Dear U.S. government: Please put up or shut up over Moscow-based cybersecurity firm Kaspersky Lab.
Twenty-year-old Kaspersky Lab, which has more than 400 million users of its anti-virus and security software worldwide, is being targeted by vague, unsubstantiated accusations. That includes the FBI reportedly briefing organizations that using the Moscow firm's products pose a threat to their business.
"The American public remain the only people unable to make an informed decision about whether or not to use Kaspersky."
In a Sept. 4 New York Times op-ed, Sen. Jeanne Shaheen, D-New Hampshire, called Kaspersky Lab a danger to U.S. national security, noting that CEO Eugene Kaspersky "graduated from the elite cryptology institute of the KGB, the Soviet Union's main intelligence service."
Shaheen says that she can't reveal the full extent of classified information that she received in briefings that has caused her to be so concerned about the company's products.
Instead, she writes: "At a public hearing of the Senate Intelligence Committee in May, six top intelligence officials, including the heads of the FBI, CIA and National Security Agency, were asked if they would be comfortable with Kaspersky Lab software on their agencies' computers. Each answered with an unequivocal no. I cannot disclose the classified assessments that prompted the intelligence chiefs' response."
Reaction: What intelligence agency would trust foreign-built software, especially when domestic alternatives are available?
Legislation passed Monday by the Senate would also ban the use of Kaspersky Lab software across the federal government. But that's well within the Senate's purview (see Russia Threatens Retaliation If US Bans Kaspersky Lab).
The Senate's move squares with Acting Secretary of Homeland Security Elaine Duke ordering all U.S. government departments and agencies to identify all Kaspersky Lab products on networks within 30 days, develop plans to replace them within 60 days, and do so within 90 days (see Kaspersky Software Ordered Removed From US Gov't Computers).
And that's well within the purview of the White House.
But what informs an intelligence agency's risk assessment - or concerns for government networks - does not necessarily apply to consumers. Nor should intelligence chiefs' choices be read as proof of a private company's malfeasance.
Nicholas Weaver, a computer security researcher at the University of California, Berkeley, has been calling for the U.S. government to stop using Kaspersky Lab anti-virus products since July. But he told the Associated Press that "for most everybody else, the software is fine."
Such nuance is too often absent in this discussion. Earlier this month, the largest U.S. electronics retailer, Best Buy, began pulling Kaspersky Lab products from its shelves. One person described as being familiar with the company's decision-making told the Minneapolis Star Tribune that the company felt there were too many unanswered questions about the security firm's software. And on Thursday, U.S. office supply retailer Office Depot followed suit.
Scapegoat for Congress's Failures?
Is Kaspersky Lab a convenient target for U.S. legislators, still struggling to come to grips with Russia's advanced - and dangerous - information warfare tactics?
While so many officials were warning of a "cyber Pearl Harbor," Russia came along and used U.S.-built social networking algorithms against us. Rather than wage a frontal assault aimed at destabilizing a democracy, it created a bunch of virtual personalities that could do the same thing via Twitter and made some well-placed advertising buys via Facebook. And boom, Vladimir's your uncle.
But the logical leap that posits that Moscow-based security firms pose an existential threat to U.S. democracy is a long one, unless there's evidence to substantiate this accusation.
Red Flag: Insinuation
So far, however, there's only been weak insinuation.
"It has been well-known that Kaspersky was trained by Russian intelligence and served with them for some time before starting his company," Jake Williams, head of U.S. cybersecurity consultancy Rendition InfoSec, responds to Shaheen in a recent op-ed. "But this alone cannot be the standard of proof for 'influence from Russian intelligence,'" adds Williams, who formerly served in the U.S. Army and handled classified information. "A large number of U.S. companies - mine included - would meet this standard for 'influence' by U.S. intelligence."
Kaspersky Lab has continued to deny having any unethical or inappropriate affiliations with any governments, including Russia. "The only conclusion seems to be that Kaspersky Lab ... is caught in the middle of a geopolitical fight, and it's being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyber espionage or offensive cyber efforts," the company says in a statement.
On Sept. 27, Eugene Kaspersky is due to testify to that effect before Congress.
I have accepted invitation to testify before US House of Representatives & address allegations about KL. Hope to get expedited visa. pic.twitter.com/Z24emERmnn— Eugene Kaspersky (@e_kaspersky) September 14, 2017
(Sept. 20 update: Kaspersky Lab says the hearing at the U.S. House of Representatives at which Kaspersky was due to testify will be rescheduled, although no date has been set. "I look forward to participating in the hearing once it's rescheduled and having the opportunity to address the committee's concerns directly," Eugene Kaspersky says in a statement.)
Anti-Virus Conspiracy Theories
From a common sense standpoint, any anti-virus vendor found to be assisting its government's cyberespionage efforts would likely suffer instant and irretrievable death by market share decline, as users switched to competitors (see Anti-Virus Conspiracy Theories Cut Both Ways).
Meanwhile, the same vague suggestions of collusion leveled against Kaspersky Lab might be leveled at any other country's security firms. Looking at PC Magazine's 2017 list of the top 10 anti-virus vendors, for example, they hail from eight countries:
- Czech Republic: Avast
- Finland: F-Secure
- Japan: Trend Micro
- New Zealand: Emisoft
- Romania: Bitdefender
- Russia: Kaspersky Lab
- Slovakia: ESET
- United States: McAfee, Symantec, Webroot
Common Sense: Judge the Evidence
When it comes to suggestions that Kaspersky Lab software poses a risk to businesses, many information security professionals have responded the same way they do whenever anyone attempts to attribute an attack to anyone else: Prove it.
"Common sense isn't following claims without evidence," says British security researcher Kevin Beaumont about Kaspersky Lab, via Twitter. "If there's any credible evidence anybody has, post it."
For businesses or consumers, replacing technology from a specific vendor can have repercussions - it costs time and money; it needs to be justified.
So where's the evidence?
"The American public remain the only people unable to make an informed decision about whether or not to use Kaspersky. The FBI needs to educate the American people so they can make an informed decision about Kaspersky," Williams writes. "It's high time the bureau showed its cards or folded its hand."