When Eugene Kaspersky started Kaspersky Lab in 1997 to build computer antivirus technologies, it’s unlikely he could’ve predicted what 2015 would hold.
As the years have unfolded, the company has morphed into a multi-headed hydra of computer security, with offices in 200 countries around the world. Its technologies touch 300 million security-conscious users globally, and it’s made Kaspersky, the company’s chief executive, into a cybersecurity celebrity.
With the spotlight comes scrutiny—in the case of Kaspersky, that means accusations of being in bed with Russian spies.
In March, Bloomberg News accused Mr. Kaspersky and an increasing number of his staff of having ties to the Kremlin and the Russian intelligence community and military—hardly a flattering charge for someone ostensibly leading the way for safety in cyberspace. The Bloomberg report follows a sweeping 2012 Wired profile of Kaspersky that made similar claims of Kaspersky closeness with the Kremlin, not to mention a slew of lower-profile reports.
Some of the details are clear: Kaspersky graduated from the Institute of Cryptography, Telecommunications and Computer Science at FSB Academy, back when when the school was sponsored by the KGB. (FSB, the Federal Security Service, effectively replaced the KGB as Russia’s primary intelligence agency after the fall of the Soviet Union.) He went on to work for Soviet military intelligence. He reportedly maintains close friendships in the intelligence communities. And there is no question that Kaspersky Lab shares data with the FSB, at least to help fight cybercrime. Then again, American cybersecurity companies work with the U.S. government, too.
Kaspersky, for his part, has repeatedly denied any compromising political ties to his business, and he derides reports of his allegiance to Russia’s government as “sensationalist.” He writes:
There are many ways to make up something sensationalist in the media. One of the practical ways is to speculate and create conspiracy theories. Unfortunately, there’s a demand for such stories and they have a very good chance of making a splash.
So how can a global company with Russian roots play a part in a conspiracy theory? Well, this one is easy: there should be some devilish inner job of the Russian secret services (to produce the “I knew it!” effect). In many cases you can change the adjective “Russian” for any other to produce a similar effect. It’s a simple yet effective hands-on recipe for a sensationalist article. Exploiting paranoia is always a great tool for increasing readership.
If you use Kaspersky Lab antivirus software, which sends data back to the company for analysis for users who opt-in to do so, the potential ties to Russia’s government means your data may be shared with the FSB. (Kaspersky Lab maintains that your data is anonymous.)
While the nature of Kaspersky’s relationship with the Kremlin remains, at the very least, a matter of contention, his company’s influence is anything but hazy. On top of their successful antivirus business, Kaspersky Lab researchers have discovered key details about the now-infamous Stuxnet virus, which was deployed by the U.S. and Israel against Iran’s nuclear facilities. Kaspersky analysts later uncovered Flame, which the Washington Post found was another American-Israeli cyberweapon against Iran. All of this is on top of building a highly successful antivirus business.
Kaspersky continues to be a sharp, outspoken guy on social media about all order of topics, and he took the time to catch up with us via email, elaborating on thoughts about his company, his wealth, and the state of modern cybersecurity.
To many, you’re a very important name-brand guy. To others, you’re effectively anonymous. How do you describe what you and your company do to someone who’s never heard of you?
Eugene Kaspersky: The short answer is that our business is saving the world from computer villains. The long one is like this: digital technologies have changed our world, but unfortunately they’ve brought along certain problems, too. Various bad guys are hacking computer systems and causing damage for private individuals, businesses, and even nations. Our role is to protect the cyber world from the threats posed by these bad guys.
Though you’ve debunked the accusations thrown at you several times, what do you say to those who insist that successful Russian business owners must have ties to the Kremlin?
I tell them that I see [no] such business owner—with no such ties—every day when I look in the mirror.
What branches of math and computer science should young students be focusing on today? What will be most important in the future?
“Our business is saving the world from computer villains.”
I’d say it’s not the branches that are important. What matters is the difficulty: the harder, the better. If you manage to handle the toughest challenges, it will train your brain so that less complex problems will be peanuts for you. For me, it was cryptography; studying it was tough, but it really helped me to structure my thinking.
What keeps you up at night when it comes to computer security?
