Rather significant news broke on 13 June with the EU taking initial steps toward a potential ban on Kaspersky software on EU-controlled networks. The specific language used, as translated by The Register:
- Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab
On its face, this only recommends a REVIEW of software, except near the end, where it explicitly calls for a ban on those “confirmed as malicious” – which now seems to include Kaspersky. I’ve weighed in on this topic a few times, adopting a questioning outlook for how US actions against Kaspersky have been framed and advertised (even if I think the US government is firmly within its rights to determine what software can and cannot run on its systems). Essentially, the “confirmed as malicious” part sticks out with such public messaging for a popular product across enterprise and consumer environments in the absence of concrete evidence.
While there may be very legitimate and accurate reasons for the US, the UK, the Netherlands, and now the EU (again, EU institutions only, not member states) to bar Kaspersky software from their networks, the way this has been communicated and justified is just strange – and potentially harmful to everyone in the information security space. The ever-resounding call to “we have reasons, but they’re classified” only goes so far when dealing with actions that impact a multinational company, and when government actions still leave consumers and businesses at potential risk.
To digress momentarily, many will offer “sources and methods” as the reason why a definitive justification for this labeling has not been provided to the public. Yet, given how publicly this entire matter has played out, presumably Kaspersky and the FSB/SVR/GRU/whoever is believed to be in operations with them have figured out roughly where such information could come from. The very act of decreeing Kaspersky (and Kaspersky alone – I do not see similar actions against Chinese or former Israeli Unit 8200-backed organizations) as “confirmed malicious” would seem to have already burned these sources to the ground.
Moving back to the main argument, there may be a litany of legitimate, pressing reasons to ban this software – especially from sensitive networks – but the messaging is unclear. The result is a status quo where one could plausibly argue that software bans can be and are justified simply by not liking a company or the country where the company is domiciled. The implications of this are potentially startling – so the rest of Asia blacklists Qihoo360, China shuns TrendMicro, Czechia avoids ESET, etc. etc. Given the paucity of publicly-available evidence for the Kaspersky actions, such decisions – curious and in some cases stupid as they would seem – are no less justified than what we are faced with. Essentially, an indiscriminate, evidence-free discrimination on national origin grounds appears to have been introduced into the security product market.
But before considering matters solely in light of Kaspersky, there was another, similar (in my mind) item that did not seem to attract much attention. Specifically, a matter initially reported by CyberScoop, quoting Kevin Mandia, CEO of FireEye:
Mandia, for example, told CyberScoop that before publishing a public threat intelligence report, FireEye will typically tip off intelligence officials from the Five Eyes alliance about the release. If FireEye detects malware on a customer’s system that researchers think is from the U.S. or an allied country, it will remove it. But Mandia said such malware ought to be stealthier.
While the above action certainly does not reach the status of actively aiding and abetting nation-state attacks against paying customers, it does seem to represent actions in bad faith. Taken strictly as stated above, this might indicate simply giving a “heads up” to certain intelligence agencies before publishing, but the Twitter post related to the same is a bit more ambiguous:
This statement goes beyond indications of simple notification, to potentially sharing how/why/where items were caught. From the perspective of a malicious actor, such information would be exceedingly valuable to clean up command and control (C2), destroy implants, refine malware to evade detection, and take other action prior to public notification. All in all, this would appear to be really snarky – and while potentially patriotic (if you happen to be a US/UK/CA/AU/NZ citizen), acting in bad faith for private-sector clients. For example, I’m guessing Belgacom and members of the SWIFT financial transactions system might feel slightly miffed – if they are FireEye customers – that a security provider placed certain, narrowly-defined national interests above theirs.
And yet – the above statements resulted in little or no action, criticism, or concern. There is one line of thought – which is somewhat justified – that FVEY intrusions generally do not result in wanton destruction, theft, or damage. Yet at the same time, such activities yielded capabilities rapidly turned to malicious use: from STUXNET code reuse through WannaCry deploying an (alleged) NSA-developed exploit. Ultimately, such behavior is malware, is designed to circumvent or otherwise compromise the legitimate operation of a system, and steal information designed to be kept secret.
