This article first appeared in The Edge Malaysia Weekly on September 11, 2017 - September 17, 2017
COME year-end, one of the highlights in the annual recap of events that made 2017 memorable will undoubtedly be the massive WannaCry ransomware attack that took place in May.
Infecting over 220,000 computers running the Microsoft Windows operating system across 150 countries, the massive global attack that encrypted data and demanded ransom payments began on May 12, a Friday, before trickling to a stop after a kill switch was found in the ransomware to break its hold on infected computers.
InfoWatch Group president Natalya Kaspersky tells The Edge in Monte Carlo that there was actually nothing special about the WannaCry ransomware. Kaspersky is the co-founder of Russian multinational cybersecurity and anti-virus specialist Kaspersky Lab, which she exited in 2011.
“It’s actually quite a simple virus. Well, not exactly standard, but there was no technological breakthrough in itself. It’s just the way it affected a very large number of victims all around the globe that caught everyone’s attention. Another interesting thing about it was that the security update for the systems was actually available but people didn’t take care of it until the attacks took place and the scale [of the attacks] was reported by the media,”she says.
“But when we look back at the virus, it contained a bug through which it was possible to break it and decrypt the files. With ransomware, that’s not always the case. Very often, it’s impossible. But here, it’s a ransomware with vulnerabilities, through which it was possible to cure or recover the files.”
Though the scale of the attack was unprecedented, Kaspersky’s concern is not so much what the next wave of such attacks will bring, but the threat posed by the Internet of Things or IoT.
“For me, it wasn’t WannaCry. It was last year’s attack of the Mirai Virus. It was actually the first time that an attack through the IoT took place. The attackers used [tens of millions of] web cameras to send simultaneous signals to the largest American DNS (domain name systems) provider, a company called Dyn. This forced the company to shut down all its largest servers, [affecting] sites such as Twitter, PayPal, CNN, The New York Times ... you name it. The attack caused these websites to be unavailable for several hours, even though Dyn has huge and multiple layers of protection,” she says.
Dyn maps Internet domain name for end-users, that is, it matches the searches of domain names entered into a web browser to its corresponding IP address.
In the attack that took place on Oct 21, a giant botnet — a network of IoT devices infected with the Mirai Virus, including routers, printers and other smart gadgets — executed a distributed denial of service (DDoS) attack by flooding Dyn with lookup requests from tens of millions of IP addresses.
Consequently, many Americans woke up to find many of their most popular websites unavailable that morning — it reportedly affected 85 major sites. The attacks, which started in the morning and came in three separate waves, ended later in the evening.
“The Mirai Virus created a very big worry about the IoT. Because what the IoT is, if you think about it, is the internet which gets injected into normal, everyday things we use. And this means, I’m sorry to say, a very significant decrease in the level of security,” says Kaspersky.
She explains that this happens because many IoT devices are not secured as it is impossible at this juncture to secure all of them when technological advances are happening every day. So, security companies “simply can’t keep up”.
“I give you an example: We regularly invest in different companies and one day, a company came to us seeking for investment. They said they were providing some IoT devices. My first question was, ‘How would you protect your devices?’ The answer was amazing and very standard: ‘We have thought of it but we haven’t implemented yet. But after we sell the first hundreds of thousands of devices, we will certainly implement encryption or something’.
“This means the people who buy their stuff will be vulnerable. Imagine WannaCry on them. Imagine it [attacking] transport systems, smart cities or electricity systems. Many buildings now are full of little sensors which are getting Internet connected,” Kaspersky says.
She warns that when IoT is integrated into a system, the vulnerability level can immediately jump about 10,000 times, “[even for] energy stations, which has a level of security like 99.9999% now”.
These are the things people are not considering, she says. “You have to understand that the strength of security you have is equivalent to the weakest link in your system. So, if a hacker wants to get access to something, [with IoT integration], he doesn’t need to go up against the toughest walls. He can just break into the IoT-connected device.”
Organisations in old industries, she says, do not really recognise the severity of such threats. It doesn’t help that some security experts’ views have been seen as more alarmist than anything else.
“The truth is that there are very weak connections between these two groups of people because they can’t find a common language. So maybe, there should be platforms for the IT security experts to give their thoughts on what the problems are, and together [with the entrepreneurs], think over what should be done. My recommendation at this point is not to rush into IoT until we solve basic problems with its security,” she stresses.
It is hard to imagine anything worrying this cool and collected businesswoman who was instrumental in driving Kaspersky Lab’s double-digit earnings growth and turning it into a multi-million dollar company. She followed up that feat by turning loss-making InfoWatch, which was carved out from Kaspersky Lab after she exited the latter, into a profitable global business with an annual revenue of US$12 million by 2015, with offices in Russia, Germany, Belarus and now, Malaysia.
Kaspersky’s entrepreneurial feats have won her many accolades. She was named the third most influential business woman in Russia by Kompaniya magazine in 2010, and more recently, EY’s 2016 Russian Entrepreneur of the Year, which brought her to Monte Carlo, Monaco, for the grand EY World Entrepreneur of the Year race.
Despite the opportunity an attack via IoT may present to cybersecurity companies, she is more concerned about the threat it poses for now. “I see it more like a threat than an opportunity at this moment because it’s very difficult to catch up with these [IoT] systems. It’s economically unprofitable. Another day, another start-up appears, which will bring another type of IoT system. It’s impossible.”
Incidentally, the EY forum, held in conjunction with this year’s World Entrepreneur of the World award, was themed: “Could uncertainty be your best opportunity for growth?” The irony was not lost on her.
“You have to understand that I’ve worked for security for 23 years dealing with things like hackers, viruses, data leaks. All negative stuff. Therefore, I’m careful about the technology and the future, because I’m on that side. Of course, it doesn’t mean everything is gloomy. It only means that’s what I see and what I can share.
“On the future of InfoWatch, I still think we are growing good in Russia and we’re in the Middle East and now we’re going into Malaysia. Although we can’t do much with IoT [at the moment], there are many other problems we can help solve, like data leak and DDoS attacks. [So] don’t take me wrong. There are definitely opportunities for growth. I’m just in the business that watches out for the negative things that happens,” she adds.
Save by subscribing to us for your print and/or digital copy.
P/S: The Edge is also available on Apple's AppStore and Androids' Google Play.