My biggest fear is a cyberattack on physical infrastructure that could cause large-scale damage and even loss of life. We have computerized systems run by software controlling virtually everything—from elevators to street lights, from smart-fridges to blast furnaces and nuclear power plants. And any one of these systems can become a target. So far, we’ve heard of two attacks on physical industrial systems—the Stuxnet malware that allegedly damaged Iran’s nuclear centrifuges, and the hack that caused damage to a German steel mill last year. I hope we don’t hear of another attack of the kind anytime soon, but the probability of one eventually happening is nevertheless quite high.
You attitude towards your fortune seems to boil down to, “I have enough and that’s fine.” Why does this seem to be so uncommon among the world’s wealthy?
I don’t think there is anything special about my attitude. There are many successful businesspeople who are not overwhelmed by the money they have, who are involved in various charity projects, and who have decided not to leave their fortune to their children, like Bill Gates and others.
How would you characterize the state of global cybersecurity today?
It’s quite bad. We see a rising tide of sophisticated cyber-espionage that is apparently government-backed. We also see how complex hacking tools that were previously considered government-grade are being used by cybercriminals to steal money, like in the recent Carbanak case. We see how traditional offline organized crime is using software engineers to facilitate their criminal activities, like in the case of the Antwerp sea port hacking.
“Generally speaking, threats and risks in IT are very significant as they are and don’t need exaggerating.”
At the government level around the world, there’s a growing understanding of the risks; however, at the same time, our exposure to and dependence on computer systems continues to grow. The majority of such systems are vulnerable to hacking. More and more businesses and organizations are successfully attacked. And as the Sony Pictures hacking story shows, it’s possible to cause very significant economic damage even by attacking the relatively benign entertainment industry.
What do you believe is the most pressing problem facing world governments with regards to cybersecurity?
There are many pressing problems in cybersecurity, but the worst threat is a potential attack on critical infrastructure. I’m afraid that malware technologies are proliferating and the probability that terrorist groups may get access to cyberweapons—malware designed to destroy physical systems—cannot be ignored.
What likelihood do you think there is of cyberattacks that could result in loss of life or major property damage?
Last year German security services reported that a malware attack caused significant physical damage to a furnace at a steel mill they didn’t disclose. So such attacks are happening already. I’m afraid that the likelihood of an attack that would lead to loss of life is also quite high.
Some cybersecurity firms have been accused of exaggerating threats to increase their bottom lines. What pressures are there in the industry to accurately portray the cyberthreats?
There have been instances when security companies tried to frighten consumers in order to boost their profits, but generally speaking threats and risks in IT are very significant as they are and don’t need exaggerating. I think that in the vast majority of cases security companies are just reporting what they see happening.
How important is it for the general public to understand the intricacies of cybersecurity as our lives become increasingly reliant on digital devices that are often vulnerable?
It’s always a good thing to know the risks and to know the basic rules of cyberhygiene (keep all your software up to date, use a good Internet security suite, do not open suspicious attachments or click on suspicious links, etc.). But I don’t think an ordinary computer user need be a specialist in cybersecurity. If you have a car, you don’t need to know exactly how all its systems work; you can take it to a garage for servicing or fixing if something isn’t working. If a doctor or a scientist or a bank clerk wants to learn about how to maintain a computer network, he or she can do that as a hobby, but it’s hardly a requirement for an ordinary user.
Some have said that anything can be hacked. Is that true, and what are your thoughts on the creation of “unhackable” technologies?
Unfortunately, it is virtually impossible to create absolutely impenetrable defenses—in both the physical and cyber world. For example, in April of this year, a group of thieves managed to break into a protected vault in London and steal jewelry reportedly worth millions of dollars. Though vaults are a very old technology, they’re still very reliable in protecting valuables; however, such heists do still occur now and again.
In the computer world the quality of protection makes a very significant difference. The digital technologies we have today are in the early stages of their development as the IT revolution continues, and so most of them are inherently vulnerable. I think that, in the future, computer companies will develop hardware and software systems based on architecture and underlying principles that will make them much more secure than today. But that will require time—probably a lot.
Close encounters of the third kind pic.twitter.com/PAo5Y5LBhc— Eugene Kaspersky (@e_kaspersky) May 11, 2015
Photo via Kaspersky Labs