Show the proof, or cut it out with the Kaspersky Lab Russia rumors

By nature of the job, security professionals tend to be skeptical and overly suspicious, but the good ones are also good at weighing the evidence before making their decisions. Which is why it’s so perplexing that rumors about Moscow-based security company Kaspersky Lab being in bed with the Russian government keeps swirling, absent any proof. 

Report after report over the past few months show various figures in the U.S. government concerned about ties between Kaspersky Lab executives and the Russian government. The chiefs of five U.S. intelligence agencies (including the National Security Agency [NSA] and Central Intelligence Agency [CIA]) and the acting director of the Federal Bureau of Investigation (FBI) said they don’t recommend using Kaspersky Lab software during a Senate intelligence committee meeting in the spring.

This summer, the company was removed from the list of approved vendors for the federal bureaucracy. The Senate is considering banning Kaspersky Lab products from the Pentagon in its draft of the National Defense Authorization Act, and the clause is expected to make it into the final version of the bill. The latest voice to join the chorus: Rob Joyce, the current White House cybersecurity coordinator, who this week said he doesn’t use Kaspersky Lab software and that consumers should avoid using the antivirus.

While the barrage of negative headlines is bad news for the company, these reports are even more damaging for enterprises around the world trying to determine whether they should rely on Kaspersky Lab products to protect their systems. And—this is key—enterprises are being forced to make this decision without any shred evidence indicating why they should be suspicious.

Let’s repeat that: the U.S. government has yet to disclose why it is concerned there may be hidden backdoors in Kaspersky Lab products, that Russian intelligence agencies may be able to use Kaspersky Lab’s antivirus software to collect valuable information on users around the world, or that company’s executives may be vulnerable to Russian government influence.

What does the government know, and why isn’t it sharing it? It can’t be because the government doesn’t disclose its cyber discoveries. Just this week, the Department of Homeland Security (DHS), in conjunction with the FBI, published IP addresses and descriptions of malware used by the “cyber actors of the North Korean government” to launch distributed denial-of-service attacks around the world. Earlier this year, the DHS released evidence compiled by intelligence agencies pointing to Russian malicious cyberactivity, codenamed Grizzly Steppe. But the government’s case against Kaspersky Lab appears to be limited to a persistent and insidious whisper campaign.

Vincent Stewart, director of the Defense Intelligence Agency (DIA), said during the Senate intelligence committee hearing in the spring the DIA was “tracking Kaspersky and their software.” At the same hearing, Michael Rogers, director of the NSA said he was “personally involved” in probing Kaspersky Lab’s code at his agency. So what did these agencies find? Nothing, as far as we know.

Kaspersky Lab CEO and founder Eugene Kaspersky have repeatedly denied that his company had any inappropriate relationships with the Russian government. “[A]s a private company, Kaspersky Lab and I have no ties to any government, and we have never helped, nor will help, any government in the world with their cyber-espionage efforts (cyber-espionage is what we’re fighting!),” Kaspersky wrote on his blog earlier this summer. He has also volunteered to hand over the source code for the U.S. government to audit, but it doesn’t appear the U.S. government has taken him up on that offer.

Practical politics, bad infosec

If the government has any evidence—or even compelling reasons for being suspicious—it should be sharing that, because many companies and consumers rely on Kaspersky Lab products. The fact that the government hasn’t done so makes it likely this is all just geo politics: Distrust the Russian government, distrust all Russians.

That attitude, that level of distrust, makes for good spies, but terrible security professionals. Buying technology—security technology, especially, relies on evaluating the technical merits of the product or service, considering the relevant business requirements, and deploying the technology that addresses those requirements. There is no room for rumors or innuendo, and that’s how it should be. The technology is solid, as independent testing laboratories around the world consistently award Kaspersky Lab high scores. Why wouldn’t you want the best tech protecting your users?

