News 18 December 2023

Actors’ views: Eugene Kaspersky

Founder and CEO, Kaspersky

As part of its "Rencontres OFF", which are off-the-record meetings with leading institutional and private actors involved in the digital transformation of society, Renaissance Numérique had the pleasure of welcoming Eugene Kaspersky, CEO and Founder of Kaspersky, the multinational cybersecurity company. Following this private meeting with our members and guests, we talked about today's and tomorrow's most pressing challenges in terms of cybersecurity: cyber-immunity, security of operating systems, open source systems vs. black boxes, cybersecurity awareness of the general public, regulatory frameworks, international cooperation… Discover his answers to our questions!

Your company has developed the concept of “Cyber Immunity”. Can you tell us more about it and how it differs from cybersecurity?

Well, the reality is that today, no company, organisation, or even critical infrastructure operator should consider themselves safe from cyberattacks if any of its equipment is connected to the internet – as it’s all vulnerable.

And this trend highlights the need to provide comprehensive protection of this ecosystem from a wide range of cyber threats. This is why we believe that Cyber Immunity – i.e. the inclusion of security mechanisms from the very earliest (design) stages of development of a device, and the building of an ecosystem where all connected elements are protected, is essential.

What would you say are the main benefits of this novel approach, for users? 

Cyber Immunity is an IT system’s inherent ability to face cyber threats without any additional security tools. It is especially beneficial for the industrial and critical infrastructure sectors where IT systems are subject to higher cybersecurity, reliability, and predictability requirements, i.e. energy, transport infrastructure, manufacturing, smart city systems…

Most types of cyberattacks on a Cyber Immune system are ineffective and don’t affect its critical functions.

Cyber Immunity is the heart of KasperskyOS – our own cyber immune operating system which was created from scratch and is secure by design. Its architecture is based on the division of objects into many isolated modules. All interactions among them are controlled at the level of the microkernel and the internal security system: they allow only what was indicated at the stage of system development. Thus, even if a cybercriminal gains access to any of the components, they (the components) are not able to perform malicious actions and in any way affect the system’s operation.

How do you see this concept shaping the future of cybersecurity, particularly concerning the development of what you call “immune” applications for operating systems and IoT or “smart” devices? Can “immune” devices, apps or systems be smart?

A very good question! Of course, having absolute software security and having a wide range of convenient and user-friendly software features are opposing things. And it is a difficult job to find a balance in the middle between security, functionality, performance and other characteristics that are so important to the user of any system.

Back in 2018, to achieve this objective, we started with a small thing. It was a Cyber Immune IoT gateway built according to our methodology. We realised that very high guarantees can be easily provided in a relatively static system that doesn’t allow for significant expansion or configuration by the user. This product significantly reduced the risk of hacking by strictly separating activities into different security domains, and applying integrity control policies and secure design patterns.

The next challenge we faced was to create a Cyber Immune system with a graphical user interface, which required the product to have sufficient performance. Today you can see Centerm’s Cyber Immune thin clients running our firmware and the user does not have to worry that their experience has been compromised for the sake of high security guarantees.

"We are now building third-generation Cyber Immune systems that can be expanded with applications created by third-party developers. This is incredibly important – especially for our IoT gateway, which has to be able to work with many protocols. In this case, applications bring support for new protocols and filters. This is a small step toward the dynamism of Cyber Immune systems and their expansion with third-party functionality. Such applications run in highly restricted sandboxes – as is the case in modern mobile operating systems – but the operation of these sandboxes is ensured by default due to the architecture of KasperskyOS".

To support third-party developers, we’re creating our own sotfware development kit (SDK) and a trusted application store where these applications will be hosted.

The ability to launch third-party code is also important in other applications, such as our experimental development of a platform for mobile professional devices. These are complex devices – not nearly as static as the first Cyber Immune products. And today we can already see some promising results. This will pave the way for Cyber Immune devices with extensive smart functionality in the future.

In an increasingly fragmented world, where the notion of digital (or technological) sovereignty is omnipresent, how can Kaspersky contribute to fostering global cooperation to build a more secure cyberspace?

Indeed, in the increasingly fragmented world we are currently living in, building a more secure cyberspace is about more than just protecting devices or working on technical solutions. In fact, it is more about building a more stable, resilient and trusted cyber-community.

Moreover, it is necessary to pool the expertise of all cybersecurity stakeholders and collaborate across borders more than ever before. Information exchange and the sharing of threat-intelligence among governments, private actors, the cybersecurity community, industries and academia must be intensified and qualitatively improved.

"We invite the broader cybersecurity community and stakeholders to stay open to international collaboration projects, exchange information, and support each other in order to fight cybercriminals on a more holistic level".

How to make sure regulatory frameworks effectively balance innovation in cybersecurity while safeguarding user privacy?

In recent years governments have taken great strides in the field of protection of the privacy and data of its citizens, e.g. with laws concerning personal privacy, such as the General Data Protection Regulation (GDPR) at the European Union level, or the French Data Protection Act, etc.

While user privacy regulations are likely to continue to be a hot topic around the world for many more years, effectively balancing innovation in cybersecurity and personal data protection sometimes looks like a delicate task.

First and foremost, to achieve this – greater user privacy – it is crucial for various stakeholders to collaborate. I can not overemphasise to what extent the rules, risk levels, and levels of protection measures should be developed with input from a great many relevantly-experienced experts. Collectively addressing evolving threats helps in pooling resources, sharing insights; the exchange of expertise and knowledge between regulators, public and private sectors, academia, and industry fosters innovation and enhances a more robust response to cyber threats, while also taking care of safeguarding personal data.

On a separate note, I am quite convinced that despite measures put in place by regulators and companies alike, it’s essential for end-users to also take an active role in protecting the privacy of their own online interactions. Personal data protection is a shared responsibility. Only then can we ensure that the internet continues to be a valuable and safe resource for all.

We often hear that open-source software is more secure than proprietary software. What is your take on this?

The use of open-source software is a prevailing software development approach and one may consider that there are no downsides; i.e. if the source code can be seen – the bugs can be easily fixed. However, the reality is more complicated, and open-source software may come with its own risks. It may contain, for example, accidental or intentional vulnerabilities or malicious code.

As of the end of 2022, a special service launched by our experts to track open-source backdoors and vulnerabilities contained data on 3,000 vulnerable and malicious packets stored in popular repositories. Around 35% of exposed vulnerabilities are of high danger level, and another 10% are of critical danger level.

"The problem of trust in open-source can be especially critical for products with heightened security requirements, e.g. within the critical infrastructure sector. So in this case, some extra code validation and analysis effort is always a good idea. The Cyber Immunity approach aims to solve the problem of using code of unknown quality thanks to the principles of isolation and control of interactions implemented in KasperskyOS".

In your opinion, what are some of the best ways to acculturate people to the notion of cyber security/immunity? 

We see that the entire progressive world has turned its attention to the secure-by-design approach. This is an incredibly important trend that will allow humanity to achieve a more secure future.

It is necessary to bring together the best representatives of the industry to conduct joint research, and develop tools as well as recommendations and standards.

We started by involving students in secure development and teaching them the Cyber Immune approach, holding meetups and hackathons. We are also working on industry standards that rely on techniques inherent in Cyber Immune methodology and other secure-by-design approaches.

More on this subject