After reports that highly classified intelligence material was taken from an NSA contractor’s private computer through the individual’s use of Kaspersky Lab’s antivirus software, all eyes turned to the Moscow-based company’s relationship with Russian intelligence and the Kremlin. As private companies using the antivirus software scramble to assess their exposure, The Cipher Brief caught up with former GCHQ Director Robert Hannigan after he attended the Cambridge Cyber Summit in Boston to ask how the UK views this threat and how business should think about protecting itself.
The Cipher Brief: What is the relationship between Russian companies and the Russian security services?
Robert Hannigan: There are two answers to this. Officially, Russian legislation gives the intelligence services very extensive powers to compel Russian companies to cooperate and, thanks to Russian data localization laws, this covers a very wide range of companies and data. Given the nature of the Russian state, and the absence of an independent judiciary, no company is going to contest such a request. But focusing on the legislation really misses the point.
It's simply inconceivable that a Russian company would say 'no' to an approach by the FSB: it would be reckless to refuse. So, this is not so much about cyber but about authoritarian state control and corruption.
TCB: Why has it taken so long for the U.S. government to wake up to the threat of Kaspersky? Did you face a similar struggle in Britain?
Hannigan: I'm not sure it has taken so long in the United States. The intelligence picture has built up over time and we have learned more on both sides of the Atlantic, the more we look. I guess we weren't looking so hard in the years when Russian cyber aggression was not so blatant. I think the timing of the U.S. Department of Homeland Security (DHS) decision was driven by a buildup of solid evidence. The U.S. administration obviously took the view that, just because it's not possible to expose this evidence in public, doesn't mean they can hold back from warning people. I agree with that. If anything, we in Europe have been slower and I think the implications of the DHS move are only just beginning to sink in.
Now that the U.S. administration has gone public, I think businesses in Europe will be asking their governments for urgent advice.
TCB: How has the UK sought to mitigate the threat posed by Russian-based companies like Kaspersky? Is it similarly banned from UK government networks? Do UK companies rely on Kaspersky software to the extent U.S. companies do and is this likely to change?
Hannigan: The security agencies on both sides of the Atlantic have never used Kaspersky products on their networks. UK government networks have not used Kaspersky to my knowledge, though there isn't a DHS-style directive in place. Given the recent experience of France, Germany and other European partners of Russian intelligence interference, I know those governments will be having similar conversations. On the back of the DHS directive, I imagine everyone will be thinking hard about products that have Kaspersky antivirus embedded and assessing the risk.
The private sector is another matter, especially the finance sector. They will be urgently asking questions, because Kaspersky is widely used across many sectors. It's a fairly good anti-virus product, attractively priced and well-marketed. The DHS directive doesn't necessarily dispute this; it simply points to the risk of “added value” from Russian intelligence.
TCB: What are possible ways that Russian intelligence may have been alerted to the NSA material in the contractor’s private computer (i.e. direct cooperation, an FSB insider in Kaspersky, or FSB picking up signals intelligence, etc.)?
Hannigan: I really can't comment on a U.S. investigation.
TCB: What could the economic fallout be for companies that rely on Kaspersky software? Is there a way to trace whether any of their data has been similarly exfiltrated through the access Kaspersky provides?
Hannigan: Any sensible company outside the U.S. will be looking at the DHS binding directive, and the reported decision of Best Buy to remove Kaspersky from its shelves. They will be assessing the risk of continuing to host or promote a product that the U.S. government has banned from its networks. Given the explicit terms of the DHS directive, expressing concern about “the ties between certain Kaspersky officials and Russian intelligence,” and setting out Russian government capabilities to use Kaspersky, with or without its knowledge, they will also be worrying about the liability they may have if they have exposed their customers to this risk.
On the ability of Western agencies to trace what might have been exfiltrated, you'll understand that I can't comment.
TCB: Is it common for intelligence agencies to piggyback off the access anti-virus software provides for espionage purposes?
Hannigan: Anti-virus software can offer a hostile state huge possibility. When you buy or sign up to an antivirus service, you are inviting that company into your device or your network and exposing your data to it. There is no other way for an anti-virus service to do the job. It has to scan your network for malware and report that back to the company, and it has to update regularly, which means it must have permission to write new software into your computer. It would be useless otherwise. So, you need to be very sure that you trust the product. That means trusting that it works, that it can do the job, but also trusting the jurisdiction from which it operates. What powers, formal or informal, does the state have to compel cooperation? Who oversees those agencies and what safeguards are there? Could you take it to a credible independent court if that trust is being abused?
TCB: Is there any way for Kaspersky to become a trusted vendor among Western governments, or will it be viewed with suspicion as long as it operates out of Russia?
Hannigan: The problem isn't really Kaspersky, it's the nature of the Russian state and how its agencies operate. They see the Russian private sector as an extension of their power. Unless that changes, which is unlikely, Russian companies with access to Western data and networks are going to struggle to be trusted.
Kaspersky is a household name and therefore this directive grabs attention. But this issue goes much wider and I think Western governments and companies are gradually waking up to it. There are a whole range of smaller Russian companies supplying services at the heart of the internet, with access to data and networks which the Russian intelligence services want. The great openness and complexity of the internet economy is a fantastic opportunity for them to build an intelligence machine, either by coercing the private sector or acting without its knowledge. Once they have gathered this intelligence and gained this access, they are not shy about using it for effect. The last few years show that the behavior of Russian agencies is usually worse than our fears.