missiles. In early 2000, Marxist and Islamic hackers from nearly every country participated in attacks on American systems. This proved that any disaffected person in any country could get wind of an initiative to hack US computer systems and work in tandem with others they never knew, and do from any system they had available, including their own work computers.

      So, yes, preferring missiles to hackers is a saner position than preferring hackers to missiles--certainly from the defending country's point of view.
    • Missile attacks are far less a threat than a national cyber attack

      You clearly have no concept of the type of damage a well planned and coordinated cyber attack could have on the US. For one, right now most of our critical infrastructure has been compromised by foreign states. If we were to go to war with Iran or China, they could theoretically shut down our power and water with a few strokes of the keyboard. Imagine the chaos and death that would ensue on a national scale. Meanwhile, individuals can wreak severe damage or impairment to enterprise and government systems and they currently are doing just that on an almost monthly basis. A recent example is the attack by Anonymous on Israeli banks. And this is not even to mention the massive cyber espionage already underway by governments and corporations alike, which could potentially cost our economy billions of dollars and give our competitors a strategic advantage over us using our own technological secrets. Currently, the Chinese operate a juggernaut of a cyber espionage program against us and so this threat is very real.

      So what's more dangerous to America? A million dollar cruise missile or a hacker with a $100 netbook? I hope these facts knock some sense into readers who think otherwise.
  • "and this is both provable and testable."...

    Only if the software has no ability to do any type of firmware upgrades. Period.

    At best software is testable. Any moderately complex software (as in greater than a few dozen lines) is almost "unprovable".
  • The cost of hacking

    Techboy_z, I think I agree with Kaspersky when he expressed happiness at the high cost of hacking... at least the way I read it he meant that an exchange of cruise missiles is unlikely because of the high cost (in financial and human terms), so if hacking is even costlier -- for whatever reason -- it is even less likely...
  • FUD

    This is so self serving, anyone who uses MSFT OS software and expects security is foolish, and anyone who thinks a single company can write a useable OS from scratch is also foolish. UNIX is and has been the standard for network security and will always be.
    • Apparently not when an expert above says

      and is looking beyond what is out there what does he know that you obviously do not.
      • Easy

        The growth prospects of his business as devices go mobile and oses become more secure, as they have.

        New markets.

        But an os is tied to a processor and compiler and just how different is CRM software from the social networking he pooh poohs? Computing is about applications not the operating system.
    • Windows Can Be Made Secure--Through Open Source

      In 1995 I attended a weeklong training seminar on the Fundamentals of Unix at Hewlett Packard in Atlanta GA. While there I met with a small group of IT people from a Fortune 500 company. They had backward engineered Windows 3.11 and made it faster, better and more secure--and added features they needed that Windows didn't provide. This was just before the release of Windows 95 and these people had assured me that they intended on re-writing the code for Windows 95 too. When I asked them what they would do when Microsoft discovered they had backward engineered their product, their answer was that their accounting guys had studied the matter and the lawsuit would only cost them 10% of expense to maintain and fix all the problems Windows would normally cause them in their many offices in any one year.

      My point is that if we require all computer software to adhere to the Open Source concept, lawsuits like this would be eliminated and businesses could make modifications on the software they buy. For instance, if I buy a Toyota truck, and want to replace the fuel-injection system with one I made for it, which could add nitrous to the fuel, if Toyota finds out about it I won't have representatives from the company at my door the next day saying I violated my contract--I didn't really own the car, but only bought the rights to use it, so now I am being sued.

      Microsoft's insistence on this kind of "ownership" will eventually have a negative impact on all purchases, even for items that are not software. For my part, I ignore the contractual statements on installation that say "if you push this button, you agree to be bound by the above contract." Nope! Pushing a button is not the same thing as signing a contract. And if I buy something, software included, I own it and have the right to modify it (but not resell the software once it is modified) just like anything else I buy, as much as I please. Otherwise, all sales are rentals, and no one but companies own anything.

      My point here is that companies can make even Windows secure, if they want to do the work. Applying Open Source assumptions to all software would make it safer for any company to make such modifications and would result in much more efficiency in the long run. Not to mention it won't endanger our rights of possession.
  • secure OS

    It is secure only if
    you do not allow any access from the outside Net-world
    and from that point of view 1970'S C 64 was a secure OS !!
  • Finally some sense

    I can write the software he is looking for or at least head the development.
    I think maybe it is because I come from the same part of the world where Eugene is from that I can relate to what he would like to see accomplished.

    I've never understood what happened to software engineering that permitted rogues to interfere with other people's computers.

    We have an OS that has 'security' updates every month which essentially makes the OS a beta version which the end user is the eternal tester. If I understand it correctly, it's IE that's the major problem.

    I hope he succeeds.
    • you can write a secure os from scratch?

      In Russian they say that a young bull is free to ram an oak tree.
      • You're knot kidding!

        "I'll be here until Thursday. Try the veal."
    • secure os

      If your measure for an OS is Windows, then your security expectations are rather low. Anything will be more secure than Windows. That won't make it any secure by today's standards.

      All this Kaspersky self-advertising is actually a nonsense. There are enough secure operating systems already. Just the public know very little about them, if any.
  • just don't connect to the internet

    It's pretty impossible to hack someone's computer if it's not connected to anything. Now send me my 1,000,000 bucks please! :) At least until people stop killing each other for stupid reasons and we don't even need the missiles in the first place...
    • Yeah? Can you imagine . . .

      . . . running a modern power grid without real-time data exchange between generators, distributors, substations, etc.?
  • Sounds like their 'secure industrial OS' is Linux based.

    They probably don't want to mention that, as that would ruffle some pretty big feathers.

    Germans are huge contributors to open source and Linux, and "secure industrial OS" describes Linux, too.
  • Proven inviolability?

    Seems I heard a similar story back in the late 70's and early 80's about a UK Ministry of Defense initiative around a mathematically "sound" processor called VIPER. I guess folks worried about bugs in processor design back then (and now they are thousands of times more complex?). Not surprisingly, if a timing error has a one in 100 million probability of occurring and you're processing tens of millions of instructions/second, you should probably watch out, if your life depends on it.

    The reality of security is that it ultimately comes back to people, especially the authorised ones.