Eugene Kaspersky, CEO of the Russian antivirus company Kaspersky Lab, admits it crossed his mind last year that he might die in a plane crash caused by a cyber attack. Kaspersky is a man of eclectic tastes and boyish humor; when we met in his office on the outskirts of Moscow, he was munching a snack of sweetened, freeze-dried whole baby crabs from Japan, and at one point he showed me a pair of men’s undergarments, bought on a Moscow street, that had been stamped “Protected by Kaspersky Anti-Virus.” But he grew quite serious when the subject turned to the days leading up to April 1, 2009.
That was the date a virulent computer worm called Conficker was expected to receive an update from its unknown creator–but nobody knew to what end. A tweak to Conficker’s code might cause the three million or so machines in its army of enslaved computers, called a botnet, to start attacking the servers of some company or government network, vomit out billions of pieces of spam, or just improve the worm’s own ability to propagate. “It’s like if you have a one million army of real soldiers. What can you do?” Kaspersky asked rhetorically. “Anything you want.” He let that sink in for a moment. “We were waiting for April 1–for something. I checked my travel schedule to make sure I didn’t have any flight. We had no idea about this functionality. Security officials were really nervous.” In the end? “Nothing happened. Whew! Whew!” Kaspersky cried out. He crossed himself, clasped his hands in a prayerlike pose, and gazed toward the ceiling.
The unknowns about Conficker in the spring of 2009 (the infection remains widespread but, so far, inactive) reflect larger unknowns about just how bad cyber security will get (see Briefing). The trends aren’t promising: tour Kaspersky’s labs–or those of any computer security company or research outpost–and you quickly learn that malware is tougher to detect, spam delivery faster, and attacks growing in number and financial impact (see the slideshow “The Rise in Global Cyber Threats”). Security experts and attackers are locked in a kind of arms race. In Kaspersky’s case, his engineers and cryptographers do everything from seeking faster automated virus-detection methods to trolling Russian-language hacker blogs for clues about what’s coming.
Ingenious solutions are multiplying, but the attacks are multiplying faster still. And this year’s revelations of China-based attacks against corporate and political targets, including Google and the Dalai Lama, suggest that sophisticated electronic espionage is expanding as well. “What we’ve been seeing, over the last decade or so, is that Moore’s Law is working more for the bad guys than the good guys,” says Stewart Baker, the former general counsel of the National Security Agency and a former policy chief at the U.S. Department of Homeland Security, referring to the prediction that integrated circuits will double in transistor capacity about every two years. “It’s really ‘Moore’s outlaws’ who are winning this fight. Code is more complex, and that means more opportunity to exploit the code. There is more money to be made in exploiting the code, and that means there are more and more sophisticated people looking to exploit vulnerabilities. If you look at things like malware found, or attacks, or the size of the haul people are pulling in, there is an exponential increase.”
As these low-grade conflicts continue, the threat of outright cyber war is rising, too. More than 100 nations have developed organizations for conducting cyber espionage, according to the FBI, and at least five nations–the United States, Russia, China, Israel, and France–are developing actual cyber weapons, according to a November 2009 report by the computer security company McAfee. (In May the U.S. Senate confirmed the director of the National Security Agency, General Keith Alexander, as head of the newly created U.S. Cyber Command.) These arsenals could disable military networks or bring down power grids. And the battle could escalate at the speed of light, not just that of intercontinental ballistic missiles. “Cyber weapons can affect a huge amount of people, as well as nuclear. But there is one big difference between them,” says Vladimir Sherstyuk, a member of Russia’s National Security Council and director of the Institute for Information Security Issues at Moscow State University. “Cyber weapons are very cheap! Almost free of charge.”