Russian state-sponsored hackers were able to steal National Security Agency material on methods they use to conduct cyber espionage as well as how they help defend critical U.S. government networks, according to The Wall Street Journal. An NSA contractor placed the material on his or her private computer – a violation of security policy – which reportedly had anti-virus software belonging to Moscow-based Kaspersky Lab installed. The software appears to have detected the unsecured classified material and somehow alerted Russian intelligence to its presence, enabling the hackers to glean crucial information on U.S. cyber capabilities and defenses. Kaspersky Lab vehemently denies any involvement in the theft of the information.
The Cipher Brief’s Levi Maxey spoke with Michael Sulmeyer, the Director of the Belfer Center’s Cyber Security Project at Harvard University, about how anti-virus software creates a particular vulnerability for adversary nation-states to conduct cyber espionage and perhaps why geopolitics should guide some in the private sector to follow the U.S. government’s lead in removing Kaspersky’s software from their networks.
The Cipher Brief: Are the security fears involved in Kaspersky anti-virus software exclusive to Kaspersky or are the high-level computer privileges they require common among all antivirus programs?
Michael Sulmeyer: When we pay for and install anti-virus software, we grant it extraordinary access to our computers and networks. While we expect anti-virus to do what its name implies (protect us), to do so requires us to trust the software and its designers – what they do with the scans of our data can be for good, and sometimes for not-so-good.
The concern about Kaspersky specifically is that with this extraordinary access to so many millions of computers around the world, the Russian security services can see what Kaspersky sees. The result is that customers pay Kaspersky to facilitate the security services eavesdropping on their information.
TCB: Given what has happened, will the future use of a product be dependent on trust in the company and the governments the company answers to?
Sulmeyer: It’s a good wake-up call for everyone to recognize that when they install this kind of software, they’re granting that software’s developer some very privileged access to their life and their company.
Geopolitics matters here: we usually don’t think twice about installing anti-virus software from, say, Finland. Why? We don’t have grave concerns about how the government in Finland would use or abuse the data its companies might collect. So understanding the software you are installing, where it comes from, and what kinds of disclosure policies – formal and informal – its designers are subject to are always important questions to consider.
TCB: What are possible ways that Russian intelligence was alerted to Kaspersky discovering NSA material in a contractor’s private computer?
Sulmeyer: You see a bit of this coming out in the recent announcement about prohibiting Kaspersky Lab software on U.S. government systems – the concern is that the risk is too high that there is either formal or informal information sharing between Kaspersky Labs and the Russian security services. There’s even an aspect of Russian law that to some extent requires this kind of cooperation. And it’s hard to imagine a Russian company becoming as successful as Kaspersky Labs without some kind of “arrangement” with the Russian government. I suspect there will be more reporting in the weeks and months ahead about how the security services may have gained access to this specific information.
TCB: Does the NSA or CIA similarly target antivirus companies, including American ones, for espionage purposes?
Sulmeyer: The Apple-FBI incident in 2015 is telling – it can be quite challenging for the U.S. government to gain access to information that tech companies have when companies don’t want to provide it.
It’s also worth noting that the Chinese government demands access to source code and other sensitive data from companies that want to sell their products in China. Sometimes companies give in, sometimes they balk. It very much depends on economics and the leverage the country in question has.
TCB: What is the potential economic fallout for companies that have Kaspersky software on their networks? Will they be able to adequately remove it considering that Kaspersky tech often comes built into certain commercial products? What are the recommended next steps for such companies?
Sulmeyer: Cybersecurity is about risk reduction. The first step is to understand what data is most important to the company, and what risks the company is willing to take with that data. Some companies might be more risk tolerant, others less.
Just because a computer comes with software pre-installed does not mean it cannot be removed, although the lengths to which the customer has to go to do so may be more or less depending on how aggressive the pre-installation was.
Companies that do business, or want to do business, with the U.S. government especially will want to take a hard look at removing this software from their enterprise – there are plenty of good alternatives.
TCB: Will the Kaspersky ban on U.S. federal networks even protect against this kind of security breach considering that it was gleaned from a private computer? Is this more of an insider threat issue?
Sulmeyer: There are multiple stories within the big story. One is certainly an insider threat problem, which is related to the role that contractors play in our national security establishment. Generally, contractors do not conduct “inherently governmental functions.” We need to re-think the role of contractors as one part of the insider threat problem, given how much access contractors evidently have across the national security establishment to important data.
This should not diminish another part of the story – the impact of sensitive data falling into the wrong hands. If this information fell into the hands of an allied government, it would obviously be a very different story. So the Kaspersky-Russian security service nexus remains a crucial part of this.