United States federal government bans use of Kaspersky software: What should firms and households do?

A leading maker of antivirus and internet security software has been blacklisted by the United States federal government over fears that it has ties to Vladimir Putin’s regime in Russia. Here are the first two paragraphs of The Washington Post’s story about the decision:

The U.S. government on Wednesday banned the use of a Russian brand of security software by federal agencies amid concerns the company has ties to state-sponsored cyberespionage activities, according to U.S. officials.

Acting Homeland Security secretary Elaine Duke ordered that Kaspersky Lab software be barred from federal civilian government networks, giving agencies a timeline to get rid of it, according to several officials familiar with the plan who were not authorized to speak publicly about it. Duke ordered the scrub on the grounds that the company has connections to the Russian government and its software poses a security risk.

And here is a copy of the statement issued by the Department of Homeland Security regarding DHS Binding Operational Directive 17-01.

Kaspersky Lab (which has an American division headquartered in Woburn, Massachusetts) responded with this strongly worded statement:

Given that Kaspersky Lab doesn’t have inappropriate ties with any government, the company is disappointed with the decision by the U.S. Department of Homeland Security (DHS), but also is grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded.

No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company. Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia.

In addition, more than 85 percent of its revenue comes from outside of Russia, which further demonstrates that working inappropriately with any government would be detrimental to the company’s bottom line. These ongoing accusations also ignore the fact that Kaspersky Lab has a 20-year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy technology development.

Regarding the Russian policies and laws being misinterpreted, the laws and tools in question are applicable to telecom companies and Internet Service Providers (ISPs), and contrary to the inaccurate reports, Kaspersky Lab is not subject to these laws or other government tools, including Russia’s System of Operative-Investigative Measures (SORM), since the company doesn’t provide communication services.

Also, it’s important to note that the information received by the company, as well as traffic, is protected in accordance with legal requirements and stringent industry standards, including encryption, digital certificates and more.

Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues. The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit.

Kaspersky’s software has repeatedly come out ahead of the competition in tests performed by independent labs, which is a key reason why many cybersecurity professionals like it and recommend it.

But now the company is being blacklisted by the federal government and agencies are under orders to remove and uninstall any Kaspersky products they may have purchased licenses for. Best Buy has already severed ties. What about households and firms that use Kaspersky: what should they do?

My advice is, don’t panic. There is no need to purge Kaspersky from your systems if you use it. No evidence has been presented that Kaspersky’s software is malicious.

And it sounds like the government just doesn’t have any.

Rob Joyce, the White House cyber security coordinator, said Wednesday at the Billington CyberSecurity Summit that the Trump administration made a “risk-based decision” to order Kaspersky Lab’s products removed from federal agencies.

Asked by Reuters whether there was a smoking gun showing Kaspersky Lab had provided intelligence to the Russian government, Joyce replied: “As we evaluated the technology, we decided it was a risk we couldn’t accept.”

Emphasis is mine.

Despite the issuance of this order, the Department of Homeland Security has said there will be “an opportunity for Kaspersky to submit a written response addressing the Department’s concerns or to mitigate those concerns”.

“The Department wants to ensure that the company has a full opportunity to inform the Acting Secretary of any evidence, materials, or data that may be relevant,” says the statement accompanying the order.

In a recent New York Times op-ed, Senator Jeanne Shaheen of New Hampshire advocated for today’s action by referencing briefings from the intelligence community.

At a public hearing of the Senate Intelligence Committee in May, six top intelligence officials, including the heads of the F.B.I., C.I.A. and National Security Agency, were asked if they would be comfortable with Kaspersky Lab software on their agencies’ computers. Each answered with an unequivocal no. I cannot disclose the classified assessments that prompted the intelligence chiefs’ response. But it is unacceptable to ignore questions about Kaspersky Lab because the answers are shielded in classified materials.

When someone says they’ve got evidence to back up a course of action they want to take, but won’t show it to you, then you’re left with just their word.

That’s not good enough.

Shaheen goes on to say:

Fortunately, there is ample publicly available information to help Americans understand the reasons Congress has serious doubts about the company.

She then goes on to talk about how the company’s founder Eugene Kaspersky graduated from an elite cryptology institute (something that is public knowledge and which I’ve known since before I started using the company’s products), and news reports that discuss the possibility and probability that Kaspersky has been collaborating with Russian intelligence, such as this one from Bloomberg.

But even that Bloomberg article noted, “The U.S. government hasn’t identified any evidence connecting Kaspersky Lab to Russia’s spy agencies.”

(Kaspersky has responded both to Shaheen’s op-ed and also to the Bloomberg story.)

