Critics Contend Independent Code and Process Reviews Won’t Reveal Much
In a battle to save its reputation, Kaspersky Lab says it will allow independent inspections of its code and infrastructure after U.S. officials accused the Moscow-based company’s software of being coopted by Russian intelligence agents and used as a search engine for U.S. intelligence secrets.
Kaspersky Lab’s new program, called the Global Transparency Initiative, calls for a review of the company’s source code, software updates and threat detection rules to start early next year. The security vendor plans to establish three technical centers in Asia, Europe and the United States by 2020 where interested parties can review its code. The company is also boosting its maximum bug bounty – a reward for researchers who find flaws in its products – to $100,000.
The move comes as Kaspersky Lab continues to battle claims that it worked with Russian intelligence agencies, which allegedly used the company’s anti-virus software as a kind of keyword search engine for classified U.S. cyber operations. Anti-virus software has expansive access to a computer’s data and can make copies of nearly any file (see Will Kaspersky Lab Survive the Russia Hacking Scandal?).
Eugene Kaspersky, the company’s founder and CEO, denies his company knowingly worked with the Russian government. So far, no technical evidence has been released that would support any of the collaboration allegations.
“We’ve nothing to hide,” Eugene Kaspersky says in a statement announcing the initiative. “And I believe that with these actions we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet.”
Anastasia Para Rae, Kaspersky’s general manager for Australia and New Zealand, says that the current “geopolitical noise” around the company is a side factor in its motivation to be more open about its operations.
“We want to be crystal clear that our business is above board and runs on the spirit of transparency,” Rae says.
But a former top NSA official, Rick Ledgett, writes in the national security publication Lawfare that the move by Kaspersky is irrelevant since, “in reality it doesn’t address the alleged activity.”
“The code is doing exactly what it has been designed to do, but in a way that is inconsistent with what customers expect and are paying for,” writes Ledgett, who was the NSA’s deputy director from January 2014 through April. “It’s not the code itself, it’s the use of the code. The experts will find that the code does exactly what it’s supposed to do, and he [Eugene Kaspersky] knows that.”
U.S. Sen. Jeanne Shaheen, D-N.H., who has remained critical of Kaspersky Lab and its software, tweeted that the code review plan “is a red herring that doesn’t address any of the fundamental underlying concerns [with] Kaspersky” (see 10 Reactions: Allegations Against Kaspersky Lab).
Will AV Industry Follow Suit?
But cybersecurity expert Alan Woodward calls this a “very smart move by Kaspersky” and likens it to the steps taken by Chinese networking hardware vendor Huawei after the Australian and U.S. governments accused it of aiding Chinese intelligence agencies. In 2012, the vendor opened a center in the United Kingdom to allow for independent review of its code and hardware. Similar offers made to Australia and the United States, however, where the company’s products remain banned for government use, were rejected.
Now that Kaspersky has offered to allow others to review its anti-virus code and practices, “it will be interesting to see how others follow suit,” Woodward, who’s a professor of computer science at the University of Surrey in England, tells Information Security Media Group. “Will they be willing to let others attend an assessment unit to examine the ‘crown jewels’? I think this story may yet have more twists and turns” (see Surveying 17 Anti-Virus Firms on Their Security Practices).
Pressure on Kaspersky Lab has been mounting for months. In July, the U.S. government advised government agencies to not procure Kaspersky’s software. Last month, it ordered agencies to remove the company’s software from computers.
Anonymous U.S. officials quoted in media reports say Israeli spies discovered that Russia had infiltrated Kaspersky’s networks and used its widely installed anti-virus software as a kind of search tool for U.S. cyber projects. Kaspersky says its software is installed on more than 400 million computers.
That’s how Russia allegedly discovered the home computer of an NSA analyst. The analyst, who has not been publicly identified, took highly classified code and material home from work. Copying such sensitive code to a home computer is a major violation of U.S. government policies for handling classified material.
His computer had Kaspersky’s antivirus software installed, which apparently detected the tools. Russian intelligence agencies somehow found out about this, and further targeted his machine. Many technical questions remain, such as exactly how Russia had access to Kaspersky’s network and what type of information it received.
Meanwhile, Eugene Kaspersky has continued his offer to testify before Congress, and he was scheduled to testify at a Sept. 27 hearing before the House Committee on Science, Space and Technology. But the hearing was postponed and a closed-door briefing instead held the next day, Reuters reports. The hearing was subsequently rescheduled for Oct. 25; the Kaspersky Lab CEO is not on the witness list.
Tuned For Spying?
By design and intention, Kaspersky’s software hunts malicious code. If that is what was on the NSA analyst’s home PC, then the security software worked as intended.
But the Wall Street Journal reported on Oct. 11 that U.S. intelligence agencies conducted experiments with Kaspersky’s software, finding that it also detected classified information, perhaps by searching for keywords such as “top secret.”
On Saturday, The Intercept delved into the possibilities of how Kaspersky, which has a track record of uncovering suspected state-sponsored cyberespionage operations, may have detected the NSA analyst’s files.
Kaspersky’s anti-virus software is one of the more aggressive products on the market, utilizing what are known as “silent” signatures, The Intercept reports. Signatures are descriptions of known malware and automatically trigger an alert if a bad application is found.
Silent signatures, which are also employed by other anti-virus firms, don’t trigger an alert to users. Instead, the signatures are designed to spot a file that needs further inspection before it can be decisively categorized as being malware or not.
False Positive Problem
Security companies studiously try to avoid flagging benign files as malicious, known as a false positive, for fear of disrupting users. If a file triggers the parameters for a silent signature, the file may be copied and sent to the anti-virus company for analysis.
Ledgett, the former NSA official, says using silent signatures is necessary for protecting computers from criminals and malicious hackers. But the capability is “also a potential gold mine if misused,” since it could give attackers a stealth search capability, he writes in Lawfare.
“Instead of looking for signatures of malware, the software can be instructed to look for things like ‘secret’ or ‘confidential’ or ‘proprietary’ – literally anything the vendor desires,” he writes. “Any files of interest can be pulled back to headquarters under the pretext of analyzing potential malware.”
But when Kaspersky opens up its infrastructure and operations – including its software updates, threat hunting technology and signatures – there should be “visibility of any misuse” if there is any in the future, writes Matt Tait, a former GCHQ analyst and senior cybersecurity fellow at the Robert S. Strauss Center for International Security and Law at the University of Texas in Austin.
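To make the silent-signature mechanism and the kind of rule review Tait describes concrete, here is an added example (not Kaspersky’s code and not any vendor’s real rules): a toy scanner that treats alerting and silent signatures differently, plus the check a reviewer of a vendor’s detection rules might run to spot rules keyed on classification markings rather than malware traits. All rule names, patterns and sample files are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes   # regex over raw file content
    silent: bool     # True: no user alert, file is queued for vendor analysis


# Constructed sample rule set (hypothetical names, not any vendor's real signatures).
SIGNATURES = [
    Signature("Trojan.EvilCorp.Loader", rb"EvilCorp loader", silent=False),
    Signature("Heur.Packed.Generic", rb"UPX!", silent=True),       # packer: worth a closer look
    Signature("Heur.Doc.Suspect", rb"top\s*secret", silent=True),  # keyed on a marking, not malware
]

# Constructed sample files (path -> content); no real data.
SAMPLE_FILES = {
    "tools/implant.bin": b"MZ\x90\x00 EvilCorp loader v2",
    "notes/report.docx": b"TOP SECRET//NOFORN briefing notes",
    "src/unknown_packer.exe": b"MZ\x90\x00 UPX! packed section",
    "readme.txt": b"hello world",
}


def scan(files, signatures):
    """Return (alerts, uploads): alerting rules notify the user; silent rules
    say nothing to the user and instead queue the file for transfer to the vendor."""
    alerts, uploads = [], []
    for path, data in files.items():
        for sig in signatures:
            if re.search(sig.pattern, data, re.IGNORECASE):
                (uploads if sig.silent else alerts).append((path, sig.name))
    return alerts, uploads


CLASSIFICATION_KEYWORDS = [b"secret", b"confidential", b"proprietary"]


def audit_signatures(signatures):
    """Reviewer's check: rules whose pattern, stripped of regex metacharacters,
    contains a document-classification keyword rather than a malware trait."""
    flagged = []
    for sig in signatures:
        plain = re.sub(rb"[\\^$.*+?()\[\]{}|]", b"", sig.pattern).lower()
        if any(kw in plain for kw in CLASSIFICATION_KEYWORDS):
            flagged.append(sig.name)
    return flagged


if __name__ == "__main__":
    print(scan(SAMPLE_FILES, SIGNATURES))
    print(audit_signatures(SIGNATURES))
```

The audit only reads the rule text; as the article notes, a review would also need sight of how rules are delivered in updates and which files are actually uploaded.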
Executive Editor Mathew Schwartz also contributed to this story.