On Wednesday, the Department of Homeland Security (DHS) issued a binding directive compelling all federal civilian departments and agencies to identify any products from Moscow-based Kaspersky Lab on their computer systems, develop a plan to end their use, and remove them. “The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” read the statement issued by DHS. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
Kaspersky has some 400 million users worldwide, half of whom might not even know they are running the company’s software, since it is embedded in everything from firewalls to telecommunications equipment. The U.S. and Western Europe make up some $374 million, or 60 percent, of the company’s $633 million in sales last year.
Fears have existed for years that the software could provide a backdoor for Russian intelligence to monitor users within the U.S. federal government, or that the Russian government could compel Kaspersky to provide access to data stored on servers within, or transiting through, Russian sovereign territory – which is likely most, if not all, of Kaspersky’s data, due to Russian data localization laws.
The Russian cyber company has offered to provide its source code for the U.S. government to inspect, but there have been no reports that the U.S. has taken Kaspersky up on the offer. And, in reviewing the code, the U.S. could potentially set a problematic precedent by which foreign governments may claim the right to similarly inspect U.S. technology companies’ software.
The U.S. has walked a fine line in this area. The U.S. intelligence community has access to U.S. tech company data under FISA 702 authorities, according to documents released by former NSA contractor Edward Snowden. If foreign governments, particularly tech competitors, such as China, Russia, and India, are able to investigate U.S. companies’ source code, it could lead to bans, intellectual property theft, or even facilitate backdoor implants for their governments.
The Cipher Brief spoke with Rick Ledgett, the former Deputy Director of the NSA, Steven Hall and John Sipher, both former members of the CIA’s Senior Intelligence Service, and Rhea Siers, the former NSA Deputy Associate Director for Policy, about their thoughts on the DHS decision to phase out all Kaspersky products on federal networks.
TCB: The Department of Homeland Security has suggested that Kaspersky officials have ties to Russian intelligence. What could these ties entail and how would it enable Russian intelligence collection on federal computer networks?
Rick Ledgett: Antivirus (A/V) programs – the primary product of Kaspersky – are essentially software tools that reside on your computer and have access to all files and programs on that computer. The A/V software scans for signatures of malicious software, known as malware, and removes or neutralizes it, and sends a report of what it has done back to the A/V company, in this case, Kaspersky. It can also send samples of interesting/unusual malware back to the company. So it's easy to see how that could be turned into something nefarious.
Instead of scanning for malware, it could scan for documents that say "proprietary" or "confidential" or "secret" or any other term of interest, and send them back to the company. Another way the A/V could be used is to implant nefarious software into computers. Because A/V programs need to be updated frequently with new signatures and criteria for scanning for malware, they have permission to "write" software to the customers' computers. Again, this could be used for nefarious purposes like implanting a computer with software that would exploit or even destroy it. Kaspersky's ties to the Russian government, as well as Russian regulations that apply to all Russian companies, could allow the Russian government to demand Kaspersky do just that.
Steve Hall: We have to be careful when we are asking what is a very normal question for Western democracies, which is, what is the tie between X,Y, or Z company – whether it is Facebook, whether it is Twitter or whether it is Kaspersky Lab – to a government, because we have a tendency to think in terms of what are the rules or regulations with regard to Western governments interacting with private corporations, especially ones that are in sensitive sectors, such as in IT and technology.
But we have to remember those distinctions do not exist in any way, shape or form in Russia. There is no rule of law in Russia. There is this sense of regulations, but at the end of the day, it is Russian President Vladimir Putin, and it is the Russian government – specifically the security and intelligence services of Russia – that make the call. This applies to any entity, to include Eugene Kaspersky’s company, if any part of it is in Russia – financially or physically. If Eugene Kaspersky has family members or his own personal funds and bank accounts in Russia, then all of those things are held hostage by Vladimir Putin and the security services.
So a call can be made to Kaspersky – “hey, we need you to do this, we know you sold software to the Americans and so now we need you to make that software useful.” Even if Kaspersky didn’t want to do it for whatever reason, it doesn’t matter, because as guys like Mikhail Khodorkovsky, a now exiled Russian businessman, found out, if you go against Putin and you go against the government, things can go very badly for you, no matter how rich you are, no matter how big your company is.
So whether or not there are any actual provable ties between Kaspersky and the Russian government is almost irrelevant. The most important part is that Kaspersky is under the complete influence of Vladimir Putin.
