In a weird case of Spy Vs Spy Vs Spy, Israeli intelligence officials have discovered that Russian intelligence agents have been searching for code names of American intelligence programs. Hacking into antivirus provider Kaspersky Lab’s systems, the Israeli officials found evidence that Russian agents have been looking for information related to American intelligence agencies.
The gist of it is that Kaspersky’s antivirus products are installed in 400 million systems around the world, and most of the company’s revenue – $374 million of $633 million a year – comes from the United States and Western Europe. Among these users are more than two dozen U.S. security and intelligence agencies, including their employees and contractors that use them at home. Just last week, the Wall Street Journal reported that an N.S.A. contractor had his home system hacked into (he uses Kaspersky antivirus, naturally), and had classified material stolen from the system.
Meanwhile, Kaspersky Lab issued a statement Tuesday afternoon that was essentially an echo of what it’s been claiming all along:
“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts.”
Kaspersky Lab also said it “respectfully requests any relevant, verifiable information that would enable the company to begin an investigation at the earliest opportunity.”
The real problem here is that any antivirus software must necessarily have access to all of a system’s files and resources. That’s the way it scans for, identifies and neutralizes threats to the system and its contents. The problem with that is that a professional hacker – Russian or not – who compromises that software can get past those same defenses and reach the data.
Whether or not Kaspersky Lab is, in any way, responsible for the incident is not the question here. The N.S.A. already knows that such a system can be compromised, because it has used this method for its own purposes in the past. One former N.S.A. operator and the co-founder of Area1Security, Blake Darché, says this:
“Antivirus is the ultimate backdoor. It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”
So, it’s not just Kaspersky that should be under the microscope here. The only reasons it is are that it’s one of the largest providers and that it’s Russian. Last month, the Department of Homeland Security issued a mandate to all federal executive branch agencies that Kaspersky products should be removed from their systems within 90 days. But is that going to solve the problem, or even completely mitigate the threat? Such an edict would imply that no antivirus software from any company is inherently reliable, and that’s the hard truth.
On the other hand, if you don’t use antivirus software on individual machines, those unprotected machines could help spread malware through whatever network they are connected to.
The issue here is that if Israeli officials could hack into Kaspersky’s system and stay undetected for a long time, which they did because Kaspersky’s researchers only found evidence of this much later, then it’s equally possible that a professional hacker with the right tools could compromise any antivirus software.
Even if the allegations that Kaspersky is somehow allowing the Kremlin to feed off its data are true, it still doesn’t answer the question: how safe are other antivirus products? The very nature of the product leaves the data open for attack. Again, if Israeli hackers can stay undetected within Kaspersky’s system for any length of time, what’s the guarantee that some other state-sponsored hackers won’t be able to do the same with another security company’s antivirus products?
In Kaspersky’s case, irrespective of whether or not the company is guilty as charged, the allegations alone could have a huge negative impact on its top line. The company doesn’t seem to be worried about its income from the U.S. government, though. According to CEO and founder Eugene Kaspersky earlier this month:
“It isn’t much money. We have never even participated in government tenders in America. So I’m not afraid of a drop in sales. Even if it would happen, I am sure that we will be able to compensate it.”
But the American public is now in a state of confusion. On the one hand, retailers like Best Buy have said that they will no longer carry Kaspersky products in their inventory. On the other hand, security experts are telling the public that for general consumers, the software is still fine to use.
The Hard Truth about the American Psyche
It’s a hard hypothesis to put forward, but America has been almost constantly in a state of panic over security ever since 9/11 happened. At first, the fear was of physical harm, but now it has extended to the realm of the digital. The fact of the matter is, in most cases, the information on the average Joe’s computer holds little value to state-sponsored actors. Governments and corporate entities do need to be cautious, but any news about hacking tends to elicit a disproportionate reaction from the public, and more so if there’s a Russian link to spice up the story. But it doesn’t even matter who the “bad guy” is; the public tends to blow things out of proportion.
To give you an example of how this plays out in the domestic market, the E. coli outbreak panic from last year hit burrito maker Chipotle Mexican Grill in a bad way, wiping out billions of dollars in market capitalization. More relevant to this article is the fact that the company blamed the CDC for setting off “a drumbeat of news stories” that eventually led to public panic. The CDC dismissed these allegations, but that’s not the point. The point is, when a government agency publicly announces something, the media takes it and runs with it, and eventually the public tends to sit up and take notice. As it should, I might add. Unfortunately, as I said earlier, the public’s response in this type of situation is often irrational, bordering on panic-level behavior.
Coming back to the original problem, it’s not my place to say whether or not the N.S.A. or Best Buy or anyone else was right to disconnect themselves from Kaspersky’s products because of alleged ties with Russian intelligence or the government. But the impact on the general population is rarely given a thought in such cases.
Please share your thoughts on this matter in the comments section. I’d love to hear well-reasoned views even if they’re dissonant with my own.