“Evidence” doesn’t hold up

Despite the fact that these rumors have been around for years, no one has yet to uncover any hint of a smoking gun. Bloomberg Businessweek recently claimed to have leaked emails proving Kaspersky Lab had closer ties to the Russian intelligence agency, FSB, than previously admitted. But all those emails showed was the company had designed a tool for service providers to use fighting distributed denial of service attacks, and that it would assist law enforcement in identifying attackers. 

Assuming that is the correct interpretation of the emails, it’s hard to see the problem. Building anti-DDoS technologies is exactly what good security companies do to protect users. Security companies—even U.S.-based ones– regularly work with law enforcement to track down cybercriminals. That’s pretty much how law enforcement and security researchers worked together to dismantle some of the world’s largest botnets over the past few years.

“Regardless of how the facts are misconstrued to fit in with a hypothetical, false theory, Kaspersky Lab, and its executives, do not have inappropriate ties with any government. The company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime,” Kaspersky (the man) wrote in response to the Bloomberg report.

“I would be very happy to testify in front of the Senate, to participate in the hearings and to answer any questions they would decide to ask me,” Kaspersky said in an Ask-Me-Anything on Reddit. “I think that due to political reasons, these gentlemen don’t have an option, and are deprived from the opportunity to use the best endpoint security on the market without any real reason or evidence of wrongdoing from our side.”

Another “proof” which keeps coming up is the fact that Eugene Kaspersky was trained by the KGB’s signals-intelligence division during the Cold War. As “past ties” with the government goes, this is weak, since Kaspersky was fulfilling his compulsory military service requirement, something every Russian male of that generation had to do. Israel has mandatory military service, but no one seems to be linking the current crop of Israeli security startups to the Mossad. (Actually, if people are making that accusation, I don’t want to know.)

Many Kaspersky Lab employees are former government employees. That doesn’t seem like a big deal, since every self-respecting security company in the world, even the ones in the United States, recruit employees with intelligence, law enforcement, and military backgrounds. Kevin Mandia, the CEO at FireEye, was a computer security officer in the U.S. Air Force. Gen. Keith Alexander was the director of the National Security Agency and the commander of the U.S. Cyber Command before retiring and setting up a private consulting firm. Shawn Henry, the president of CrowdStrike Services and CSO, is the former executive assistant director of the FBI.

The U.S. government would be outraged—and justifiably so—if other countries decided to ban contracts with U.S. firms employing former government officials, especially without any proof of wrongdoing.

What if this was a U.S. company?

“I think they should look at the decisions the government is making, and then make their own decisions,” said Joyce, the White House’s cybersecurity coordinator. Except that doesn’t make sense because intelligence communities have to consider political implications so their decisions will always be different from what everyone else should do.

There is enough FUD in the market without throwing in politics into decision-making. Organizations should focus on deploying the technology which best addresses their needs. Kaspersky has excellent technology and a top-notch team of security researchers who actively share their discoveries about the latest malware and cyberespionage campaigns, regardless of whether they were conducted by U.S. intelligence agencies or Russian ones. It doesn’t help enterprise security one whit to switch to a lesser-rated security product just because it was Made in the U.S.A.

Punishing Kaspersky Lab because of the hostilities between the U.S. and Russian governments is a big mistake as it puts U.S. security companies at risk for similar retaliatory actions by other countries. It was bad enough when the Snowden revelations caused many European companies to—understandably—be reluctant to use U.S. cloud services. But the U.S. government is potentially setting a bad precedent for other countries to follow if it continues this campaign against Kaspersky Lab.

Now here is a thought: Did any countries ban the use of RSA Security products in their government after a report alleged the company had a secret deal with the NSA to incorporate a weaker, flawed, algorithm into an encryption product? (It’s a tangent, but now I am curious.)

Security practitioners and CISOs around the world are wondering why the U.S. government—hello, NSA, FBI, DoD, U.S. Cyber Command, anyone?—dislikes Kaspersky Lab so much. Enterprise security is critical—reverting to schoolyard behavior and gossiping about the kid different from everyone else isn’t the way toward making good technology decisions.