Congress may want the Department of Defense to ban products from Moscow-based cybersecurity company Kaspersky, yet experts would be surprised if it changes much from an operational standpoint.
The ban is receiving criticism from security professionals, who said the move signifies little more than political posturing. The proposal was added to the Senate’s fiscal 2018 defense authorization bill last week.
“I’d like to call this out as what it is: a purely political move,” Jake Williams, founder of Rendition Infosec, told CyberScoop. “This doesn’t need to be in the [Pentagon budget]. If intelligence indicates that Kaspersky is in cahoots with the Russian government, [the Department of Defense] could (and should) ban the use of Kaspersky products by policy.”
Eugene Kaspersky, the firm’s CEO and co-founder, offered again on Friday to let the U.S. government audit the company’s source code to prove “we’ve got nothing to hide.”
“We want the government, our users and the public to fully understand that having Russian roots does not make us guilty,” he wrote in a blog post. This follows Kaspersky’s offer to testify on the subject in front of Congress.
“A code audit is not really the issue here,” Williams, a former NSA employee, said. “First, a source code audit is a point in time. So what we see today may not be the code used to build the product tomorrow. Second, the compiled code may contain backdoors not in the originally compiled source. These are non-trivial to detect.”
Antivirus programs like Kaspersky have such power over the computers they reside on that even a clean code audit wouldn’t rule out the possibility of malware or code that could disable the machines they are installed on.
“Eugene knows this, too,” Williams said. “His offer is a publicity stunt more than anything else.”
Kaspersky has been subject to U.S. suspicions about connections to Russian intelligence, extending back at least to the Obama administration. Born in the then-Soviet Union, Kaspersky received an education at a KGB-sponsored technical school, worked for Soviet military intelligence as a software engineer and boasted about his KGB connections in advertising as recently as 2007.
“It’s public knowledge that Kaspersky has many close ties to the Kremlin, and FSB in particular,” Matt Tait, previously an information security specialist for the GCHQ and now CEO of Capital Alpha Security, told CyberScoop.
FSB, Russia’s main national intelligence agency, is the successor to the KGB, the main Soviet intelligence agency.
The ties Tait refers to include high-level employees at Kaspersky coming from Russia’s military and intelligence services.
U.S. media has reported on persistent close ties between the Russian government and Kaspersky employees. The resumes are not necessarily exceptional. In the U.S., Europe and Asia, ex-military and intelligence officers frequently go into technology and security, leverage connections and knowledge of government, and continue to work closely with government.
It’s the specifics that matter. If Kaspersky’s employees are expressly working for the Russian government in order to commit espionage against customers and other countries, as U.S. government officials are implying, it would be an unprecedented exposure and breach of trust.
There has been no evidence to back up that idea.
“The question that matters,” Tait said, “at least for Kaspersky customers, is whether Kaspersky’s relationship with the Russian government goes beyond defending Russia’s infrastructure and helping the Russian government understand malware in Russia and into the realm of spying on Kaspersky customers on behalf of Russian foreign intelligence agencies.”
The company strongly denies that it aids the Russian government in hacking operations.
“Kaspersky Lab, and its Founder and CEO, Eugene Kaspersky do not have ties to any government, and the company has never helped, nor will help, any government in the world with any cyber espionage efforts,” a Kaspersky Lab representative told CyberScoop.
Sen. Jeanne Shaheen, D-N.H., wrote the amendment banning Kaspersky and subsequently said that the “ties between Kaspersky Labs & Kremlin are very alarming.” She did not respond to CyberScoop’s requests to further elaborate on those ties.
Sen. John McCain, R-Ariz., and Sen. Jack Reed, D-R.I., the chair and ranking member of the Senate Armed Services Committee, also did not respond to multiple requests for comment.
Russia has been moving to do something similar, pledging to remove Microsoft software from government systems and state-controlled companies. Moscow pushed forward with that plan on city systems last year.
“In my humble opinion, this is just one step forward towards a global ban from the U.S. government of Russian and Chinese software,” Matt Suiche, founder of United Arab Emirates-based cybersecurity firm Comae Technologies, told CyberScoop. “Just like China is building its own hardware and software alternative, it wants to keep its distance from U.S. technology dependency.”
“The problem is that the U.S. technology industry is by far the biggest in the world,” Tait said. “The U.S. has a lot more to lose by giving foreign countries, especially in Europe, the opportunity to stoke fears of technology companies from outside their own country.”
Any evidence of wrongdoing or even substantial evidence of close ties between Russian officials and Kaspersky could risk exposing methods and sources from Western intelligence, so no one is holding their breath for such evidence to become public.
But Tait says people should know if such proof exists.
“If they want to protect [Defense Department] systems by saying ‘no Russian software,’ fine. But they should be really careful about where the ‘Kaspersky can’t be trusted because FSB’ rhetoric will end up, given the U.S.’ privileged position in the technology market, and a widespread distrust abroad that U.S. technology companies are able to act independently of the U.S. government.”