Starting with the initial assessment that a private security company with global reach – Kaspersky – is beholden to a government (Russia), we’ve now moved to another private security company with equal if not greater reach – FireEye – potentially coordinating operations with government (US and murkily-described “allied”) operations. In many respects, the two seem somewhat equivalent, yet the former has garnered significant attention (and very significant action), while the latter seems to have been ignored.
Before going further, I have great respect for the researchers and employees of both Kaspersky and FireEye – there are incredibly smart and talented people at both organizations that have devoted themselves to designing and deploying detections and defenses against myriad malware and malicious activity. But what concerns me is that, for all the efforts of the people “on the ground”, their dedication to the cause is potentially undermined by statements and commitments from above.
While public evidence is unfortunately overall lacking, the mere possibility of private security company collaboration with national governments is alarming. From the perspective of consumers and businesses, these entities cannot assume that their best interests align with those of government agencies charged with gathering intelligence (or potentially delivering disruptive effects) – so the mere possibility of a private security company that would be entrusted with the organization’s well-being responding to another, contrary tasking is alarming.
Before proceeding further, I would like to make a disclosure. After serving in the US military, I worked for Los Alamos National Laboratory (LANL) under the US Department of Energy (DOE). Since leaving DOE, I maintain a presence within LANL as a “guest scientist” and assist with matters such as cybersecurity training, information sharing, and electric grid defense. While this indicates a close and continuing relationship with a government entity, by design and by my express wishes, such activity only extends to community involvement (such as the CyberFire program) and defense of critical infrastructure benefiting all. From the standpoint of malware – irrespective of source – I have stated and stick by my publicly-advertised position that no one belongs in the electric grid or similar critical infrastructure.
That out of the way, I think there’s a general issue in the network defense, private information security industry. So much of the talent, ideas, and leadership emerges not from universities or commercial institutions but from government entities, and not merely any government entities but those involved in military and intelligence operations. Thus the stories of NSA, Unit 8200, and even KGB pipelines to information security startups, companies, and general talent pools. In essence, there’s something strange and almost off-putting about individuals with strong (and perhaps continuing) ties to national intelligence agencies pivoting to providing security services to private organizations – where do loyalties lie? Can a former Unit 8200 operative, working for a government-seeded startup, act against that same government’s best interests when the client’s needs demand it?
I don’t have good answers to these hypothetical questions, and they likely come down to individual choices and values. From my own perspective, I am pure “white hat”, defend all the things – from US electric grid operations to Iranian wastewater treatment plants – if I’m entrusted with such duty. Others may not think so – or more concerningly, alluding to the point made above, the individuals “on the ground” may have no say in what is handed to them based on the decision-making of those far above them with far closer and more binding ties to national decision-making authorities.
From the perspective of a private company, what is one to do? One could argue, “Go with vendors from your own country” as a safe bet, but this seems poor guidance when the largest private entities have operations spanning the globe and definite interests in at least stability in places looked down upon by their domicile governments. In cases where major, multinational security companies – such as Kaspersky or FireEye – may not have the contracted organization’s best interests at heart, where does one turn? Would a Symantec or an ESET or an Avast be any better or more trustworthy if you need to worry about where a company, entrusted with significant responsibility and potential access to private data, truly places its loyalty?
I have meandered long enough to close by telling you: I don’t have an answer. But the combined items above – one very newsworthy, the other surprisingly less so – lead to a set of circumstances that I think are very dangerous for the security community. Considering that, for better or for worse, the most talent and capability in the defense space rests in private companies, and that private organizations (especially multinationals) will be dependent on such entities for their own security, injecting raw nationalist, political objectives (from Russian interference to FVEY coordination) into security operations is incredibly damaging. How do we, as a field and community, establish and retain credibility and trust? Should security practitioners abide by something like the Hippocratic Oath or some sense of fiduciary duty towards clients to ensure their interests are taken as primary and all others come after? Overall, this is a tough problem and many people – from company CEOs to political operatives – are only making it harder.