Patrick Howell O’Neill and Chris Bing recently dropped a very interesting report on yet another possible action against Kaspersky by the US government. In this specific case, the possible sanctions are oriented around larger actions against Russia, home of Kaspersky, but they stand as yet another public blow to the security company by US authorities.

In many respects, this latest action is almost irrelevant as elements of the US government have strongly advised the private sector for quite some time to drop ties to the firm. Such actions and questions go back several years (based on my own recollections while working in government), and did not just magically appear following accusations of ‘election hacking’. As a result, the US government has taken an aggressive stance against a nominally private, independent company for a significant amount of time, alleging that the company’s foundations and domicile make it uniquely positioned to further the interests of an unfriendly foreign government.

Before proceeding further, let’s take a step back to consider a crucial aspect of the current information security ecosystem. While various public bodies exist to provide information security support to network owners – the vast majority of whom, even in the ‘critical infrastructure’ category, are private businesses – most expertise and trust in this realm resides in private companies. For example (from a US perspective): Mandiant is called upon for incident response, Crowdstrike provides threat intelligence, Carbon Black furnishes endpoint detection, Secureworks provides remediation services, etc. While organizations such as US-CERT, DHS, and NCCIC (again from a US perspective) exist, no one aside from those most strapped for resources seems to really trust these entities unless compelled to do so. As a result, a significant amount of technical ability and responsibility for defending critical information infrastructure falls upon private security companies.

Those most aligned with Ayn Rand and similar libertarian/objectivist types might find little wrong with this picture, but from the perspective of what has defined a ‘state’ since the 17th century, this set of circumstances seems somewhat odd. To paraphrase Max Weber, the ‘state’ is that entity which has a monopoly on legitimate (i.e., sanctioned) violence. Such power includes not only the capability to inflict pain on others, but to compel others to obey and follow an otherwise arbitrary-seeming set of rules. Moving back to the realm of information security, presumably the state would be the entity responsible for establishing and – most significantly – enforcing norms of behavior through an overwhelming control of ‘legitimate violence’ in this realm – yet this is far from the case.

Modern information environments instead are diffuse and spread across multiple domiciles. For example, Amazon may be a US company, but its AWS hosting services are spread throughout the globe and notionally subject to various types of regulation, yet ultimately the service (aside from some universally established norms, such as against child pornography) operates as it sees fit, with its own security and responsibility to maintain this (now) critical service.

The ‘so what’ from the above is that critical, presumably national resources are now dependent upon private sector entities to ensure their continued operation, integrity, and security. AWS is somewhat of an outlier as its parent organization is sufficiently large (and well-resourced) to take most security concerns ‘in house’ – but the ‘long tail’ of critical institutions in a modern world, from electricity providers to payment reconciliation services, likely outsource such responsibility to third parties. From the perspective of the 21st century nation state, investing this power in a potentially hostile – or just external – party seems a risk that decision-makers a hundred years ago (or even thirty years ago) would find baffling and unacceptable.

Kaspersky represents a rather easy and simplistic punching bag at present: a company based in an adversary nation to ‘the West’ whose founder is allegedly linked to that country’s intelligence services. In many respects, banning Kaspersky seems a rather easy decision – at least from a public (i.e., government) procurement perspective. Based on current circumstances, one would likely expect no less when considering firms similarly situated, such as Qihoo 360. But given private-sector dependencies on non-public security solutions to safeguard potentially critical infrastructure, what of potential ‘edge cases’? And where does this vision of national alignment for private companies protecting nominally private interests stop?

For example, I currently work in industrial control system (ICS) security. The firm I work for, Dragos, is based in the US and employs US citizens and residents. Examining the competition for ICS-specific security solutions, all other pure ICS security firms are based outside the US – they may have US offices, but most employees and resources reside in other countries. Some of these are in relatively uncontroversial countries, such as Switzerland. However, a large proportion of players in this field are based in Israel, many of which have various links (based on employee history) with Israel’s military signals intelligence organization, Unit 8200. All of this may fall into a broader ‘Western’ conception of alignment (e.g., “Hell, at least it’s not the Chinese” or similarly unhelpful statements), but it is nonetheless foreign in origin.

Taking the Kaspersky situation as precedent, and accepting this precedent as occupying a likely extreme on a continuum of responses, what should one make of other players in the security field? From the US perspective, Israeli intelligence is hardly a ‘friendly’ service (albeit allies of convenience in many circumstances – see Jonathan Pollard and the USS Liberty for examples to the contrary). If many companies operating in the ICS-specific security field happen to have ties of various sorts to a foreign intelligence service, does that serve as sufficient means to begin strongly suggesting (as in the case of Kaspersky) that organizations shun their offerings in favor of something closer to home? Does a shell office in one country mitigate all technical personnel residing in a potentially hostile country?

