On Kaspersky

By Nicholas Weaver
Tuesday, July 25, 2017, 2:39 PM

Kaspersky Lab is an excellent company with a solid reputation for building good security products. For most users, there is no meaningful distinction between Kaspersky, Symantec, or F-Secure as sources for antivirus and related tools. All are good options.

But that is only true for most users, and government networks are not most users. GSA recently removed Kaspersky from its list of approved vendors, yet many states still use Kaspersky software. This is greatly troubling. Kaspersky software should be banned from all government computers, defense contractors, and related assets. Why?

The issue is not the rumored cooperation between Kaspersky and the Russian FSB; that relationship isn't necessarily different from Symantec's relationship with the FBI. Modern computer crime and computer forensics touch hundreds of investigations, and law enforcement agencies, even the FBI and the FSB, lack the necessary in-house expertise and rely on private companies. The problem here is a more fundamental risk: a government-mandated malicious update.

Software updates are the keystone of modern computer security. In security software, updates are especially important because they not only remove vulnerabilities but also deliver the new signatures and detection logic that enable defenses against new threats. Antivirus software also generally runs with elevated privileges (typically a kernel-mode driver plus a system-level service), effectively "God mode." This means that whoever controls the antivirus software, or its update channel, controls the victim's computer.

This is one reason why software updates can be so dangerous. A (presumably Russian government) attacker pushed out a malicious update for MeDoc, a Ukrainian tax-accounting package, first to gain a foothold in most businesses that pay Ukrainian taxes and only later to launch the NotPetya worm. An attacker compromising an update channel, as in the NotPetya case, is very serious. But depending on the jurisdiction, a government could force its own companies to provide a sabotaged update by invoking local "legal" authority, no hacking required: the update would be properly signed by the vendor and would pass every check the client performs.

In the U.S., despite the unwise effort to do something similar in the case involving the San Bernardino attacker's iPhone, I am not aware of any precedent for the government successfully compelling a software company to ship a malicious update. Nevertheless, those who count the U.S. government as an adversary always hesitate before using U.S. products. It is true that the only constraints on such activity are the current state of the law, which could change, and the considerable reputational damage a company that deployed a government-mandated malicious update would surely face.

This same logic applies, to a far greater degree, in places with a weaker rule of law or less government transparency. Anyone who views the Chinese government as an adversary should avoid Huawei, and anyone who counts the Russian government as an adversary should not install Kaspersky products. The U.S. government, naturally, treats both of those countries as possible adversaries. There is currently no evidence that anything of the sort has occurred, but it is simply sound practice to plan for the unseen or future capabilities of our adversaries.

This is why it is shocking to me that the U.S. government has used Kaspersky Lab's products, including on DOD systems. Kaspersky and Huawei both make good products, but they simply shouldn't be in the networks of U.S. federal, state, and local governments. The risks are too high.