Following a U.S. government-wide ban last month and recent news reports alleging that Kaspersky Lab enabled Russian intelligence to swipe highly classified NSA material from an employee’s private computer, questions have begun to swirl regarding the Moscow-based company’s relationship with the Kremlin. The Cipher Brief’s Levi Maxey spoke with Chris Inglis, the former Deputy Director of the NSA, about how Russian hackers could have utilized Kaspersky and why distrust in the company is merely one part of a much larger discussion on the cyber espionage threat emanating from an authoritarian Russia.
The Cipher Brief: What are some of the possible ways that Russian intelligence could have been alerted to Kaspersky identifying classified material on an NSA contractor’s computer?
Chris Inglis: First, we can’t use a Western mindset, or for that matter, a rule of law mindset. It may well have been that it happened at the bottom of the company or outside of the company, as opposed to someone who is a company official, with their general counsel present, making a strategic choice to find and provide this information for the benefit of the Russian government. So, if in fact this was something that was discovered, and a follow-up occurred using means provided by Kaspersky, it could well be that that happened down in the bowels of the organization.
By the same token, you have to be somewhat realistic about what it means to be in the Russian nation-state. It tends to be that the priority given there is for state purposes as opposed to individual or corporate purposes. Given the way surveillance works in Russia – as opposed to the U.S. – that is enough to make it so. Those are two possibilities, but there is probably an infinite number of others in between.
TCB: So essentially it doesn’t matter if they were able to monitor the internet traffic or hack Kaspersky’s software or recruit an insider, the Kremlin could have simply demanded it based on the political environment in Russia?
Inglis: They could have. Now, the idea that Kaspersky would use that trusted position that they and a few other security companies occupy to conduct routine surveillance across a broad swath of end-users is hard to imagine. First, that is egregious. And second, it is hard to do – it is a pretty comprehensive set of activities to be mindful of. I suspect, without knowing, that it is not likely.
But let’s say this thing was found because something interesting triggered – anomaly detection is what the software is designed to do – and when it goes back for further examination is when they discover the opportunity to use that for more than serving the customer’s needs. It might well be that it was an opportunistic thing and not as a matter of Kaspersky’s broader policy – or anybody’s policy – to serve the Russian government’s surveillance interests.
TCB: It is interesting that you don’t think that Russian intelligence would use Kaspersky for just general cyber espionage, but only for major cases of anomaly detection reported to them. Would it not be practical to target anti-virus companies to piggyback off their access to so many customers?
Inglis: Sure it would. But Kaspersky is pretty good – that company has some really good expertise. I would have to assume that if they are good at defending other people’s enterprises, they are just as good at defending their own enterprise. If they are not, that would be a bit of a surprise and a disappointment. So having said that, I give low probability that somebody on an enduring basis hacked Kaspersky and is using them to essentially prosecute an engine for surveillance.
That leaves the possibility then that Kaspersky does surveillance on behalf of the Russian government on an enduring basis. That’s not impossible, however it is also hard to imagine. As Benjamin Franklin said, one person can keep a secret, two people almost never do. So it is just hard to imagine that would be something that they would perpetrate or get away with.
So that leaves me with the third possibility that if, in fact, the Wall Street Journal has got this right, this was an opportunity for the Russian government and a pleasant surprise that fell into their lap, and they exercised it. But it is not, as a matter of course, something they do at every workstation across various users that use Kaspersky software.
TCB: What is the role of geopolitics in determining whether to include certain software in computer systems – not only for the U.S. government, but also U.S. companies and even private citizens?
Inglis: Nation-states collaborate, compete, and conflict routinely, so those geopolitics aren’t as interesting to me as the political system within a country of interest. If you are dealing with a company that is hosted in Europe where the rule of law is quite strong, you should have less concern that there is going to be an illicit relationship between a private tech company and the government.
But if you are dealing with a company that is in Russia, then you should be very concerned. And that has less to do with the geopolitics of the moment than the enduring principles of the state and how rule of law is exercised. In Russia, the purpose of power is to employ it, whereas in the West, the purpose of power is to protect the citizens who gave it to you in the first place.
TCB: So essentially, if the whole idea is that Kaspersky doesn’t necessarily need to have malicious intent to be suspect, is it rather a distrust of the Russian political system?
Inglis: It is more about the government of Russia than it is about an element that happens to reside in Russia – Kaspersky. And a key question for consumers of their software is whether Kaspersky is from Russia or is of Russia. Hypothetically, if they caught Kaspersky in a strategic play, the question is: is this an insider gone rogue who has used that privilege – for whatever reason – to either meet a mandate from the government or make a little money on the side?
Customers are probably worried then about the true nature of Kaspersky and how they would defend international principles as opposed to Russian prerogatives. And Kaspersky has to be worried about whether they have an insider problem under those two scenarios.
TCB: Kaspersky has published extensive reports on Russian cyber espionage campaigns. Given the alleged relationship with Russian intelligence, is this something that they had to be given the okay for?
Inglis: If you want to go the conspiracy route, which I don’t necessarily subscribe to, you might say that what’s good for one is good for the other. So those two do not necessarily contradict each other.
TCB: Is there any way that Kaspersky can regain the trust of the U.S. government?
Inglis: Kaspersky has two challenges at this point. They are based in Russia and probably will be for some time. If they move, they are essentially moving away from the intellectual capital that they found in Russia. But two, there is a smoking gun. Whether the bullet came from that gun or not, we don’t know. The U.S. government has made the case that they have got a smoking gun and that is a hard thing to escape.
And, you can’t escape it by saying “you can look at my code.” This isn’t about the code, it’s about what the humans are doing. They do have privileged access to all these systems on a global basis. The question is to what end do they use that privileged access? You can’t do code walks, you can’t say “come visit my headquarters,” you can’t make emphatic assertions at the microphone to get past that. It is something deeper that underpins the distrust, and that is hard to build back.
Let’s take the narrowly framed hypothetical that it is an insider. Let’s say Kaspersky catches that insider and there is something equivalent to a public execution, and they say, “see, we have dealt with the problem.” That might go a step in the right direction of building back the public’s confidence, but in a world of choices where you don’t have to use Kaspersky’s software, it is still going to be a hard sell.