Kaspersky's exploit-proof OS leaves security experts skeptical

Eugene Kaspersky, the $800-million Russian cybersecurity tycoon, is, by his own account, out to "save the world" with an exploit-proof operating system.

In a blog post this week quickly picked up by news outlets around the world, Kaspersky confirmed rumors that Kaspersky Lab is "developing a secure operating system for protecting ... industrial control systems used in industry/infrastructure."

Given the recent declarations from U.S. Secretary of Defense Leon Panetta and others that the nation is facing a "digital Pearl Harbor" or "digital 9/11" from hostile nation states like Iran, this sounds like the impossible dream come true -- the cyber version of a Star Wars force field.

No need for updates or patches. No need for antivirus software. No need to hire an expensive security firm to detect millions of malicious attacks aimed at public and private critical infrastructure. No need to push contentious cybersecurity legislation through Congress, trying to balance privacy concerns with the need for information sharing between the private and public sectors.

Just set it and forget it.

As Neil McAllister, writing in The Register, put it, "The new OS aims to create a fully secure operating environment into which existing [industrial control systems] software can be installed, where it can run with the assurance that any defects in its code cannot be exploited by outside programs."

It is possible, Kaspersky wrote, because it will not be something for the masses, but, "highly tailored, developed for solving a specific narrow task, and not intended for playing 'Half-Life' on, editing your vacation videos, or blathering on social media."

But on this side of that world in need of saving, the enthusiasm is somewhat tempered, even though security experts agree that a bullet-proof OS for industrial systems would be a very good thing, and Kaspersky is among those who could make one.


Gary McGraw, CTO of Cigital, a long-time advocate of "building security in" rather than "managing risk," said he believes "the philosophy behind what Kaspersky is doing is right." But he said that even though the OS would be very narrowly focused on the operation of control systems that need to be "on all the time," he doubts that Kaspersky Lab will have anything on the market soon. "A lot of it is hype," he said.

There's also the question of source. "The real question is, do you trust the people who built your system? The answer had better be yes," he added.

And that is the bigger problem here: Kaspersky, by his own account, wants to change the world as well as save it, and not in ways that appeal to Western thinking and U.S. interests. Noah Shachtman, in a lengthy profile for Wired.com, noted that Kaspersky doesn't like the current level of Internet freedom. He wants it partitioned, with digital "passports" required for access to certain areas and activities. He advocates government monitoring and regulation of social networking sites.

"Freedom is good," Kaspersky told Shachtman. "But the bad guys -- they can abuse this freedom to manipulate public opinion."

The "bad guys" include anyone who wants to protest against the government.

Kaspersky's products are among the top ranked worldwide, are used by an estimated 300 million people and are embraced by U.S. companies like Microsoft, Cisco and Juniper Networks. But while he considers himself at some level a citizen of the world, he has close ties to Russian intelligence and Vladimir Putin.

Part of his education and training was sponsored by the KGB, he is a past Soviet intelligence officer (some suspect he has not completely retired from that role), and, as Shachtman notes, he has a "deep and ongoing relationship with Russia's Federal Security Service, or FSB," the successor to the KGB and the agency that operates the Russian government's electronic surveillance network.

Kaspersky has assisted the FSB in investigations, and the FSB played a major role in recovering his son, Ivan, who was kidnapped in April 2011.

Beyond that, when it comes to taking sides in cyber conflict, Kaspersky has not been a U.S. ally. Earlier this year, a team from Kaspersky Lab exposed what they called an entire toolkit for online espionage in more than 417 computers, most in the Middle East and nearly half in Iran. They named one of the modules, which was used to infect other computers, Flame. And then Kaspersky went public with it, pointing at the U.S. government as the source.

"On June 19, The Washington Post was able to confirm that Flame was yet another part of [America's] shadow war against Iran. Kaspersky had outed -- and in effect killed -- it," Shachtman wrote.

So, should anyone trust an OS designed by a Russian with that kind of background and track record? As Gary McGraw puts it, "Millions of people use his antivirus products, but that's just for consumers -- it's not control-system software."

Kevin McAleavey, cofounder and chief architect of the KNOS Project, who said he is a long-time acquaintance of Kaspersky, believes that while Kaspersky is a loyal citizen of his country, "he's always demonstrated to me that as a person, he's a 'white knight' and genuinely believes that malware that can cause harm to innocent citizens through attacks on civilian infrastructure is an issue that has no national boundaries."

But McAleavey agrees that given Kaspersky's exposure of U.S. cyber espionage, trust will be an issue. "I can't see any Western nations wanting to trust his OS regardless of whether he publishes all of the source and lets you compile it yourself or not," he said.

"His protection of Iran was a move that won't be excused by our side, given that under Putin, their side exists once again, and the two are likely incompatible," McAleavey said.

There is no dispute that there is a need for this kind of an OS. Security experts agree that, as McAleavey puts it, "Security was never considered in many of these ancient designs. These [industrial control systems] are the most vulnerable of any systems as far as malware goes, simply because they're not maintained or upgraded."

And they are not maintained largely because, as Kaspersky notes, it's all about up-time. "The highest priority for them is maintaining constant operation come hell or high water," he said. "Uninterrupted continuity of production is of paramount importance at any industrial object in the world; security is relegated to second place."

However, McAleavey said the U.S. should be able to build a secure OS of its own. His own firm has developed one, he said, building off Berkeley Software Distribution (BSD), a Unix operating system derivative, but has so far been unable to get venture capital from either the private or public sector to bring it to market.

"We've already done the work, if we could just get the funding," he said.

"While nobody will believe that something can be near 100% safe, we've certainly proven to ourselves that we can get closer to it than anyone imagined. And I'm sure Kaspersky can as well," he said.
