Interview with Eugene Kaspersky »Today it's also a battlefield«

Security was the main subject of yesterday's conference keynote from Eugene Kaspersky. Subsequently we had the opportunity to ask him a few additional questions. Why is it so difficult to make software secure?

What is the reason that security vulnerabilities are growing, despite all the efforts of making systems more secure?

Kaspersky: I can give several reasons. First, there’s a lack of market incentives to create secure products, particularly for consumers. Security is way too often not a top priority for software developers or hardware designers. In fact, development of products that are secure by design is slower and requires higher costs. Devices or services that are late to the market and are more expensive as compared to the competition predictably suffer in the market place.

Second, IT security is typically an afterthought in the process of designing a product. It is an issue with how IT risks are perceived and is linked to the fact that there’s simply a shortage of IT security expertise in the world. There are not enough qualified engineers and software developers that understand IT security well enough.
And third, modern software typically consists of millions of lines of code, and statistically there’s a significant quantity of bugs in it. Not all of them can be exploited, of course, but they do exist. Development of ‘safe-by-design’ computer code is tedious and time-consuming, but it still needs doing – on a global scale.

Making mistakes is an integral part of being human, with software developers being no exception. What makes you confident that this challenge can be won?

We’re living through a digital revolution. The Internet and various embedded systems have been with us for a relatively short period of time. Every innovation creates new risks and problems. History shows that ultimately these issues can be fixed. If we compare the IT ecosystem we have today with air transport, I would say it can be compared to its very early days. Progress in aircraft security over the last 100 years has been amazing. I think that software security will follow the same path – with software engineers gradually adopting practices of creating secure code, and designers creating new products with very high levels of embedded IT security. However, I’m afraid it’s not something that will happen soon.

You talked about the ‘Balkanization of the industry’. What do you mean by that? Please explain.

The Internet has become the massive information super-highway of today by interaction of myriads of private individuals and enterprises across national borders. Unfortunately, today it’s also a battlefield – all sorts of spy groups are stealing secrets from governments, militaries, academic institutions and hi-tech companies. This espionage activity and the development of cyberweapons create potential risks to our critical infrastructure. Governments have a duty to protect their respective national security. And they are tempted to impose ‘borders’ on the World Wide Web, to control what’s going on their territories. I’m afraid that eventually that may lead to the end of the Internet as we know it today – a massive borderless network. And I think that would be most regrettable, and that governments around the world have a duty to jointly prevent it.