The US Kaspersky Security Software Ban Needs to Be Backed Up With Evidence

More than a month has passed since the antivirus giant Kaspersky Lab had its US government business executed without a trial. But while American federal agencies remove all traces of one of the world’s most popular pieces of security software from their networks, they have yet to explain exactly what merits that Government Services Administration ban.

And as the rest of the world decides whether it needs to similarly rid itself of all Kaspersky code, it’s starting to get impatient for answers.

For years, rumors have followed Kaspersky and its billionaire founder, Eugene Kaspersky, regarding ties to Russian intelligence agencies. Last month’s GSA edict put an official stamp on those suspicions, but without any official explanation as to what exactly the Moscow-based cybersecurity firm has done to merit them. Stories in the New York Times and Wall Street Journal have since cited anonymous sources accusing Kaspersky of siphoning American secrets, including the files of an NSA staffer, to its own servers, where the Russian government then accessed them. But it’s still not clear whether Kaspersky has been actively collaborating with or unwillingly compromised by the Kremlin, or, based on a new statement Kaspersky posted in its own defense Wednesday, whether it was the Russian government’s source for those NSA files at all.

All of that has led to a growing chorus from the security community, and now even a US senator, calling on US intelligence agencies to make a clear statement about what exactly they know Kaspersky to be doing—and whether that behavior merits US companies and consumers jettisoning it as urgently as the feds have. “Our government hasn’t even been clear about what they’re accusing Kaspersky of,” says Rob Graham, a security consultant for the firm Erratasec. “We’re just getting propaganda on this issue and no hard data. And that’s bad.”

An Opaque Process

It’s still not publicly understood, for instance, whether Kaspersky simply performed its intended antivirus function of identifying NSA-created malware and uploading it to its servers for analysis—which could explain how NSA tools on a staffer’s home machine ended up in the hands of the Russian government—or whether it’s acting as a more comprehensive search engine of its users’ secrets, allowing Russian spies to reach into millions of computers around the world. If the latter, Graham says, “that’s terrible, that’s the worst possible thing you could say about them, and everyone should delete Kaspersky from their machine.” But if it’s the former, “these insinuations and accusations don’t have merit. It’s a key sticking point that we need more information about,” Graham says.

On Wednesday morning, ahead of a hearing in the House of Representatives’ Science, Space, and Technology Committee about the Kaspersky scandal, senator Jeanne Shaheen of New Hampshire published an open letter to the Department of Homeland Security and Office of the Director of National Intelligence asking those same questions. “While I commend the administration for…ordering the removal of Kaspersky Labs products from federal agencies, I remain concerned about their use in non-governmental systems,” Shaheen’s letter reads. “I write to urge you to declassify information on Kaspersky Lab and its products in order to allow the American people to make informed decisions about risks to their privacy and security.”

Even without declassifying secrets, the US intelligence community could share more, argues Matt Tait, a former staffer at the British intelligence service GCHQ. “If Kaspersky is acting on behalf of the Russian government, I think the US government should be brave enough to put an official stamp on it and say it out loud,” Tait told the security-focused podcast Risky Business. “I’m not convinced they need to declassify why they think it’s the case, but they need to say out loud that they do think it’s the case.” After all, Tait points out, if Kaspersky does collude with Russian intelligence, that matters not only to the US federal government, but to state governments, defense contractors, and foreign governments.

Wednesday’s hearing, meanwhile, produced virtually no new information about Kaspersky as a security threat, classified or not. All of the witnesses, who included officials from the National Institute of Standards and Technology and the Government Services Administration, quickly disclaimed any knowledge of classified matters. The House committee members called Kaspersky a “wolf in sheep’s clothing” and insinuated that its headquarters in Moscow and Eugene Kaspersky’s education at a KGB cryptography school sufficiently demonstrated the company’s collusion with the FSB, but without substantiating those accusations.
