Computerworld: You have argued for the creation of an ‘Internet Interpol’. How might that and law enforcement agencies work together to combat cybercrime?
Eugene Kaspersky: One of the main problems with investigating cybercrime is that cyber police departments are not connected and they are in different countries. Sometimes they co-operate, but not usually. Sometimes cybercrime police are not interested in investigations because the criminals are in another country so the benefits will come to the police in different countries.
The problem is that they are disconnected and so we need to see how they can work more closely together. The idea [of an Internet Interpol started] with the 2001 European Convention on Cybercrime — but the convention is not about an Internet Interpol.
Its rules help to assist with investigations, but unfortunately, it has a very critical article called 32B. It is about cross border access to infected systems during investigation. It means that police departments are allowed to have cross border access to the computer systems. Because of this article, many countries refused to sign this convention.
After 10 years there are about 30 countries who have signed. These countries include North America, South Africa, Japan and Australia. I don’t believe that the United States will open its network for investigators from Russia, China, Latin America or the Middle East. The same is for those countries; they will never open access to the United States or other regions.
This European Convention about Cybercrime is, in my view, dead boring. It doesn’t work and people from the European Parliament disagree with me. Unfortunately, I am afraid that we will be waiting a long time before the European Convention introduces it.
Sooner or later, I think we will have something like an Internet Interpol, but at the same time there is a need to have a criminal Internet legislation. They have to adapt computer laws to the same standards because in some countries, they are different. For example, in Japan, there are no criminal acts for cybercrime. I was sure that Japan had such laws but they don’t.
Sooner or later this organisation will be introduced, but I don’t know if it will be an independent international organisation or part of traditional Interpol or under the jurisdiction of the United Nations.
The existing Internet Interpol can’t investigate international cybercrime because the Interpol is designed in a different way. It is designed to find the right [police] contacts in different countries.
With cybercrime, it is different because there are no borders and the criminals can easily immigrate from country to country when they access victims. They can use proxy servers in different countries so there must be contacts in many different countries and there has to be one organisation responsible for all investigations.
What is the state of Cloud security?
There are two issues with Cloud security. First of all, the security technologies that use Cloud are new elements and there is an interesting shift happening in the security industry. The companies provide more and more services that are based on Cloud technology and that’s good news, because that makes the life of cyber criminals harder.
The second issue is that when the enterprise is government or businesses allocate data in the Cloud there is a serious security issue because when they keep it in-house or at end points, the company who owns that data is responsible for security. You own that and manage security for that. If the data is allocated in the Cloud than who is responsible for security?
The company which provides this service. If you leave your personal data in the Cloud who guarantees that no one else has access to that? There are many issues and unfortunately there are more incidents where Cloud services are hacked and it is leaked in a rain of data.
Do you think Anonymous are hacktivists or cyber punks causing trouble?
The hacking landscape is not the same. There are different cyber criminals who steal data to earn money or engage in cyber sabotage, such as those responsible for the Stuxnet worm. At the same time, there are hackers who only hack systems to learn. They don’t damage the systems and just get inside to see the application work.
Hacktivists which crack websites because of political or religious issues, I don’t think that is a good thing. But if they hack a website which has bad content or not so legal, these ones are a shade of grey. If you talk about hacks on websites that are questionable than I will never do that myself. My principles won’t let me do that.
What is your view on WikiLeaks?
With WikiLeaks, I think it’s dangerous to publish every piece of information that can damage others. For example, if your neighbour forgot their key and left it in their door, it’s a bad idea to cry to the whole city, "Hey that man forgot to lock his door”.
If we receive information which is confidential, usually about vulnerabilities in software, we help to fix this mistake. When it is fixed, we delete this information. We don’t want to have 15 minutes of fame, that is not my style. We are working to protect this world and make it more secure.
Personally, I am conservative with information. For example, there are comments made by politicians and they are leaked it damages cooperation between these countries. It works against international cooperation. If you want to have a war than it is good. If you want to have a global economy that works better than it is bad.
What are your thoughts on cyber warfare? Will China become a problem for the West?
There are several countries that have announced they have military cyber forces. Every country that has resources to allocate for this to develop a cyber weapon is very dangerous for others because the Internet has no borders. I don’t want to place China first in the list of countries that has threats because we don’t have enough information about China, as their government doesn’t report to us.
We are living in an age of new technology with the help of hacking which to some people does not look serious. When the Wright Brothers invented the aeroplane, the US military did not take the technology seriously. It was the French who took the technology seriously.
It doesn’t look like we could have a war in the Internet, but with the help of IT systems it is possible to have sabotage. After that there is the industrial environment which are managed by IT systems. There will be more strict government regulation for infrastructure.
Given the fact there has been a lot of attacks on security vendors such as RSA recently, what is Kaspersky doing to protect itself?
One of our regional websites was hacked last year than there were other reports of our partners getting attacked. We are victims of distributed denial of service [DDoS] attacks. Sometimes the attacks are serious but we have a distributed service so our customers and visitors don’t recognise that. I never hear about a serious attack on our corporate head quarters site and pray our perimeter is protected in the right way and we have invested heavily in security, but there is no 100 per cent security. The only example of 100 per cent security is when you are dead and in a coffin.