The Trump administration vacillates almost daily on how seriously it wants to take Russian cyber threats and how best to address them. This weekend there was talk of a joint U.S.–Russia “impenetrable cybersecurity unit.” Less than a day later that plan was apparently nixed. Now ABC News reports that the administration is considering a ban on the popular security products sold by the Russian firm Kaspersky Lab at all federal agencies. Meanwhile, the Senate is mulling a similar ban in its draft of the National Defense Authorization Act. It’s a move that, for the moment at least, seems like a rather misguided overcorrection. So far, no one has released any compelling evidence that Kaspersky is working with the Russian government to undermine the security of its millions of customers.
ABC News says that U.S. officials are concerned about Kaspersky Lab executives having “previous ties to Russian intelligence and military agencies.” That may sound alarming, but it’s a pretty empty accusation. Just about every cybersecurity firm in any country in the world—including the U.S.—has employees who come from intelligence, law enforcement, and military backgrounds. Kevin Mandia, the CEO at FireEye, was a computer security officer in the U.S. Air Force before entering the private sector. Palo Alto Networks chairman and CEO Mark McLaughlin served as an attack helicopter pilot in the Army. Stephen Schmidt, the chief information security officer for Amazon Web Services, used to run the FBI’s Cyber Division. If other countries’ governments banned contracts with U.S. firms that employ former U.S. government officials, it would be very bad news for the security industry in this country.
Maybe the U.S. government has more intelligence on Kaspersky than it’s letting on. In June, FBI agents were reportedly interviewing U.S.-based Kaspersky employees, so perhaps they’ve found some real evidence that the firm is passing information about its customers to the Russian government. But if so, none of that information has been made public, and that would itself be shocking, since many, many U.S. firms (and people) rely on Kaspersky products. If there is reliable indication that those products are compromised, the American public deserves to know.
Kaspersky Lab CEO Eugene Kaspersky, for his part, has vehemently denied any inappropriate relationship with the Russian government. He wrote on his blog last month: “[A]s a private company, Kaspersky Lab and I have no ties to any government, and we have never helped, nor will help, any government in the world with their cyber-espionage efforts (cyber-espionage is what we’re fighting!).”
In the absence of any evidence provided by the government, some U.S.-based news organizations have taken it upon themselves to dig up incriminating details about Kaspersky Lab. But these reports are almost as unconvincing as the government’s vague concerns. Bloomberg Businessweek reported this week that it had obtained emails showing “that Kaspersky Lab has maintained a much closer working relationship with Russia’s main intelligence agency, the FSB, than it has publicly admitted.” This sounds promising until you get to the actual content of the emails, in which Kaspersky Lab agrees to design tools that will help service providers combat distributed denial-of-service attacks and assist Russian police and intelligence with identifying the attackers.
Here’s how Bloomberg Businessweek describes the product that Kaspersky developed:
A person familiar with the company’s anti-DDoS system says it’s made up of two parts. The first consists of traditional defensive techniques, including rerouting malicious traffic to servers that can harmlessly absorb it. The second part is more unusual: Kaspersky provides the FSB with real-time intelligence on the hackers’ location and sends experts to accompany the FSB and Russian police when they conduct raids.
Bloomberg Businessweek seems to take this as a sign of nefarious collusion between Kaspersky and the Russian government, but it’s not entirely clear why. Building anti-DDoS technologies is exactly what security firms should be doing for their customers—whether those customers are private companies or national governments. Helping a government track down online criminals and attackers also seems like a pretty reasonable request from a law enforcement agency. And even if you think people should be able to launch DDoS attacks in Russia with impunity, it’s hard to see how Kaspersky aiding the Russian government in this way has any bearing whatsoever on the security of its other customers worldwide.
Bloomberg Businessweek also takes issue with the fact that Kaspersky apparently advised his staff to keep secret the fact that they were helping Russian officials trace DDoS attackers, but again, it’s not immediately apparent why this would be such a big deal. Many—probably most—customers ask for some degree of privacy and secrecy when dealing with security firms. No one wants the details of their security posture, much less their failings, made public.
Last week, McClatchy turned up other evidence that it felt supported the case that “the clandestine FSB has a tight relationship with Kaspersky.” In this case, it was a certificate (entirely in Russian) issued to the company by the Russian government featuring an FSB military unit number. Kaspersky later explained that the number corresponded to the Center for Information Protection and Special Communications, which certifies companies to sell products to the Russian government.
Of course, it’s possible that Kaspersky is busy selling out all of its customers to the Russian government—but it’s hard to see how a certificate with Cyrillic script, or an effort to help Russian authorities combat DDoS attacks, or some employees who used to work for the Russian military justify that conclusion. If U.S. officials have some better intelligence about the ties between Kaspersky and the Russian government then they owe it to the millions of Kaspersky customers worldwide to make that information public. If, however, they’re just acting out of fear and hostility toward Russia in general, then they’re potentially making a big mistake—one that could easily weaken the security of U.S. computer systems rather than strengthening it, and have serious consequences for U.S.-based firms if other countries decide to follow suit.