Kaspersky's exploit-proof OS leaves security experts skeptical

Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to "save the world" with an exploit-proof operating system.

In a blog post this week quickly picked up by news outlets around the world, Kaspersky confirmed rumors that Kaspersky Lab is "developing a secure operating system for protecting ... industrial control systems used in industry/infrastructure."

Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a "digital Pearl Harbor" or "digital 9/11" from hostile nation states like Iran, this sounds like the impossible dream come true -- the cyber version of a Star Wars force field.

No need for updates or patches. No need for antivirus software. No need to hire an expensive security firm to detect millions of malicious attacks aimed at public and private critical infrastructure. No need to push contentious cybersecurity legislation through Congress, trying to balance privacy concerns with the need for information sharing between the private and public sectors.

Just set it and forget it.

As Neil McAllister, writing in The Register, put it, "The new OS aims to create a fully secure operating environment into which existing [industrial control systems] software can be installed, where it can run with the assurance that any defects in its code cannot be exploited by outside programs."

It is possible, Kaspersky wrote, because it will not be something for the masses, but, "highly tailored, developed for solving a specific narrow task, and not intended for playing 'Half-Life' on, editing your vacation videos, or blathering on social media."

But on this side of that world in need of saving, the enthusiasm is somewhat tempered, even though security experts agree that a bullet-proof OS for industrial systems would be a very good thing, and Kaspersky is among those who could make one.


Gary McGraw, CTO of Cigital, a long-time advocate of "building security in" rather than "managing risk," said he believes "the philosophy behind what Kaspersky is doing is right." But he said even though the OS would be very narrowly focused on the operation of control systems that need to be "on all the time," he doubts that Kaspersky Lab will have anything on the market soon. "A lot of it is hype," he said.

There's also the question of source. "The real question is, do you trust the people who built your system? The answer had better be yes," he added.

And that is the bigger problem here: Kaspersky, by his own account, wants to change the world as well as save it, and not in ways that appeal to Western thinking and U.S. interests. Noah Shachtman, in a lengthy profile for Wired.com, noted that Kaspersky doesn't like the current level of Internet freedom. He wants it partitioned, with digital "passports" required for access to certain areas and activities. He advocates government monitoring and regulation of social networking sites.

"Freedom is good," Kaspersky told Shachtman. "But the bad guys -- they can abuse this freedom to manipulate public opinion."

The "bad guys" include anyone who wants to protest against the government.

Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin.

Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role) and, as Shachtman notes, he has a "deep and ongoing relationship with Russia's Federal Security Service, or FSB," the successor to the KGB and the agency that operates the Russian government's electronic surveillance network.

Kaspersky has assisted the FSB in investigations, and the FSB played a major role in recovering his son, Ivan, who was kidnapped in April 2011.

Beyond that, when it comes to taking sides in cyber conflict, Kaspersky has not been a U.S. ally. Earlier this year, a team from Kaspersky Lab exposed what they called an entire toolkit for online espionage in more than 417 computers, most in the Middle East and nearly half in Iran. They named one of the modules, which was used to infect other computers, Flame. And then Kaspersky went public with it, pointing at the U.S. government as the source.

"On June 19, The Washington Post was able to confirm that Flame was yet another part of [America's] shadow war against Iran. Kaspersky had outed -- and in effect killed -- it," Shachtman wrote.

So, should anyone trust an OS designed by a Russian with that kind of background and track record? As Gary McGraw puts it, "Millions of people use his antivirus products, but that's just for consumers -- it's not control-system software."

Kevin McAleavey, cofounder and chief architect of the KNOS Project, who said he is a long-time acquaintance of Kaspersky, believes that while Kaspersky is a loyal citizen of his country, "he's always demonstrated to me that as a person, he's a 'white knight' and genuinely believes that malware that can cause harm to innocent citizens through attacks on civilian infrastructure is an issue that has no national boundaries."

But McAleavey agrees that given Kaspersky's exposure of U.S. cyber espionage, trust will be an issue. "I can't see any Western nations wanting to trust his OS regardless of whether he publishes all of the source and lets you compile it yourself or not," he said.

"His protection of Iran was a move that won't be excused by our side, given that under Putin, their side exists once again, and the two are likely incompatible," McAleavey said.

There is no dispute that there is a need for this kind of an OS. Security experts agree that, as McAleavey puts it, "Security was never considered in many of these ancient designs. These [industrial control systems] are the most vulnerable of any systems as far as malware goes, simply because they're not maintained or upgraded."

And they are not maintained largely because, as Kaspersky notes, it's all about up-time. "The highest priority for them is maintaining constant operation come hell or high water," he said. "Uninterrupted continuity of production is of paramount importance at any industrial object in the world; security is relegated to second place."

However, McAleavey said the U.S. should be able to build a secure OS in the U.S. His own firm has developed one, he said, building off of Berkeley Software Distribution (BSD), a Unix operating system derivative, but has so far been unable to get venture capital either from the private or public sector to bring it to market.

"We've already done the work, if we could just get the funding," he said.

"While nobody will believe that something can be near 100% safe, we've certainly proven to ourselves that we can get closer to it than anyone imagined. And I'm sure Kaspersky can as well," he said.
