Published by The Lawfare Institute
in Cooperation With
Kaspersky Lab has been under intense fire recently for allegedly using, or allowing Russian government agents to use, its signature anti-virus software to retrieve supposed National Security Agency tools from the home computer of an NSA employee. This follows activities from the U.S. government including Sen. Jeanne Shaheen's proposed legislation to ban Kaspersky products from use by the government and a binding operational directive from the Department of Homeland Security that does the same. It's safe to say that Kaspersky's reputation has been negatively affected, and CEO Eugene Kaspersky has been strident in his declarations of innocence. He has also proposed some transparency initiatives designed to increase consumer confidence in Kaspersky products; chief among them is a plan to have a cross section of security experts—private sector and government—review source code and look for vulnerabilities or back doors.
On the face of it this sounds like a good move, but in reality it doesn't address the alleged activity. To understand why, it's important to know a little about how anti-virus software works. When you download any anti-virus software and click on the very long end-user license agreement, somewhere in there you agree to give that software access to all the files on your computer and all the files that will be sent to and from your computer. This is necessary for the anti-virus software to scan those files for code, or malware, being used by criminal or other hackers and to protect you against them. You also agree to allow the anti-virus vendor to update the software on your computer, which is required to keep up with the latest malware. And finally, you agree to let the anti-virus software transmit files of interest back to the anti-virus vendor, so they can analyze new malware and improve their ability to recognize it and protect you and other users. This all makes perfect sense for legitimate anti-virus companies, but it's also a potential gold mine if misused. Instead of looking for signatures of malware, the software can be instructed to look for things like "secret" or "confidential" or "proprietary"—literally anything the vendor desires. Any files of interest can be pulled back to headquarters under the pretext of analyzing potential malware.
So that is what Kaspersky has been accused of doing: using (or allowing to be used) its legitimate, privileged access to a customer's computer to identify and retrieve files that were not malware. Eugene Kaspersky's proposal to have experts analyze Kaspersky anti-virus code is irrelevant in this case, because the code is doing exactly what it has been designed to do, but in a way that is inconsistent with what customers expect and are paying for. It's not the code itself, it's the use of the code. The experts will find that the code does exactly what it's supposed to do, and he knows that.
If Eugene Kaspersky really wanted to assuage the fears of customers and potential customers, he would instead have all communications between the company's servers and the 400 million or so installations on client machines go through an independent monitoring center. That way evaluators could see what commands and software updates were going from Kaspersky headquarters to those clients and what was being sent back in response. Of course, the evaluators would need to sign non-disclosure agreements to protect Kaspersky's intellectual property, but they would be expected to reveal any actual misuse of the software. It's a bold idea, but it's the only way anyone can be sure of what the company is actually doing, and the only real way to regain trust in the marketplace. Let's see if he does it.