Writing for Wired, in a piece published on Labor Day (Why the U.S. Government Shouldn’t Ban Kaspersky Security Software), Philip Chertoff noted that most of Kaspersky’s rivals in the cybersecurity industry are also foreign companies that may have ties to the intelligence agencies of their own home countries.

It is not unreasonable to think that Kaspersky Lab may have ties with Russian intelligence. The company employs former intelligence officers, and Russia’s relationship-based business climate means that it’s unlikely Kaspersky Lab could have succeeded without relationships with senior government officials.

However, it’s a charge that could be levied at many technology companies, especially cybersecurity firms. As the digital economy has grown, international intelligence agencies and technology firms have formed a sort of intelligence-industrial complex. After exiting US intelligence services, many former officers and cryptographers transition to jobs with big tech firms, hired for those skills they learned in the service or specifically for their strong personal relationships with government officials.

For instance, Bitdefender — which is currently trying to poach Kaspersky’s business with ads like these — is based in Romania. (Bitdefender is the other company that routinely gets the highest marks in independent third-party testing of antivirus and security software.)

If we can’t trust Kaspersky because they’re foreign, then arguably the same logic applies across the industry.

Kaspersky is a multinational company that has servers all over the world, in many countries, including the United States as well as Russia. Again, that’s no different than other cybersecurity companies.

It must be noted that there are a lot of American firms handing over precious trade secrets so they can do business in China, or complying with Chinese laws so they can gain access to the market there.

The New York Times recently published a story about this. Shouldn’t that behavior be equally concerning to us?

It is to me, at least. And these are American firms.

Senator Shaheen claims to have seen information which is prompting her to call for a ban of Kaspersky software — but says she can’t share this information. That’s of no help, then, because it means those of us who understand these issues can’t weigh the evidence for ourselves to reach our own conclusions.

The U.S. intelligence community is very secretive and agencies like the NSA have a history of having violated federal law and the Fourth Amendment to the United States Constitution to spy on Americans.

The NSA has also reportedly spied on companies like Bitdefender and Kaspersky (surprise, surprise).

We have a growing body of evidence that Vladimir Putin and the Russian Federation interfered in last year’s elections here in the United States. We are all right to be concerned about that. We do not have evidence that Kaspersky’s software is a danger to our national security.

The Internet may have begun as a U.S. defense research project, but it’s a global medium now. Combating bad actors requires global cooperation, because the bad guys can operate from anywhere with an Internet connection, as Eugene Kaspersky notes in a piece today at Forbes:

When did it become OK to declare a company is guilty without one shred of public evidence? In addition, while the U.S. has talented cybersecurity experts, smart people, who are dedicated to fighting cybercriminals, are born and educated all around the world. If the most sophisticated cyber threats are coming from countries outside of the U.S., don’t you think using cyberthreat data and technologies from experts located in those countries might be the most effective at protecting your valuable data, especially given that they are fighting against those local threat actors every day?

It is time to separate geopolitics from cybersecurity. We need to work together globally. Kaspersky Lab has good relationships and regularly helps law enforcement agencies all over the world fight cybercrime, and we hope the U.S. will also consider learning more about us, and who we truly are, versus the rhetoric and false assumptions. We’re ready to demonstrate that we have nothing to hide, and that we only want to help defeat cybercriminals and prevent cyberattacks.

With that said, I previously offered to meet with Senators, Representatives, Committees, and federal agencies, publicly or privately, to answer any questions regarding my company or me. The offer still stands.

If those of us using Kaspersky were to ditch it, and wanted to replace it with something comparable, we’d probably go with Bitdefender, which (as mentioned) is the other company that scores the best in independent testing for antivirus effectiveness. Again, as mentioned, Bitdefender is Romanian. So we’d still be in a relationship with a foreign company and our computers would still potentially be transmitting data to servers outside of the United States, including servers based in eastern Europe.

One final point: Kaspersky’s software may be proprietary (closed source), but so are the operating systems distributed by Microsoft and Apple — which most people use for their desktop computing. Microsoft happens to be one of Kaspersky’s partners; they make use of the Kaspersky Antivirus SDK.

Seattle-based Amazon is also a Kaspersky partner.

When any of us uses proprietary software, we’re making a decision to trust the company we’re getting it from, because the source code cannot be audited by anybody in the same way that free software can be.

At this juncture, I have no reason to believe Kaspersky’s software is risky, malicious, or a threat to national security. I will therefore continue to use it to protect the proprietary systems that I run.

I actually prefer to do the majority of my computing with free software, notably the GNU toolchain, Linux kernel, KDE applications, and WordPress, all of which are distributed under licenses that allow anyone to see the source code, distribute it, and modify it.

Written by Andrew