The US Kaspersky Security Software Ban Needs to Be Backed Up With Evidence
More than a month has passed since the antivirus giant Kaspersky Lab had its US government business executed without a trial. But while American federal agencies remove all traces of one of the world’s most popular pieces of security software from their networks, they have yet to explain exactly what merits that Government Services Administration ban. And as the rest of the world decides whether it needs to similarly rid itself of all Kaspersky code, it’s starting to get impatient for answers.
For years, rumors have followed Kaspersky and its billionaire founder, Eugene Kaspersky, regarding ties to Russian intelligence agencies. Last month’s GSA edict put an official stamp on those suspicions, but without any official explanation as to what exactly the Moscow-based cybersecurity firm has done to merit them. Stories in the New York Times and Wall Street Journal have since cited anonymous sources accusing Kaspersky of siphoning American secrets, including the files of an NSA staffer, to its own servers, where the Russian government then accessed them. But it’s still not clear whether Kaspersky has been actively collaborating with or unwillingly compromised by the Kremlin, or, based on a new statement Kaspersky posted in its own defense Wednesday, whether it was the Russian government’s source for those NSA files at all.
All of that has led to a growing chorus from the security community, and now even a US senator, calling on US intelligence agencies to make a clear statement about what exactly they know Kaspersky to be doing—and whether that behavior merits US companies and consumers jettisoning it as urgently as the feds have. “Our government hasn’t even been clear about what they’re accusing Kaspersky of,” says Rob Graham, a security consultant for the firm Erratasec. “We’re just getting propaganda on this issue and no hard data. And that’s bad.”
An Opaque Process
It’s still not publicly understood, for instance, whether Kaspersky simply performed its intended antivirus function of identifying NSA-created malware and uploading it to its servers for analysis—which could explain how NSA tools on a staffer’s home machine ended up in the hands of the Russian government—or whether it’s acting as a more comprehensive search engine of its users’ secrets, allowing Russian spies to reach into millions of computers around the world. If the latter, Graham says, “that’s terrible, that’s the worst possible thing you could say about them, and everyone should delete Kaspersky from their machine.” But if it’s the former, “these insinuations and accusations don’t have merit. It’s a key sticking point that we need more information about,” Graham says.
On Wednesday morning, ahead of a hearing in the House of Representatives’ Science, Space, and Technology Committee about the Kaspersky scandal, senator Jeanne Shaheen of New Hampshire published an open letter to the Department of Homeland Security and Office of the Director of National Intelligence asking those same questions. “While I commend the administration for…ordering the removal of Kaspersky Labs products from federal agencies, I remain concerned about their use in non-governmental systems,” Shaheen’s letter reads. “I write to urge you to declassify information on Kaspersky Lab and its products in order to allow the American people to make informed decisions about risks to their privacy and security.”
Even without declassifying secrets, the US intelligence community could share more, argues Matt Tait, a former staffer at the British intelligence service GCHQ. “If Kaspersky is acting on behalf of the Russian government, I think the US government should be brave enough to put an official stamp on it and say it out loud,” Tait told the security-focused podcast Risky Business. “I’m not convinced they need to declassify why they think it’s the case, but they need to say out loud that they do think it’s the case.” After all, Tait points out, if Kaspersky does collude with Russian intelligence, that matters not only to the US federal government, but to state governments, defense contractors, and foreign governments.
Wednesday’s hearing, meanwhile, produced virtually no new information about Kaspersky as a security threat, classified or not. All of the witnesses, who included officials from the National Institute of Standards and Technology and the Government Services Administration, quickly disclaimed any knowledge of classified matters. The House committee members called Kaspersky a “wolf in sheep’s clothing” and insinuated that its headquarters in Moscow and Eugene Kaspersky’s education at a KGB cryptography school sufficiently demonstrated the company’s collusion with the FSB, but without substantiating those accusations.
If anything, the absence of solid official claims about Kaspersky’s alleged misbehavior has only become more conspicuous as the web of conflicting and ambiguous reports about the company grows. Earlier this month, the Wall Street Journal reported that Kaspersky’s software had helped to steal a collection of highly secret documents brought home by a staffer working for the NSA’s elite Tailored Access Operations hacking division, who had run the Kaspersky software on a home computer. The New York Times followed up with a report that Israeli intelligence had compromised Kaspersky, and found evidence that it was spying on behalf of Russian intelligence, which it then shared with US officials.
On Wednesday, Kaspersky published a blog post telling its own, very different account of that NSA staffer incident, based on its internal investigation and records of its malware uploads. According to Kaspersky, the NSA staffer had in 2014 run a pirated version of Microsoft Word along with a so-called “keygen” tool used to register it with a spoofed key; that keygen was infected with malware that included a “full blown backdoor” capable of allowing the theft of the NSA tools by any third party that controlled the malware. While the NSA staffer had in fact installed Kaspersky’s antivirus software, he or she had it turned off at that time, Kaspersky says, and only turned it on again in November of 2014. Kaspersky acknowledges that on another occasion, the Kaspersky software did detect and upload a trove of NSA hacking tools from the staffer’s computer, but asserts that Eugene Kaspersky himself ordered them deleted, without sharing them with any other organization.
In the vacuum of any official statement from the US government to sort out those narratives, everyone else is left to decide whether to exile Kaspersky from their PCs with incomplete information. But as unfair as it may seem, better to treat Kaspersky as guilty until proven innocent, says Nicholas Weaver, a security-focused computer science researcher at the University of California at Berkeley.
“It is really disappointing and frustrating that the only statements are really innuendo, [but] for the average consumer it probably is irrelevant,” Weaver says. “When your license comes up for renewal, the negligible cost difference and interchangeability suggest: Go with somebody else.”
Nonetheless, he’d still like to see a clear statement from the government explaining exactly what warrants the switch. “It is critical to publicize it because it will cause people to change behavior, even if it has no effect on the future risk calculation,” he says. If the feds know enough to be sure that Kaspersky’s products are tainted, they should share enough to let the rest of us come to the same conclusion.