The U.S. Kaspersky Ban Sets an Ugly Precedent
Is the U.S. government’s ban on the products of Kaspersky Lab, the Moscow-headquartered global cybersecurity company founded by Russians, a reasonable precaution or brazen protectionism? It’s possible to argue either case. But whether the ban is justified is less important in the grand scheme of things than what it does to the borderless nature of the cybersecurity industry and the tech industry as a whole.
The precautionary argument is laid out persuasively in the Department of Homeland Security statement. The DHS says that “Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed.” That’s undeniably true. It also says the Russian government could “request or compel assistance” from Kaspersky; that, too, is true as far as it goes: The Kremlin can put any amount of pressure on any company with sizable Russian operations, and Kaspersky is one such company.
Kaspersky Lab has offered to let the U.S. inspect its source code, but any such inspection could miss backdoors, and the source code could be changed afterwards. The U.S. government could test Kaspersky’s products by putting them on a “honey server” and watching if any malicious activity ensues — but what if the Russian government is saving the Kaspersky weapon for some all-important attack, the way it would save some deeply embedded mole in the U.S. intelligence community?
Of course, facilitating government spying would kill off Kaspersky as a business with some $600 million in global revenues. Would the Russian government care about that if it felt national interest would be served by weaponizing Kaspersky at some crucial geopolitical moment? Not for a minute.
I asked Costin Raiu, the director of Kaspersky’s global research and analysis team, how the company answers the charges. He replied via email:
“In our industry there are mainly two types of people — those who do offensive things, breaking software, creating espionage tools, exploits, and — to the extreme — helping governments with their spy efforts. The other category consists of people who fight for users, take their side, protect them from attacks, create software that defends computers and make all sorts of trouble for spy agencies.
“For 20 years, Kaspersky Lab has been fighting for users. It created one of the world’s best security software and ONLY hired people who abide by some of the highest ethical standards. Any of our experts would consider it unethical to abuse user trust in order to facilitate spying by any government. Even if, let’s say, one or two such people would somehow infiltrate the company, there are 3000+ people working in Kaspersky Lab and some of them would notice something like that.”
Essentially, it looks as though the firm is asking the world to take the purity of its intentions on faith, on the strength of its reputation. Kaspersky’s antivirus products consistently score at or near the top in product comparisons, and many years of such performance should be worth something. Its denials have convinced many, judging by the fact that there was no immediate follow-up on the U.S. decision from major U.S. allies.
German Interior Minister Thomas de Maiziere said recently that his government had had “positive experience” with Kaspersky and that the U.S. move was “grounds for a new test but not at this point grounds for altering our relationship.” The Canadian government, which has an even closer intelligence-sharing relationship with the U.S. than the German one, has not moved to rescind its authorization of Kaspersky products. This undermines the “reasonable precaution” argument: The U.S. is not really safe from the theoretical danger of weaponized Kaspersky products if the nations with which it shares sensitive data don’t share its concerns.
There may be another reason why some governments are hesitant to follow the U.S. lead, at least for now: Kaspersky has proved helpful in identifying threats that potentially originate in the U.S. intelligence community. One example is the suspected National Security Agency tool known as the Regin trojan, discovered by Kaspersky and the U.S. firm Symantec in 2015.
It has always been difficult to attribute malicious actions in cyberspace, and traditionally cybersecurity firms didn’t expend much effort on it, focusing instead on defeating the threats — especially those presumed to be from non-state actors such as terrorists — wherever they came from. Arguably, that’s still the more reasonable approach, but the political focus has shifted to a vision of nation-state cyberwars.
The logic of the DHS statement, that a Russian company is likely to act on behalf of the Russian government, suggests that such a company is potentially more credible on U.S.-generated threats. A reasonable policy for a third-party government in such a world would be to cooperate with the broadest range of cybersecurity companies so that no threat is downplayed under pressure from the nation states in which the security firms are based. That’s potentially good for Kaspersky outside the U.S., though in fact it’s ugly for the cybersecurity industry: instead of the equal trust the top firms enjoy today, such a pragmatic approach would place them under equal suspicion.
Suddenly, the attribution of attacks becomes as important as repelling them. But it’s a far iffier part of the business, and a far less useful one for practical purposes. Besides, given that insiders present the biggest threat when it comes to cyber intrusions, the companies can no longer safely count on an international pool of talent, as they have done for years. Is it worth hiring this talented Russian if he could be a spy? Does this nice American kid perhaps have instructions from the NSA to insert a backdoor in a commercial antivirus product? And in general, if nation states treat cyberspace as a theater of war, shouldn’t any government or large company confine itself to national software?
That’s certainly what Russian President Vladimir Putin appears to think when he tells Russian information technology companies to start using exclusively Russian-developed software if they want government contracts. “In some spheres the state will inevitably tell you: You know, we can’t take this because someone could push a button somewhere and it’ll all switch off,” Putin said.
Perhaps the U.S. government should be equally wary, as it was with the Kaspersky ban. But for other governments, and for private business, this kind of mindset could mean missing out on threats that cause real economic and political damage today. The shape of the cybersecurity industry before the new Cold War — a pool of international intellect and skill united against any and all threats — was more conducive to fighting them off.