Eugene Kaspersky, Founder of Kaspersky Lab Exclusive Interview
Date: 31 January 2017
Cyber Management Alliance's CEO, Amar SIngh, exclusivily interviews Eugene Kaspersky, Founder of Kaspersky Lab.
Amar Singh: Welcome to Insights with Cyber Leaders. I'm really excited to be joined by Eugene Kaspersky, founder of Kaspersky Lab., an internationally well-known cyber leader and traveller.
Eugene Kaspersky: Okay. Yeah.
Amar Singh: Thank you, Eugene Kaspersky. Thank you for joining me.
Eugene Kaspersky: My pleasure.
Amar Singh: There's so much I want to ask but let's start with about Eugene. You're amongst the most well-known cyber leaders today, on the planet, and you are the founder of a privately held billion dollar company. In your own words, how have you done this?
Eugene Kaspersky: Ah, well, that was a long journey. It started with…. like a hobby. I was collecting computer viruses because I just like that; like many people collect, I don't know, butterflies, the post stamps in the past.
Amar Singh: You were collecting computer viruses.
Eugene Kaspersky: I was; for a couple of years I was just collecting computer viruses because I was very curious, what's that? And it wasn't just collecting; I also reverse engineered. I made the short descriptions of the algorithms...
Amar Singh: Okay.
Eugene Kaspersky: ...the computer viruses, they used to spread and to me that was just very interesting to understand the nature of this artificial cyber life.
Amar Singh: Wow.
Eugene Kaspersky: At that time, computer viruses, they were not criminal. They were just teenagers, the students, the young scientists to design the artificial, self-replicating algorithms and that was just a research for them, and that was a research for me. So, that was very beginning of the story and my hobby has slowly turned to the product, the technologies, then to business. They are to really begin in the early 90's; that wasn’t serious at all so their income was almost zero.
Amar Singh: Right.
Eugene Kaspersky: But year by year we made our technologies better and better, and to be recognised by all companies. We distributed security software. I was one of the very promising companies and year by year we were building our business, that part of the network, new products, new technologies. So, that was a very long journey. So I started… the first computer virus which I had in my hands, that was in 1989.
Amar Singh: 1989...
Eugene Kaspersky: 27 years ago.
Amar Singh: I was born, I was very young...! I mean, so, you are technical, you still are; but you're also business focused, you grew this company yourself. That's quite… is that quite easy? What are the challenges I mean...?
Eugene Kaspersky: There are… From time to time I asked, "Is it easy to you to travel so much, easy to manage such a big company?” The answer is very simple. For the first five years it was very, very difficult. But then I just get used to it…
Amar Singh: Right, yeah.
Eugene Kaspersky: And so, well to start that, that was really complicated but year by year, the system, the company just was designed in such a way that it performs better and better and it was… It's not really difficult to manage the company because I made it in such a way that the company manages itself. So there are company managers, senior managers, middle managers, they have a lot of freedom and well, responsibilities so they do their own decisions. And the best, from time to time when I have a new idea and I call my engineers, I call my manager and explain to them, ok, so I have a new idea. So, if we adopt other technologies for this needs or we start this kind of research, from time to time they answer, "Hey, Eugene, wait for two or three months, we already working with that." "Good, I like it."
Amar Singh: Excellent, excellent, excellent. And that comes back to this thing you've made… you're super successful. You've made the money. Like I said, you are a true cyber leader. But you are still very involved in the technical detail also. How do you… do you feel that's one of the reasons for the continued success? Or what are your thoughts on...?
Eugene Kaspersky: Unfortunately, I'm not so much involved in the engineering right now so, I don't write the code.
Amar Singh: You don't write any more code.
Eugene Kaspersky: Well, two reasons because, well, I don't have time for that and secondly, young engineers they do it much better, I did. So, they are more smart and… but still I need to be in touch with the engineers because the new engineers, new technologies to understand, what's that? And to me it's very important to understand and recognise not only in the new opportunities, in the new technologies, new products, but also to understand the dark side of the Internet, to understand their motivations on the bad guys, the technologies which are bad guys are using because we can't live in the world which is disconnected from the bad guys, but we are fighting with them. So, we need to understand our immanence. We need to predict the new technologies, new vectors on attacks, to be ready to protect our customers. So, I have to be close to the technologies from both the good side and the dark side.
Amar Singh: Interesting.
