Security-testing company NSS Labs has filed an antitrust lawsuit against multiple prominent cybersecurity vendors, alleging that they conspired to restrict testing of their products.
The suit, filed Tuesday in a U.S. district court in Northern California, claims NSS Labs has already “suffered substantial damages” from the alleged antitrust actions of CrowdStrike, Symantec and ESET, along with the Anti-Malware Testing Standards Organization (AMTSO). Unless an injunction is issued against the alleged conspiracy, the complaint says, “NSS Labs will suffer further injury, including irreparable injury such as permanent loss of market share.”
The complaint alleges that the vendors used the AMTSO, a California-based forum for considering anti-malware testing methods, to violate U.S. and California antitrust laws. Specifically, the complaint holds, the defendants threatened not to do business with product testers that voted against the AMTSO standard, which NSS Labs opposed. CrowdStrike, ESET, NSS Labs, and Symantec are all AMTSO members.
NSS Labs is taking on some of the biggest names in the cybersecurity market. CrowdStrike, known for its investigation of the 2016 breach of Democratic National Committee networks, announced in June that it was valued at more than $3 billion. Symantec was founded in 1982 and has more than 11,000 employees in 35 countries, while ESET says its products are used by more than 110 million users.
The embroilment is a reminder that, while cybersecurity professionals generally agree on the need for third-party testing of software, it can still be a hotly contested issue.
In a blog post, NSS Labs CEO Vikram Phatak said his company filed suit “because some vendors have not been living up to their responsibility to protect consumers and they know it.” He alleged that CrowdStrike, ESET and Symantec had “conspired to prevent testing of their products” by making that testing subject to the vendors’ permission in licensing agreements.
“This unethical and deceptive behavior hampers transparency and hinders consumers in their ability to assess whether a product delivers on its promises,” Phatak wrote.
In a statement, CrowdStrike called the lawsuit “baseless” and accused NSS Labs of obtaining products it tests via “fraudulent means.”
“CrowdStrike supports independent and ethical testing—including public testing—for our products and for the industry,” the statement said. “We have undergone independent testing with AV-Comparatives, SE Labs, and MITRE and you can find information on that testing here. We applaud AMTSO’s efforts to promote clear, consistent, and transparent testing standards.”
An ESET spokesperson said in a statement: “We are aware of the allegations stated in the blog post from NSS Labs, however, we have yet to receive official legal communication. As legal proceedings appear to have been initiated, we are unable to say more at this time, beyond the statement that we categorically deny the allegations.”
ESET products “have been rigorously tested by many independent third-party reviewers around the world,” the spokesperson added, “received numerous awards for their level of protection of end users over many years, and are widely praised by industry-leading specialists.”
In a statement, AMTSO said it is “disappointed by the antitrust lawsuit raised by a member organization (NSS), and we categorically deny all claims made against us.”
AMTSO added: “Rather than trying to use the legal system to tear down what we all built together, we encourage NSS to bring its concerns back to the table and engage with the rest of AMTSO membership to make our industry better.”
A Symantec spokesperson declined to comment, citing pending litigation.
This is not the first legal tussle between NSS Labs and CrowdStrike. In February 2017, CrowdStrike filed a lawsuit against NSS Labs to prevent the company from publishing results of its testing of CrowdStrike’s endpoint security product. CrowdStrike accused NSS Labs of engaging in “unlawful conduct” and “pirating” CrowdStrike’s software. A judge ruled against that injunction request, and the bad blood between the companies has remained.
UPDATE, 4:13 pm, EDT: This story has been updated with a statement from ESET.
UPDATE, 11:56 am, EDT 09/20/18: This story has been updated with an updated statement from CrowdStrike.
UPDATE, 2:49 pm, EDT 09/21/18: This story has been updated with a statement from AMTSO.