Eugene Kaspersky, the Russian cybersleuth who last week revealed the most sophisticated virus yet targeting Iran, was greeted as a hero at the Tel Aviv University conference on digital security on Wednesday. He didn’t pretend not to know why, any more than the Israeli audience that played along with the coy remarks its officials have made about the country’s role in the digital espionage bedeviling the Iranian program.
“Maybe there are some people here who are not happy with work I was doing with Stuxnet and Flame,” he told an audience of more than 1,000 at the university’s annual International Conference on Cyber Security. (Stuxnet was the previous virus that hit Iran, targeting its nuclear program; Flame hit the petroleum industry.) Then the keynote speaker, clad in jeans and an untucked linen shirt, leaned forward and said in a stage whisper, “I’m really sorry.” Waves of laughter and applause followed. “It’s not personal,” Kaspersky went on, drawing out the laughter, which had a quality of mutual congratulation. “It’s my job … So next time, be more careful.”
But when the room quieted down, the guru got serious. Cyberweapons, Kaspersky advised, “are a very, very bad idea.” Whatever advanced knowledge allowed engineers to fashion the malicious software targeted at Iran’s nuclear program will, in short order, become known to other nations, he said, and next time could well be directed back at the originators — the very worry that President Obama reportedly voiced in approving the digital espionage in a joint program with Israel. “I’m afraid that in the future there will be other countries in this game,” Kaspersky said. “It’s only software. Maybe hacktivists will become cyberterrorists. And maybe the traditional terrorists will be in touch with the cyberterrorists.”
“My message is: Stop doing that before it’s too late. The ideas are spreading too fast. There is a genie in a bottle.”
Kaspersky, who was introduced as one of the top four experts on cybersecurity in the world, pointed out that cyberweapons “can replicate,” as Stuxnet did — escaping the Iranian centrifuge machinery that was its sole intended target and infecting computers around the globe. Flame is even more complex, monitoring computers it has infected and even recording conversations; it appears to infect computers disguised as a legitimate Microsoft Windows update. The Russian said his concern is the vulnerability of civilian infrastructure that relies on computer operating systems like Microsoft Windows, which cannot be hardened against attack. The only way to secure systems that deliver water, electricity and the economy is through a newly designed OS with security at its core. And until that new system is developed, he said, any country that launches a digital attack is running a terrific risk. “There are a lot of software engineers in Israel, I know,” he said. “But I don’t think there are enough to do it in three or five years.” In the meantime, he said, “I’m afraid that that cyberboomerang may get back to you.”
Silence greeted the warning. Earlier in the day, Israeli Defense Minister Ehud Barak acknowledged for the first time publicly that the Jewish state has an offensive cyberwarfare capability. The acknowledgment came, however, as part of an emphatic assertion that defending against cyberattacks is far more important: “Our goal with cyberdefense, which is the more important and difficult component, is to prevent damage,” he said. “It is more than we can benefit from an offensive action, even though both aspects exist.”