Eugene Kaspersky: And so that’s why I spend quite a lot of time talking to my engineers, meeting with them and discussing the new ideas with the technologies, new innovations, but I like it. It's a very, very interesting life.
Amar Singh: That is really fascinating because these days, I'm sure you know, it's not common to say, sadly, the founder and the company are separate and not like Kaspersky, but many other companies…
Eugene Kaspersky: Yes, I know…
Amar Singh: The founder has gone and the company is becoming just a separate and novel company.
Eugene Kaspersky: It's still not my case so, it still…
Amar Singh: Excellent.
Eugene Kaspersky: …but my company is life.
Amar Singh: Excellent. That is so good to hear, sir. In your journey, was there a particular moment or moments that you particularly remember to make it where you are?
Eugene Kaspersky: There are many. There were both successes, faults, surprises. I think the first success that I really remember was here in London in 2005 when we got the award - Security Computer Magazine, SC Magazine.
Amar Singh: SC Magazine.
Eugene Kaspersky: We got that award from them; it was our best anti-virus in 2005. It wasn't expected at all. We were not sponsors. We were not so well-known that time in UK but there was a big show and I was sitting in some table somewhere in the corner. I didn't expect that we'll have such award and then from the stage they said, "And the best anti-virus award goes to..." "Let's go." "What?"
Eugene Kaspersky: I was shocked.
Amar Singh: Excellent.
Eugene Kaspersky: That was the moment in my life I just still remember. There were faults with other new technologies as well. I wish I remember when we invested a lot in the new products but unfortunately we didn't complete them because of the technical issues so, we had to restart them to use different ideas. So, they work hard days as well.
Amar Singh: Sure.
Eugene Kaspersky: And the surprises from the dark side of the Internet. Many of them didn't expect it. For example, we were talking about the attack on a physical infrastructure for years but we didn't talk about that to the public because we didn't want to open the Pandora box to teach the bad guys, but we were waiting for some kind of attack on the physical environment. And one day, I was almost ready for my summer vacation, one of my key engineers, the expert, he came to my office and said, "Hey, Eugene. Of course, you know what we are waiting for?" I said, "Yes.” He said, "It happened." That was the Stuxnet attack. Attack on the...
Amar Singh: Right.
Eugene Kaspersky: You know… attack on the nuclear facilities in Iran. So, that day changed my life as well because we were waiting for that.
Amar Singh: Sorry to interrupt you, sir. You're saying you already had seen something like this about to happen but you were not, you were waiting for that...
Eugene Kaspersky: Yeah.
Amar Singh: ...to...
Eugene Kaspersky: We were expecting that.
Amar Singh: You're expecting that something like this was going to happen?
Eugene Kaspersky: Yeah, exactly. So, we see the evolution of the cyber threats.
Amar Singh: Yeah.
Eugene Kaspersky: And we see the different sponsored attacks there, the technologies. And for us, in some cases, it's quite obvious that the next steps in this evolution will go this, this and this direction. In many cases, we're able to predict what's next. It’s not just me, my team of my experts discussing these new ideas. So, as a security guys, we have to see not only about the innovations in our products and technologies to protect our customers, but also we have to think about possible scenarios from the dark side, from cyber criminals or state- sponsored attacks, the ways they're going to go and in many cases we were able to predict it.
Amar Singh: Eugene, I think you touched on it a little but you have made your success, you made your money but you still fully involved and you still want to work.
Eugene Kaspersky: Yes.
Amar Singh: Is there a particular reason for that? What drives you every day? What makes you get up every day?
Eugene Kaspersky: It's so interesting because the life in the cyber security space is not the same all the time, because we're living in the world which has rapidly changed. There are new technologies, well, good technologies, services, products, and that changed the landscape of the cybercrime because they adopt the attacks according to the new reality.
Amar Singh: Yeah.
Eugene Kaspersky: They are looking for their new victims and the new technologies and new ideas how to attack, new cyber vault and it makes us to be… but it's not boring. It makes us to be more innovative, creative and to understand what's going on and to adopt our technologies to the new realities and this life is very interesting, and this life is maybe even more interesting than the life of other IT companies because the IT companies they typically have their technologies, customers and competitors. That's it. New ideas, innovations, that's it. In our world, plus to that, we also have criminals, bad guys, cyber police, so, we're living in a more complicated world. We also have technologies, competitors and customers; last to that we have their detective stories and its IT vault which is connected to their police investigations which is frightening because of criminals. So, we don't need to read detective stories. We live in detective stories and that's why it makes me to stay in the cyber security because it's a very, very, very interesting life. I like it and I think, well, there have been many times they were would ask, "Hey, Eugene. Like you said, you have enough money just to retire and well, enjoy your life." I said again, "I enjoy my life right now. Why do I need to change?"