While current self-interest would make this set of circumstances advantageous, overall I think increasing cyber nationalism would be a horrible situation for the security field. So long as vital information security tasks and capabilities are outsourced to private sector entities, various companies will be involved. Our fortunately global perspective means that various organizations can (and should) compete for such tasks. But aside from obvious and clear conflicts – e.g., a state-owned or -influenced company of a hostile country – letting asset owners and operators decide on what’s best for their organization seems the best and most defensible approach to determining commercial defensive solutions.

HOWEVER – the above statement comes with an important corollary. Very frequently in the information security field, practitioners trumpet their experience with various ‘well-known’ government agencies: the NSA, GCHQ, Unit 8200, etc. This continued credential claim by association with known intelligence agencies does the argument for letting firms compete on their merits more harm than good. As an individual who previously worked in government, including the US military, I don’t hide this background – but at the same time, I don’t make this the forefront of my potential contributions to the security field. Rather, I built my experience in certain missions, and now – with no obligation or requirement to past institutions – I wish to apply that experience to new challenges. Too often, security companies seem to sell themselves on the mysterious agency their founders or employees worked for, undermining the idea that such organizations could reasonably be expected to adopt a ‘customer-first’ approach at the expense of their former masters. Expecting neutral, even-handed treatment would therefore seem to require a different relationship with past affiliations.

A final and vital addition to the above point concerns the behavior of security companies. While cooperating with various entities – including bodies such as public-sector CERTs and related institutions – is vital and necessary to the mission of network defense, providing ‘privileged’ or otherwise surreptitious access to data, metadata, or other information to such parties, especially intelligence agencies, flagrantly violates any sense of trust organizations can place in security companies. While I cannot name any specific circumstances in this space, I do know of organizations and instances where this has been violated – and as a result, companies and nation-states are justifiably concerned about the ultimate allegiance of vendors. While this is an especially hard case to refute and deny (i.e., how do you truly prove a negative statement?), enough anecdotal instances of such behavior exist to cast a pall over the industry.

To close this meandering post, we reside in a technical and legal landscape that seems unique for the modern world, in that entities critical for the survival of nation-states are highly dependent on private organizations for their continued operation. When looking at these private organizations, their roots stretch from the US through Slovakia (ESET), Japan (TrendMicro), and Russia (Kaspersky), among many others. Furthermore, many of these organizations maintain multiple international offices and hire international talent, making relationships and conceptions of ‘home’ even murkier. In many ways, this set of circumstances – given the requirements of the network defense mission – is advantageous, as it ensures that talent is identified and brought to bear on security problems. While certain restrictions seem not only obvious but necessary (e.g., the US government probably shouldn’t use Kaspersky, and Russian government resources should probably shun Symantec), in other cases decisions are less clear-cut. This may be an unsatisfactory answer, but I feel the best response for individual organizations would be to weigh their decisions in light of perceptions and responses by their stakeholders: for example, a US electric utility should be able to articulate why it has sourced vital software from a vendor associated with a foreign government known to conduct various levels of espionage, and do so in a manner that is understandable and acceptable to its stakeholders. If this argument cannot be made, then procurement decisions should probably be re-evaluated, if only because of the ‘optics’ surrounding the decision.

Ultimately, this is a very confusing area and, based on my personal history of public service and conception of ‘public goods’, seems both surprising and sub-optimal to be left completely to private sector entities to resolve. A ‘regulate all the things’ approach certainly has its own failings, but when vital strategic interests come into play, letting matters work themselves out in the private sector seems a poor choice. But at the same time, public sector actions in this space seem both heavy-handed and technically inferior to the talent and capability residing in private organizations. Sanctioning a company such as Kaspersky might make sense for narrow strategic interests, but in the very act of doing so a new norm is created where others could presumably apply similar restrictions (or bans) to private companies based on where the majority of that organization’s employees reside. The end result of this process would appear to be continued balkanization of the security space as different ‘blocs’ are left to work only with vendors aligning to their geographic footprint – a situation which seems less than ideal to truly tackling the problems of security overall. Yet I fear this is the direction we are heading. It will be interesting to see how this plays out.

Closing note: Underlying this post is a belief that there is an enduring, non-parochial community of information security researchers, responders, and other personnel dedicated to defending networks irrespective of location or purpose. This idealistic stance is at odds with many realities in this space, but in the end I strongly feel that we really are “all in this together”, and humanity as a whole benefits when talented individuals dedicate themselves to ensuring the security, integrity, and viability of information networks wherever they happen to be located.
