The Washington Post and the Wall Street Journal report that Russian government hackers obtained details of U.S. cyber capabilities from the personal computer of a National Security Agency employee who had taken classified material home. He was running Kaspersky antivirus software. Apparently, the compromised secrets could enable the Russian government to thwart U.S. cyber operations, both defensive and offensive.
News reports regarding this story have understandably focused on the damage to U.S. cyber capabilities. I have no particular inside knowledge of the specific information leaked to the Russians, but if these reports are true, the compromise was particularly severe. However, as concerned as I am about the compromised information, I observe that such information is often of transient value to an adversary, or at least should be treated that way.
Of more concern to me is the idea that Kaspersky software has the capability to inspect the media of any computer running it for interesting files and to forward such files to Russian intelligence. This raises at least two groups of questions.
First, what is the nature of the algorithm that searches stored files on my computer? For example, does it look for documents that have the phrase “Top Secret” on them? Does it seek to decrypt my encrypted files? Does it go after my deleted files? Does it do keyword searches for documents containing the word “nuclear”? Is it looking for pornography stored on my computer so the Russians can blackmail me? Reading my email? And so on.
Second, how widely deployed is Kaspersky software on non-U.S.-government computers? This includes personal computers of U.S. government employees, of course, but also the work and/or personal computers of many in the private sector. What kinds of information have been taken from those computers? And what is the potential for mischief or malfeasance with that information being compromised?
Taken together, these questions speak to an even more serious compromise: the fact that the Russians are able to mine and are mining the documents, one by one, on the computers of every single Kaspersky user. Kaspersky software is used by 400 million individuals, and Kaspersky is the most popular European security software vendor. I suspect the information derived from that scale of operation is much more significant than what they got from one user, important though he may be.
Lastly, no public information has been revealed about what Kaspersky anti-virus software actually does once installed, despite the fact that the Department of Homeland Security (DHS) has initiated a ban on Kaspersky products within the federal government. DHS only said that “Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems.”
The detailed U.S. government analysis of what Kaspersky products actually do while running is presumably classified, but it seems to me that there’s no reason someone without a security clearance couldn’t set up a computer, populate it with fake classified documents, and monitor what the computer sends out and where it sends it. A comparison with another computer, similar in every way but with no fake classified documents, could provide an interesting control. What a cool student project that would be.
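The experiment sketched above has two measurable parts: seed the test machine with decoy documents that can be recognized if they ever leave it, and compare the outbound traffic of the test machine against a control machine that lacks the decoys. The following Python is an added example written for this post, not anything from the original article or from any vendor; it generates decoy documents that each carry a unique tracking token, then scans a constructed sample of outbound connection records (hostnames, destinations and payloads are all made up for illustration) for those tokens and for destinations the test host talks to more than the control host does. In a real run the records would be filled from a packet capture taken on the network segment; that capture step is outside this example.

```python
"""Added example: decoy-document seeding plus outbound-traffic comparison.

Two hosts are assumed: "lab-test" (holds the decoy documents) and
"lab-control" (identical setup, no decoys). Both host names, the destination
names and every traffic record below are constructed for this illustration.
"""
import secrets
from collections import defaultdict

CANARY_COUNT = 3


def make_canary_docs(tokens=None, count=CANARY_COUNT):
    """Return (docs, token_map).

    docs maps a filename to decoy text that looks like a classified document;
    token_map maps each unique tracking token back to its filename, so a token
    seen on the wire identifies exactly which decoy file was sent."""
    if tokens is None:
        tokens = ["CANARY-" + secrets.token_hex(8) for _ in range(count)]
    docs, token_map = {}, {}
    for i, token in enumerate(tokens):
        name = f"topsecret_{i}.txt"
        docs[name] = f"TOP SECRET // NOFORN\nProject {i}\nTracking: {token}\n"
        token_map[token] = name
    return docs, token_map


def sample_records(docs):
    """Constructed outbound records as (host, destination, payload bytes).

    Both hosts fetch the same signature update and send the same small
    telemetry blob; only the test host makes an extra upload that happens
    to carry one of the decoy documents."""
    leaked = docs["topsecret_1.txt"].encode()
    update = b"GET /defs HTTP/1.1" + b"\x00" * 200
    return [
        ("lab-test", "update.example.invalid:443", update),
        ("lab-control", "update.example.invalid:443", update),
        ("lab-test", "collector.example.invalid:443", b"POST /upload " + leaked),
        ("lab-test", "telemetry.example.invalid:443", b"\x01" * 50),
        ("lab-control", "telemetry.example.invalid:443", b"\x01" * 50),
    ]


def find_leaks(records, token_map):
    """Flag every record whose payload contains a decoy tracking token."""
    hits = []
    for host, dst, payload in records:
        for token, fname in token_map.items():
            if token.encode() in payload:
                hits.append({"host": host, "dst": dst, "file": fname})
    return hits


def bytes_per_destination(records):
    """Total outbound bytes per (host, destination)."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, dst, payload in records:
        totals[host][dst] += len(payload)
    return totals


def compare_hosts(totals, test_host, control_host):
    """Destinations to which the test host sent more bytes than the control
    host; the value is the excess. Catches uploads that carry no plain-text
    token (for example compressed or encrypted ones) by volume alone."""
    test = totals.get(test_host, {})
    ctrl = totals.get(control_host, {})
    return {dst: test[dst] - ctrl.get(dst, 0)
            for dst in test if test[dst] > ctrl.get(dst, 0)}


def run_experiment(tokens=None):
    """Seed decoys, scan the constructed traffic, return (hits, excess)."""
    docs, token_map = make_canary_docs(tokens)
    records = sample_records(docs)
    hits = find_leaks(records, token_map)
    excess = compare_hosts(bytes_per_destination(records), "lab-test", "lab-control")
    return hits, excess


if __name__ == "__main__":
    found, extra = run_experiment()
    for h in found:
        print(f"decoy {h['file']} left {h['host']} toward {h['dst']}")
    for dst, n in extra.items():
        print(f"{dst}: test host sent {n} more bytes than control")
```

The token check is the strong signal: a match proves a specific decoy file was transmitted and to where. The byte-count comparison is the weak but broader signal, useful because an uploaded file will usually be compressed or encrypted on the wire and no token will be visible; that is why the control machine matters.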