The willingness of authoritarian governments to leverage native tech companies to achieve their national goals has forced U.S. officials to adapt in how they view risk from those companies, according to a senior Department of Homeland Security official.
“Our focus is not on the country of origin, or the company, but it’s about what is the rule of law under which that product is potentially subject to,” Chris Krebs, head of DHS’s Cybersecurity and Infrastructure Security Agency, said Thursday at the Cybersecurity Leadership Forum presented by Forcepoint and produced by CyberScoop and FedScoop.
The problem lies with foreign tech companies that are subject to government demands without the visibility or appeal process that exists in the United States, he said.
“It’s the rise of authoritarian states and how they’re operationalizing their tech sectors,” Krebs said, summing up how U.S. officials view products made by Chinese telecommunications giant Huawei and Russian antivirus company Kaspersky Lab. Both companies, which sell their gear around the world, strenuously deny that they have any improper relationship with their host governments.
Krebs described how he and other officials raised their concerns within the U.S. government about the risk posed by Kaspersky Lab antivirus tools. It was a multi-month legal and policy process that culminated in September 2017 with a DHS order for federal civilian agencies to purge their networks of Kaspersky Lab products.
Applying that kind of risk calculus at scale is one way of grappling with the authoritarian tech challenge, he added.
Following the DHS ban on Kaspersky Lab products and another, broader one initiated by Congress, the Moscow-based company sued the U.S. government. The lawsuits, and subsequent appeals by the company, have been dismissed in U.S. courts.
While that legal battle has quieted, Kaspersky Lab, whose security researchers are considered top notch in the industry, has continued to make its case in the court of public opinion. The company this week released an analysis arguing that, under Russian law, the company would not be subject to certain demands from authorities for data.
Asked by CyberScoop to respond to that report, Krebs said DHS stood by a different legal assessment, which the agency had commissioned, that concluded that Kaspersky Lab could be compelled to hand over data to Russian authorities.
“This thing has run its course here in the U.S.,” Krebs told reporters. “So I’m pretty confident with both our own independent legal analysis that we conducted, as well as the judiciary’s assessment of the situation.”