India needs to worry about terror groups attacking critical infrastructure such as power plants, telecom and banking systems, saysEugene Kaspersky, founder of the world’s biggest private cybersecurity firm. Excerpts
Is India particularly vulnerable or a target for cyberattacks, especially from adversarial neighbours such as China and Pakistan?
India is one of the most important countries from a cybersecurity aspect because of its large population, Internet literacy, and as a growing economy. I hope and believe we will never have an inter-state cyberwar, simply because all nations are equally vulnerable. Cyberweapons are like a nuclear weapon now, a deterrent. But I am worried about cyberterrorism. There are many groups that are responsible to no one and they are the worst case scenario for us.
In 2015, you investigated the Bangladesh Central bank cyberheist, which nearly robbed the country of a billion dollars, which you had traced to the North Korea-based cybercriminal Lazarus group. Have you seen any traces of that group targeting India banks?
There are many indicators that the Bangladesh attack was connected to Lazarus, and that it is based in North Korea. But we don’t really have hard data as that is the nature of cyberinvestigations. But there are many indicators that groups like Lazarus and attacks like WannaCry of 2016 could have the same source-code, which could have been shared.
What should Indian companies and the government be most worried about?
Like every other country, securing critical infrastructure is most important: power plants, power grids, water supplies and transportation. We work regularly with the Indian government and signed an MoU with the CERT (Computer Emergency Response Team) last year. We exchange information about the latest threats, and were able to share information about the last WannaCry attack in real time.
There have been concerns that with the push for a more “Digital India” without enough cybersecurity literacy, Indians will face more hacking especially financial attacks. Are those concerns valid?
Unfortunately they are. It is not possible to stop innovation, and not possible to stop countries like India from growing and improving lives through Internet, smart cities and other projects. But if these are done in non-secure ways, they will become targets.
Cybersecurity must be incorporated in projects here right at the beginning, not at the end, or you will have a weak foundation that is vulnerable to cyberattacks. Every 40 seconds, a computer connected to the Internet is hacked. Today, we see 300,000 new malicious applications or file every day, and malware, that can sabotage your systems have already cost the world 430 billion dollars.
In India, there is a debate over electronic voting machines. Do you think they can be hacked?
We can’t say as we have not looked at Indian EVMs specifically.
But if a machine is connected to a network or the Internet, then yes, it is possible to hack the machine. This is why we suggest strict security audits right at the first stage, where governments want to use e-systems.
You are a Russian company, but Russia also has this reputation in the U.S. and Europe for conducting cyberattacks, subverting the election process … how do you respond to that?
The reality is that much of this is media hype and hackers exist in every part of the world. I think all countries should now agree to an international convention against state-sponsored cyberhacking. Organisations like the UN, BRICS, EU, and global powers must recognise that by damaging each other’s cyberspace, all states are making themselves vulnerable.
