A major, global cyberterrorist attack has long been the stuff of fiction, the threat that a malevolent hacker could bring down businesses, sabotage power plants and cause widespread death and destruction by bringing down planes, traffic systems and defence networks.
But whether a scenario like that imagined in the 2007 film Die Hard 4 would happen is now a question of when, rather than if – according to renowned security expert Eugene Kaspersky.
The founder of the independent Kaspersky Lab security company, Kaspersky revealed to the Guardian that a cyberterrorist attack, similar to Die Hard's “fire sale” scenario, is his biggest fear and that the UK and most other nations are ill-prepared for it.
“I’m really afraid of terrorist attacks. I don’t know when or where, but I’m afraid it is going to happen,” said Kaspersky, adding that a potential remote attack on critical infrastructure, including power stations and transport systems, was entirely possible and something he and his researchers had been talking about for a while.
“When I was watching the movie, I had to stop 20 minutes in. It was a shock for me. I was keeping silent on cyberterrorism outside of government and thanks to Hollywood they gave out all these ideas – they opened Pandora’s Box for Stuxnet – so I said, what the fuck is going on, what the hell are you talking about? After 20 minutes I had to get a glass of whiskey and a cigarette,” he said.
While predictions of cyber apocalypse might seem easy to dismiss as conspiracy theory, 48-year-old Kaspersky is is one of the world's leading experts on anti-malware and security, advising governments and security agencies.
‘It was a shock - they opened Pandora’s Box for Stuxnet'
Speaking at his new office in west London, Kaspersky said that before the film, he had forbidden his staff and security researchers to discuss cyberterrorism with anyone other than governments - specifically excluding the media to avoid giving “bad guys” ideas, but now the cat was out of the bag.
“We came to ideas on these type of attacks years before it happened, and well before Stuxnet we were talking about attacks on critical infrastructure to governments,” explained Kaspersky. “The next day after seeing Die Hard 4, I came to the office and said ‘guys, now we’re free to talk about cyberterrorism to anyone’.”
‘Did they get the idea from the film?’
The only record of a cyberweapon designed and deployed to damage critical, physical infrastructure was the Stuxnet worm, which targeted Iran’s nuclear facilities causing real-world damage to its nuclear centrifuges by infecting their command and control software.
Stuxnet first appeared in 2009 when it was a simple espionage tool, according to Kaspersky, while the variant of the virus that contained a lethal payload – one capable of doing real damage and not just spying on data – came later, after Die Hard 4 was released.
“Did they get the idea from the film? I don’t know, but great minds think alike, if you call these gentlemen great,” said Kaspersky with a wry smile.
While Stuxnet was suspected of being a state-sponsored attack, backed by nation state resources and skills, once the complex technology was released into the wild it became open season. On the internet, the worm could be anyone’s tool.
“I’m afraid that Stuxnet and all these cyber weapons are a very bad innovation,” Kaspersky said, looking sombre. “They can be easily copy-pasted; it’s easy to employ engineers, easy to develop very similar weapons, and there could be some very, very bad guys somewhere in mountains who have zero clue about the technology they have, but they can pay and employ people to create it.”
Cyberweapons are like boomerangs, says Kaspersky: once deployed they can easily be repurposed and sent back to their developers, turning an attacker’s weapon against them.
“It’s not possible to copy-paste a cruise missile after it was used; even if you have the cruise missile in your hands, not every nation could reverse engineer it and produce the same. But software is software,” said Kaspersky with a shrug.
Risk one: DDoS attack
There are three different levels of cyber-attack that can be carried out on a nation, according to Kaspersky.
The first is a common distributed denial of service (DDoS) attack, which was routinely seen during the hacking sprees of Anonymous and Lulzsec hacktivists. The principle is simple: bombard a system with requests until it becomes overloaded and can’t cope. The victim is usually a web server, but the same technique could be used to bring down telecommunications systems including mobile phone networks. The same principle that overwhelms the mobile networks on New Years Eve could trigger a network blackout.
