Trust Your Security Vendor, 'They Have Access to Everything You Do,' Says F-Secure Research Chief

The DHS ban on government agencies using Kaspersky Lab's security products has reverberated around the security industry. The concern is not simply whether the Moscow-based security firm has colluded with Russian intelligence, but how many other security firms could, through their own products, potentially collude with their own national intelligence agencies.

This is bad news for security since security is built on trust; and without trust there is no security. Kaspersky Lab has denied any collusion and has offered to do anything possible, from testifying before Congress to third-party code reviews, to prove its innocence. At the same time, there is no actual proof of collusion; just a statement that the possibility is a cause for concern.

On Tuesday, at a media briefing in London, Eugene Kaspersky said he had never been asked by Russia to spy on its behalf. "If the Russian government comes to me and asks me to (do) anything wrong, or my employees, I will move the business out of Russia. We never helped the espionage agencies, the Russians or any other nation."

The DHS statement bans government agencies from using Kaspersky Lab products, saying, "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security."

Herein lies the problem. Before developing anti-virus software and forming Kaspersky Lab, Eugene Kaspersky studied cryptology at a KGB and defense-funded school, and later worked at Russia's Ministry of Defense as a cryptologist. So the link -- and therefore the risk -- exists. At the same time, however, any glance through LinkedIn's staff profiles for U.S. security firms will return a large number of senior employees with an NSA, CIA, FBI or State Department background, with many U.S. security firms boasting about their former government and military hires. Connections alone do not necessarily imply collusion.

The Wall Street Journal (WSJ) separately published an unsubstantiated claim that an NSA employee had been breached by Russian state-backed hackers via a vulnerability in a Kaspersky Lab product; and that they targeted the employee "after identifying the files through the contractor's use of" Kaspersky Lab AV. No proof of this is provided, but the implication is that Kaspersky Lab did not pass confidential files directly to Russian intelligence, but merely informed them of their presence on the employee's computer.

However, if the Kaspersky-Russian intelligence link is a concern, then by implication users should consider the potential for a McAfee and Symantec link with the NSA, and a Sophos link with GCHQ. In an attempt to counter any potentially growing lack of trust in security products in general, F-Secure's Chief Research Officer, Mikko Hypponen, has talked today about how his own company handles confidential user information.

There are two riders to his comments. First of all, F-Secure is a competitor to Kaspersky Lab; and secondly, F-Secure is not Kaspersky Lab. Nevertheless, insights into how one major anti-virus firm operates will inevitably provide some insights into how any other major AV firm operates.

Hypponen avoids or obfuscates his response to any direct question of possible Kaspersky Lab collusion with Russia. For example, he says, "Let's just state for the record that it's a great company and a great security product. These are world class researchers." 

Asked later if he thought Kaspersky Lab "colluded with Russian intelligence, do you think they were breached, hacked, infiltrated?", he replied, "I don't know. It's all speculation, as are all the stories on this. So far everything's been speculation." He notes, however, that links with law enforcement are commonplace. Law enforcement agencies (LEAs) frequently ask security firms for assistance in the fight against cybercrime, and researchers commonly pass back data on discovered C&C servers.

He does, however, explain how F-Secure treats information about user files. First of all, almost all security firms collect this data -- it's simply how they work. The amount of data that needs to be analyzed to keep users safe simply cannot be done on a local machine without reducing its operation to a crawl. Anti-virus and network anomaly products tend to collect data and send it to cloud servers for analysis by powerful machine-learning algorithms.

But F-Secure, and most likely all other security vendors, go to great lengths to anonymize and protect the information they collect. First of all, this is good practice; but secondly, privacy regulations in many jurisdictions could cause serious complications. GDPR, for example, requires that only necessary data be collected; and personal data is not necessary for the analysis of executable files.

The files that are collected are analyzed for any indication of malware. If they are found to be benevolent, they are deleted. This resonates with Kaspersky Lab's comments following the WSJ report. Its software found the NSA files on the employee's computer, did not recognize them as good files and uploaded them for further analysis. Here they were analyzed and determined to be 'sensitive' -- at which point they were deleted.
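The collect-analyze-delete workflow described above, modelled as an added illustration (hypothetical code, not F-Secure's or Kaspersky Lab's): the client uploads only unrecognized executables and strips user, host and path information; the backend keeps a sample only if it is malicious and discards benign or sensitive ones. The verdict cache, signatures and sensitivity markers are constructed stand-ins.

```python
import hashlib
import os
from typing import Optional

# Constructed stand-in for the vendor's cloud reputation database (hash -> verdict).
KNOWN_VERDICTS = {
    hashlib.sha256(b"MZ\x90\x00known-good-binary").hexdigest(): "benign",
    hashlib.sha256(b"MZ\x90\x00known-bad-binary").hexdigest(): "malicious",
}
# Constructed detection and sensitivity markers; real engines use far richer logic.
MALWARE_SIGNATURES = [b"drop-everything"]
SENSITIVE_MARKERS = [b"TOP SECRET"]


def is_executable(data: bytes) -> bool:
    """PE ('MZ') and ELF magic are enough here to decide 'worth analysing'."""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"


def build_submission(path: str, data: bytes) -> Optional[dict]:
    """Client side: decide whether anything leaves the machine, and what.
    Returns None when no upload is needed. The record carries no user name,
    host name or original path, only what analysis of the executable needs."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_VERDICTS:
        return None            # a hash lookup already gives the verdict
    if not is_executable(data):
        return None            # documents and other personal files are not needed
    return {
        "sha256": digest,
        "size": len(data),
        "ext": os.path.splitext(path)[1].lower(),
        "content": data,
    }


def analyse_and_retain(submission: dict) -> tuple:
    """Backend side: classify the sample, then keep only malicious ones.
    Returns (verdict, retained); benign and sensitive samples are discarded."""
    content = submission["content"]
    if any(sig in content for sig in MALWARE_SIGNATURES):
        KNOWN_VERDICTS[submission["sha256"]] = "malicious"
        return "malicious", True
    if any(marker in content for marker in SENSITIVE_MARKERS):
        return "sensitive", False      # not malware, but not the vendor's to keep
    KNOWN_VERDICTS[submission["sha256"]] = "benign"
    return "benign", False             # verdict cached, sample content dropped
```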

Unfortunately, this cannot disprove the possibility that someone in Kaspersky Lab then sent a quiet word to Russian intelligence saying, 'Hey guys, you might want to take a close look at this guy's computer.' But for that to have happened, Kaspersky Lab will have had to collect personal data as well as anonymized files.

Hypponen cannot say that Kaspersky Lab didn't do it; but he makes his opinion clear. He does, however, agree with the DHS. "Would I recommend using a foreign security product in US agencies, especially a Russian product? Probably I wouldn't. But for home users and users like that, it is a great product."

In the end, it's a question of who do you trust the most: your own government or a security firm that can only exist through trust?

"Choose your vendors carefully, because, in theory, they have access to everything you do," Hypponen said, adding that "when you are running low level software, like security software, you do have to trust your vendor."

But he clearly does not personally believe that Kaspersky Lab is guilty of any malicious behavior. "Why? Because that would be so short-sighted. If you do that and you get caught, your company is toast, and it should be toast. That's a bad business decision. If it's the Russian government using a local security company as their way of gaining access to information, that's short-sighted too. Because Kaspersky Lab is the biggest software success story out of Russia since Tetris."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.