Shalyt is not surprised by the WannaCry carnage. He will not comment on clients and specifics but it's clear that Aperio's business model is based exactly on the kind of vulnerability the WannaCry attackers have exploited: a reluctance among many large organizations, including crucial infrastructure companies to update and/or patch their systems.
"This is one of the scarier parts for me in the whole story. The things that we really rely on for electricity, water, gas supply health care, there's very little incentive there most of the time to upgrade the systems," says Shalyt.
"In power generation you see this all the time, they're very scared of touching their SCADA (control and data systems) and in general their networks and their configurations: It was working for ten years, 15 years. Why should I ever touch anything? If I screw something up, I'll have downtime in power. Do you know how much that will cost the company?"
He explains that installing Aperio is therefore completely non-intrusive and doesn't require any downtime. "Otherwise no one would actually do it."
Attacks such as WannaCry and many others are constantly going on, Shalyt notes. And chances are that systems will be breached: "We assume that the digital network will be breached and the latest attack is a good example of that. We don't trust that the systems are really secure either to external hackers or a cyber threat. We believe even a mildly motivated attacker will be able to breach your network."
Deterrence is sorely lacking at the moment, Shalyt points out. The unregulated nature of cyberspace too often makes it easy for attackers to get away with it. "You can reverse engineer their malware, you can understand everything about their activity, you can shut down their operation but still you won't catch the actual guy."
That's why he's in favor of something that Microsoft has mooted, a 'cyber Geneva convention'. There are very few success stories. And when it was successful, it was due to collaboration between different countries, different actors, between the security industry and law enforcement. I was part of one such organization and I know that if there's more collaboration it will really help in scaring off potential hackers."