These attacks are very difficult to defend against, and the solution is usually just to wait them out. “Unfortunately there are zero ideas, zero things to protect the critical internet, mobile and telecoms infrastructure from DDoS attacks – only plans how to recover after an attack,” explained Kaspersky.
Risk two: attacking critical data
The second type of attack is an assault on critical data. Compromising data crucial to the operation of large companies, industry, infrastructure and government, rather than an individual’s personal details.
This could mean wiping data, but could also mean silently modifying data without the user’s knowledge, which could potentially cause more harm.
Risk three: damaging infrastructure
The third type of attack is the most difficult to execute but also potentially the most devastating.
It would involve attacking critical infrastructure to cause physical damage to systems, machines and buildings - precisely what Stuxnet was designed to achieve.
‘Defence agencies are scared'
How can nations protect themselves against cyberterrorism that could bring a country to its knees and cause death and destruction? The answer, for Kaspersky, lies in national and international regulation.
“I’m afraid that governments have different agencies, and there are agencies responsible for defence and offence. The defence agencies are scared, offence they see it as an opportunity,” said Kaspersky.
Communications infrastructure is very vulnerable to attack but, instead of defence, telecoms companies can build in redundancy and speed recovery so that they can get back on track after an attack.
For the things governments can protect, defence will revolve around technologies, governments and international co-operation, says Kaspersky.
New platforms and secure operating systems are required to protect critical infrastructure and data, making them resilient to attacks and harder for hackers to gain entry into important systems. Governments globally, meanwhile, need to introduce regulation to dictate certain security levels around critical infrastructure.
“Governments have to be advocates and sponsors for the industrial sector, for transportation, for everything, to enable enterprise to upgrade their computer systems to the most safe platforms," he said. "Unfortunately that’s very complicated and very expensive, because they need to redesign all the software."
‘Find the bad guys before they press the button’
Kaspersky proposes three levels of regulation, only through which can a nation beef up security.
The first “zone” would have little to no regulation as there is right now – “like walking in the street” – for individuals and small businesses. The second zone would be for organisations with critical data, regulating enterprise and government departments to protect data. But the third zone, for critical infrastructure, is the most important and would need to be the most secure to protect against the Stuxnets of this world.
Regardless of how resilient one country can make itself, it still requires international co-operation between nations sharing intelligence, “to find the bad guys before they press the button”.
“There are no nations on Earth that can sponsor the International Space Station alone, it takes collaboration,” quipped Kaspersky.
“Espionage attacks [like the NSA’s Prism] are very bad because they kill trust between nations,” explained Kaspersky, who said he was sure that every nation conducts similar programmes to that of the US’s NSA and the UK’s GCHQ mass internet surveillance. “They stimulate nations to fragment the internet, to invest more into their national IT projects, which is obviously good news for the local companies, but it will damage big enterprise, global internet companies. And I’m afraid it will slow down new innovations, and cyber evolution.”
“In cyberspace there is almost no distance from espionage to cyberweapons because it is very easy to upgrade one to the other at the push of a button,” warned Kaspersky.
Protect the UK from cyberattack
Most nations around the globe are aware of the cyberweapon threat, and have been for some time. The UK, for instance, has plans in place and under development to protect the UK from cyberattack. One of the schemes is undoubtedly the GCHQ surveillance programme, but GCHQ is supporting the UK’s cyber strike force.
Operated by the Ministry of Defence (MoD) as the digital arm of the military, the Joint Forces Command is recruiting hackers both into a mainstay force of the Joint Cyber Unit based at Corsham and Cheltenham, but also into a Joint Cyber Reserve similar in operation to the current army, navy and air force reserve forces like the Territorial Army.
While most of the preparations for cyberwarfare are unknown, it was recently revealed that the MoD is developing a secret, multi-million-pound research programme into emerging technologies including the use of social media and psychological techniques harnessed to influence people's beliefs.
What is clear, however, is that in Kaspersky’s opinion the world is currently ill prepared for a new wave of cyber-attacks and cyberterrorism, and that is unlikely to change overnight, especially with the global economy still reeling from the financial crisis.
• Carry on leaking: when corporate security goes really, really wrong