Amar Singh: Excellent. So, you know, we discussed your Kaspersky Labs has been on the forefront of discovering Carbanak, Stuxnet and other really bad malware. What are your thoughts on can it get much worse? What do you see in, let’s say, five years, ten years, what are your thoughts? Can you share that?
Eugene Kaspersky: Actually, what we see right now is the fact that cybercrime in the past there were… we call it primitive or mid-level complexity attacks. They attacked only individuals or small systems which were not really protected. Now we see some of criminal gangs, cybercriminal gangs. We design a very professional technologies and they manage their operations to attack variable protected networks, like Carbanak which you had just mentioned. And so, these guys, they able to attack even bank networks. And it sounds like a consumer attack. A consumer attack is very simple. You click the wrong link, bam, you're infected. That's it. And these, over the very well protected network, they have to open to crack these networks layer by layer so it takes weeks, or maybe months, for these guys to get from one company of the network to another company network and as a result, they manage the whole bank activities. So, they increase the bank accounts, they transport money from the bank to bank, from account to account, they release cash from ATM's, street ATM's.
Amar Singh: Yeah.
Eugene Kaspersky: So, they pay salaries to their fake employees and the fake companies; so, they do many things from inside of the bank and these operations are very professional. So, that's the first thing. They are criminal gangs which are able to design very well, very successful professional attacks. The second bad news is that there is traditional crime which wasn't connected to computer systems.
Amar Singh: Yeah.
Eugene Kaspersky: They recognised power offside and now they design attacks on industrial systems.
Amar Singh: Okay.
Eugene Kaspersky: So, the traditional cybercrime...
Amar Singh: Yes.
Eugene Kaspersky: ...they're still cyber.
Amar Singh: Okay.
Eugene Kaspersky: It's still digital.
Amar Singh: Digital, yeah.
Eugene Kaspersky: Traditional crime, they’re steal physical stuff.
Amar Singh: Yeah.
Eugene Kaspersky: The goods, the production.
Amar Singh: Yes.
Eugene Kaspersky: Production, they steal some from the production lines, they attack the transportation to deliver stolen...
Amar Singh: Goods, yeah.
Eugene Kaspersky: ...deliver stolen goods. For example, the volume of petrol depends on the temperature.
Amar Singh: Okay.
Eugene Kaspersky: The more temperature, the more volume. Less temperature, the less volume. So, they hack, SCADA system, the industrial network...
Amar Singh: Yeah.
Eugene Kaspersky: ...at the oil refinery and when they fill the tank with the petrol, they decrease the temperature so they have extra petrol in the tank...
Amar Singh: Right.
Eugene Kaspersky: ...by cracking they decrease the temperature; not physically.
Amar Singh: Yeah.
Eugene Kaspersky: Because the temperature runs in the virtual, in a computer system.
Amar Singh: System, yeah.
Eugene Kaspersky: And then, when they transport this petrol to the destination point, they release it according to the real temperature.
Amar Singh: Yeah.
Eugene Kaspersky: And they have two to three per cent extra. When they, for example, then the loads grain through cars or trains...
Amar Singh: Yeah.
Eugene Kaspersky: They check the weight and they report different weight by hacking computer system. So technically, they steal grain. There was attack on anti-virus at seaport by Latin American drug cartels. So, they transport cocaine...
Amar Singh: Yeah.
Eugene Kaspersky: ...to Europe using the sea containers...
Amar Singh: Okay.
Eugene Kaspersky: ...and they transport it to their destination ports and they are facing the budget control. So, they hacked the computer system which manages the unloading process and they were unloading containers with this cocaine to the safe location they could access to.
Amar Singh: Without the people knowing?
Eugene Kaspersky: Without people knowing that. So, we see more and more traditional crime, traditional mafia, to abduct computer systems, to do the same crime they did in the past but manually, physically.
Amar Singh: Correct.
Eugene Kaspersky: Now they'll do it in the cyberspace.
Amar Singh: cyberspace.
