Cybersecurity Firm’s CEO Offers Source Code Review to US Government
The war of words between Washington and Moscow over software built by Russian cybersecurity software vendor Kaspersky Lab continues to escalate. A senior Russian government official has warned that Moscow may retaliate if the Senate moves to ban the use of Kaspersky Lab software by government agencies, by ceasing its widespread use of American technology software and hardware.
Meanwhile, following reports that Congress might ban the use of Kaspersky Lab software by the Department of Defense, founder and CEO Eugene Kaspersky repeated his offer to allow U.S. officials to review the company’s source code.
“If the United States needs, we can disclose the source code,” Kaspersky told Associated Press on Saturday, adding that he would willingly testify before U.S. lawmakers as well. “Anything I can do to prove that we don’t behave maliciously, I will do it.”
Kaspersky’s offer follows the Senate Armed Services Committee recently releasing a markup of the National Defense Authorization Act for Fiscal Year 2018, featuring numerous changes categorized as having the aim of “countering Russian aggression.” In particular, the committee’s markup “prohibits the DOD from using software platforms developed by Kaspersky Lab due to reports that the Moscow-based company might be vulnerable to Russian government influence.”
In an apparent case of the horse having left the barn, the Senate’s move is in part a belated response to Moscow’s interference in the 2016 U.S. presidential election.
No one appears to have suggested that software from Kaspersky Lab was involved in any way in said disruption.
Furthermore, while Kaspersky Lab software is used by the U.S. government, it’s not clear how much of it the Defense Department uses, in part because the software is often provided by third-party resellers, officials say.
The DOD couldn’t be immediately reached for comment.
GSA Doesn’t Know Install Base
The General Services Administration says it’s not clear how extensively Kaspersky Lab’s software is used across the U.S. government, including in which agencies. “What we’re looking at is a company that is ingrained across almost 3,500 different products,” a GSA official tells Buzzfeed of Kaspersky Lab.
The anti-virus software firm began winning contracts with the U.S. government in 2008, starting with the National Institutes of Health, Buzzfeed reports. By 2014, it says, the Department of Justice, the Treasury Department, and multiple State Department offices and U.S. embassies were using the company’s products.
U.S. officials, speaking on background, have told multiple news outlets that concerns over the use of Kaspersky Lab software – and the potential for Moscow to force the vendor to subvert its software – have prompted an FBI counterintelligence probe. Last week, FBI agents interviewed at least a dozen U.S.-based Kaspersky Lab employees, NBC reports.
Concerns over the company’s software were also the subject of a secret Department of Homeland Security memo distributed to government agencies in February, and an April warning from the Senate Intelligence Committee to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions, ABC reports.
Kaspersky Lab Denies Russian Government Ties
Kaspersky Lab, meanwhile, denies having ever helped the Russian government or any other government.
“As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company says in a statement. “The company has a 20-year history in the IT security industry of always abiding by the highest ethical business practices, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations.”
Meanwhile, a senior Russian official has warned that any attempt to ban Kaspersky Lab products could trigger reprisals by Moscow.
Communications Minister Nikolay Nikiforov told Bloomberg in a Friday interview that any “unilateral political sanctions” by the United States could prompt a response by Moscow. Nikiforov added that Russian government systems rely on “a huge proportion of American software and hardware solutions in the IT sphere, even in very sensitive areas.”
Security Experts Demand Proof
Many information security experts outside Russia, meanwhile, have questioned whether the U.S. government is running a smear campaign against Kaspersky Lab, and called for officials to “put up or shut up.”
“The folks there I’ve worked with have tirelessly run down adversary campaigns, provided some of the best analysis on malware, & been pros,” says Robert M. Lee, CEO of industrial cybersecurity firm Dragos, an industrial control security instructor at SANS Institute, and a former U.S. Air Force cyber warfare operations officer, via Twitter.
“If it’s so important then tell the American people and allies. Or realize it’s a paranoid and awful precedent to make,” he adds. “We all fight assholes. The bad folks targeting innocent people around the world. We don’t need to fight each other too.”
If the U.S. government has intel that @kaspersky is somehow bad; make it public. Or (my opinion) it’s crap rumors and needs to stop.
— Robert M. Lee (@RobertMLee) June 29, 2017
The security firm actively assists numerous government organizations with cybercrime investigations. In 2009, to better tackle online crime, Eugene Kaspersky called for the formation of an internet police force.
While that has yet to come to pass, in 2014, Kaspersky Lab signed a memorandum of understanding with the EU’s law enforcement intelligence agency, Europol, allowing them both to exchange knowledge and support, “such as the provision of expertise, statistical data, trends and other strategic information.” The same year, it also signed a cooperation agreement with Interpol.
What Goes Around
Katie Moussouris, an American computer security researcher who created the bug bounty program at Microsoft, has called on the U.S. government to avail itself of Eugene Kaspersky’s offer to share source code. In fact, many U.S.-based vendors – including Microsoft, with its Windows operating system – already do this for foreign governments.
Moussouris also describes the Senate’s approach not only as misguided and ill-informed – many Apple products, for example, are built in China – but also primed to backfire for U.S. technology manufacturers.
“We’ve already seen this happen when the @Snowden revelations showed the embedded surveillance infrastructure in U.S. companies. Forgot PRISM?” Moussouris says via Twitter. “The EU reaction was to advise businesses not to use U.S. cloud service providers. U.S. companies scrambled to reassure foreign govs & customers.”
Singling out products by national origin, if this is the trend, will affect US commerce far disproportionately more than foreign products.
— Katie Moussouris (@k8em0) June 29, 2017
Some reporting on the Senate’s move to ban Kaspersky Lab software has also been colored by innuendo. NBC News, in its report, notes that Eugene Kaspersky “graduated in 1987 from the Soviet KGB-backed Institute of Cryptography, Telecommunications, and Computer Science.”
“Silly standard for fear,” he says. “I can name many U.S. companies with founders who have close ties to U.S. intelligence.”