John Sipher: The use of Kaspersky products potentially enables Russian access into federal systems. Software can have sophisticated and subtle flaws and weaknesses that can be used by a hostile actor. Even if the products purchased by federal users are secure at first, periodic upgrades can introduce backdoors and other problems.
Rhea Siers: There’s been a lot of speculation and reporting on this – including allegations that Kaspersky not only provides the FSB, Russia’s primary security service, with intelligence on the locations of hackers, but also assisted Russian police in the investigations and maybe even participated in actual raids.
Bottom line: if you have suspicions of current Kaspersky ties with the FSB – though these have not been publicly disclosed – why would you want them sitting in your networks? Critics of the DHS action won’t be satisfied until they see some direct evidence – the question is whether the U.S. government is willing to share any existing evidence publicly. It’s the repeat of a scenario we’ve seen a lot of in cyber attribution situations – the U.S. government doesn’t want to endanger sources and methods but the cyber industry wants proof.
TCB: Kaspersky has long been considered close to the Kremlin, but continued to be an approved vendor for the U.S. government. What has changed – why now?
Ledgett: I don't believe this is a political move, but more the culmination of a lot of great work by people in the intelligence community and cybersecurity community. There has been an accrual of information, some of it very sensitive, that led the U.S. government to be more definitive than before about the threat posed by Kaspersky.
Hall: That is an excellent question and I don’t think that anything has changed except for perhaps that the U.S. government, and perhaps U.S. citizens in general, have a better feel for what the Russians are really capable of on the cyber front. Again, this is a problem that oftentimes Western countries, to include the United States, have. We go into this and Kaspersky tells us “no, no, no, no. We have no connections with any government.” Kaspersky has argued in the past that it has actually had a negative impact on Vladimir Putin and the Russian government – which I am skeptical about. Basically, we just looked at this guy as a businessman, who does some very good work because the Russians are very good at cyber things, and we said “well he is telling us he has no connection to the Russian government, then perhaps that’s true.” That is somewhat naïve on our part and I think it was a serious mistake.
Siers: Well, it was never an approved vendor for NSA, among others. At recent hearings, every single intelligence agency chief said no – they would never utilize Kaspersky products in their agency. The Trump Administration has indicated that they weighed the risk – one assumes that calculus could include recent Russian operations targeting the U.S. election, long known risks and exposures and the alleged expansion of Kaspersky’s products into the energy sector. And one assumes, of course, they had access to intelligence information that supports their conclusion.
TCB: How will the U.S. decision to ban a foreign tech company affect the competitiveness of U.S. tech companies abroad? Could this cause economic backlash or lead countries to seek protectionist policies against U.S. companies?
Ledgett: It's important to note that the Kaspersky ban is based on solid evidence. It won't be shared publicly because of the sources and methods involved, so that leaves room for Kaspersky and apologists to say there's no basis. That's not true. So that's different from a retaliatory policy or one based solely on associations; the U.S. doesn't operate that way. That said, there is certainly the possibility that U.S. tech companies could face retaliation in some countries.
Hall: That is certainly a perspective that is used in nightmarish tones by the Russians. It is something that the Russians very much want us to believe. Again, this is something that the Russians are excellent at – looking at the way the West does things, this sense of fair play that we have, and this sense of if you have a good or the best product then you ought to be the one to compete with others. Of course none of those things really exist inside of Russia, but Russia, specifically Putin, understands that that is how things work in the West. So they know the appeal to this sense of fair play, or the appeal to this sense that things could go very badly for American companies.
The bottom line is that if you look at the amount of sales of an American tech firm, say Cisco Systems, inside of Russia compared to how much the Russians need the U.S. market, it is incomparable. We ought not to allow ourselves to be bullied by some sense of things going badly for American companies. Let’s not forget that last year, the Russians authored a cyber attack on U.S. democracy. This is a Russian cyber company. This falls squarely under the category of: when you do something, there are consequences. This is one of these consequences.
With regard to the Chinese, I am also not particularly concerned because the Chinese are not going to link their wagon to the Russians. We are not going to have a Chinese-Russian bloc that is going to all of a sudden boycott U.S. technology, which is some of the leading stuff in the world. The Chinese aren’t going to do that to themselves.
Sipher: Yes. This is a potential problem. The U.S. government is going to have to provide some assessment to back up their decision.
Siers: Well, this has already happened – in fact, China has excluded Kaspersky and Symantec from its list of approved anti-virus vendors. The Obama Administration went to the World Trade Organization over Chinese banking regulations that excluded foreign technology companies, claiming discrimination against foreign firms. The danger of backlash exists and once again, one assumes this was part of the difficult calculus underlying this decision.