Eugene Kaspersky: And this is very, very scary because the next step in cyber evolution which I'm really afraid of is cyber terrorism. So now, in the cyberspace we have professional cyber criminals which are able to attack very well protected networks. We have traditional crime which attacks industrial systems. What's mixed? If they mix the cyber to attack critical infrastructure and if the traditional terrorists join the game employing cyber criminals to abduct critical infrastructure, so, I'm afraid about this thought scenario. So, the reality is very professional cybercrime, traditional crime, crime into the cyberspace and I expect traditional terrorist to come to the same game. This is worst of the worst and that's really very, very scary scenario.
Amar Singh: Wow. So, I guess the question comes into a great segway into the CISO, Chief Information Security Officer, CEO of those companies, of people looking at this interview, what do they do? How do they start to…? How do they start to plan to protect themselves and respond?
Eugene Kaspersky: It's a very good question because there are many enterprises which depend on cyber, most of them they do. The enterprises which process the critical information; the enterprises which manage infrastructure and critical infrastructure; telecommunication company. Actually most of them, maybe all of them, they are vulnerable and unfortunately there’s scenarios, very possible scenarios, of the cyber sabotage attacks. It's not just criminal attack to steal something but it attacks to destroy or paralyse the enterprise. And so, this is very difficult question, how to find a way? What to do? How to design the systems in the most secure way? I think that the right way is to start with a security audit. Check your system; recognise the most critical parts, critical components in your enterprise.
Amar Singh: Yeah.
Eugene Kaspersky: Design the worst case scenarios. Both can happen; even the bad guys, professional bad guys, have accessed to very deep internals of your network. What can happen with your industrial network was your physical infrastructure, with your telecommunication. Design the worst case scenarios if you're under their… the sabotage attack or terrorist attack. What can happen? So, after that, when you understand the problem, when you see these worst case scenarios...
Amar Singh: Yeah.
Eugene Kaspersky: ...that's time to design a strategy. How to change your company, how to change your enterprise IT systems, the office network, the industrial network, how to make them… how to design them in the more secure way and that's quite a long process. So, actually, it's not possible just to download the product which guarantees their 100 per cent security; it’s not possible. It's a project because when we recognise that the system is vulnerable and we see the design of the system. We have to build the strategy which is unique for every enterprise and to implement the strategy. It's also different for every enterprise so it's not a product; it's a project and even more it's not project, it's a process because when it's done...
Amar Singh: Yeah.
Eugene Kaspersky: ...you have to do it again.
Amar Singh: Again.
Eugene Kaspersky: For some period of time you have to get to the security OG, penetration test, employee's training, design and adopting strategies for their new reality and implementing that. That's a process. I'm sure that's a lot of work to do and not easy, and unfortunately there are not enough of engineers able to do that. Is one of the problems because we see that they have lot of critical infrastructures around us; the critical data is around us which we depend on but it's vulnerable, it can be very easy victim of the terrorist attacks or cyber sabotage attacks...
Amar Singh: Yeah.
Eugene Kaspersky: ...and there are not enough of engineers to redesign it in the most secure way.
Amar Singh: Eugene, is cyber peace ever possible?
Eugene Kaspersky: I pray it's possible. I hope we can do it. What's going on? The governments in the past, they were not really aware about cyber terrorism or cyber sabotage, or cyber Armageddon; in the past, not anymore. Now I see that there are government representatives. They're speaking more and more about their cyber safety to cyber security and they are speaking in the right way, as far as I see. So, the States, they understood that how much do we depend on cyber, how vulnerable the cyber is and they are, I think, they are very close to the moment when they recognise that they have to work together because there is no national cyber problem, because the cyber is everywhere the same. The cyber space doesn't have borders. So, if anything wrong happens in one country it will be replicated to other countries as well. So, we are in the same boat, all of us. So, I see that nations, they're slowly going to the same way of understanding and there are meetings between United States and China, United States and Russia. So, they're slowly these relations that they started to talk to each other. I think, I hope, that it will come to some kind of international treaty against cyber weapons and against cyber terrorism. So, the nations will work together to make the cyber weapons and the terrorist that… cyber weapons to be forbidden and to fight altogether with cyber terrorism, the future cyber terrorism. I hope that the cyber peace is possible and I hope we will see it better sooner than later.
Amar Singh: Eugene, thank you so much for joining me today. Thank you.
Eugene Kaspersky: My pleasure.
Amar Singh: Alright. Thank you.
Eugene Kaspersky: Yes, thank you.
