SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
6 Sep 2017

Why the US government shouldn't ban Kaspersky security software

Earlier this summer the House Science Committee sent letters to 22 US government agencies requesting information on their use of Kaspersky Lab security products.

As the federal government continues to investigate claims of ties between the Trump administration and Russia, officials in Washington have expressed concern that the government's use of software from Kaspersky Lab—a well-known security vendor based in Russia—could compromise domestic intelligence.

This request represents the most recent action in an aggressive campaign by Congress to review the possible security implications of using Kaspersky software for government infrastructure. Already, the General Services Administration (GSA) has ordered the removal of Kaspersky software platforms from its catalogues of approved vendors.

Meanwhile, the Senate is considering a draft bill of the 2018 National Defense Acquisition Authorization (known as the NDAA, it specifies the size of and uses for the fiscal year 2018 US Defense Department budget) that would bar the use of Kaspersky products in the military. While Congress certainly has a responsibility to maintain the security of government systems, such a blanket ban contributes to a growing protectionist trend in government technology procurement and threatens innovation.

Procurement choices have implications far beyond lost contracts. The move to strip out Kaspersky products from government systems is likely to have a chilling effect on government contractors and consumers. As the GSA evaluates the practices of contractors and suppliers in the government supply chain, use of Kaspersky products may prove to be a penalizing, if not disqualifying, factor for companies during the proposal evaluation process. The House Science Committee letters specifically request the names of any US government contractors or subcontractors that use Kaspersky products.

While the NDAA only targets software, Kaspersky technology is also integrated into the hardware and software products of companies like Juniper and Microsoft. It's not clear whether the NDAA ban would bar use of products that incorporate Kaspersky technology. If it does, other tech companies might move away from partnerships with the company, which would be a blow to its business in the US.

Yet there has been no demonstrable evidence that Kaspersky is influenced by Russian authorities, nor that Russian intelligence services have cajoled the company into installing backdoors. Kaspersky Lab’s most significant, verifiable connections with Russian intelligence services are CEO Eugene Kaspersky’s education at a KGB cryptography institute and his stint in Soviet military intelligence more than 20 years ago.

Still, it is not unreasonable to think that Kaspersky Lab may have ties with Russian intelligence. The company employs former intelligence officers, and Russia’s relationship-based business climate means that it's unlikely Kaspersky Lab could have succeeded without relationships with senior government officials.

However, it’s a charge that could be levied at many technology companies, especially cybersecurity firms. As the digital economy has grown, international intelligence agencies and technology firms have formed a sort of intelligence-industrial complex. After exiting US intelligence services, many former officers and cryptographers transition to jobs with big tech firms, hired for those skills they learned in the service or specifically for their strong personal relationships with government officials.

European powers are no different, with French intelligence service DGSE maintaining informal information-sharing relationships with French tech firms, and French companies often benefiting from DGSE economic espionage. In Israel, the Israeli Defense Forces Unit 8200, an intelligence service, is known as a de facto technology incubator, with Unit 8200 alumni often leaving the service for immediately funded tech startups, most often focused on cybersecurity.

Observing the ties and interests of intelligence services with foreign technology firms, other countries have decided to favor homegrown companies. Since 2014, Russian president Vladimir Putin has pushed for the country to become technologically independent from Western companies. The Kremlin is currently supporting a plan to remove foreign software from government offices and state-owned companies. Meanwhile, the Cyberspace Administration of China just released the final version of its measure to conduct cybersecurity reviews of network products and services used in key sectors. WTO members are already raising concerns that the vaguely defined regulations discriminate against non-domestic companies and technologies.

These protectionism concerns are legitimate. Congress should consider the market implications of a blanket ban; like any protectionist barrier, this type of restriction is likely to diminish domestic competitiveness, reduce availability of inexpensive goods and services, and prompt foreign retribution against US firms.

Most concerning, such measures will likely restrict consumer access to innovation. Kaspersky is an industry leader on endpoint security and cyber threat intelligence. Security researchers often rely on the company's high-quality analysis of cyber threat groups, especially those from Russia. Today, the issue is one company, but plenty of technology firms have ties to intelligence services and governments. If this ban moves ahead, it is easy to foresee its use against Chinese, French, or Israeli firms. If such bans come, these firms’ national governments will be sure to make US tech firms share the pain, with retributive discrimination against US products.

If the US government has concerns beyond mere association with foreign intelligence services, if it truly believes certain technology products maintain vulnerabilities for foreign governments, officials should work with firms to provide a transparent process for reviewing such issues. Kaspersky has indicated its willingness to submit its products to review.

In 2010, in order to demonstrate to British security agency GCHQ that the Chinese government did not mandate backdoors in its telecom equipment, the Chinese firm Huawei built the Huawei Cybersecurity Evaluation Center to provide security audits and inspections of Huawei products.

While the organization initially faced criticisms about objectivity, subsequent operational changes produced an auditing organization which, for the time being, satisfies British government concerns about possible vulnerabilities in the Chinese telecom company’s products. Rather than implementing blanket bans on products, the US government should pursue a similar compromise with suspect firms. Such a move could allay government fears and protect open US technology markets.

Ultimately, if the US wants to eliminate the threat of government-mandated vulnerabilities in foreign technology products, it should broker an arrangement at the diplomatic level. Microsoft, in its recently proposed Digital Geneva Convention, called on all governments to stop offensive operations against civilian networks and infrastructure.

While such an agreement may be far off, an intermediate step in that direction might be for governments to cease mandates for vulnerabilities and backdoors in domestically produced software and hardware. An agreement against backdoor installation would provide relief for US, Chinese and Russian governments—and allow technology firms to reengage in truly free trade.



Tags: trends, Kaspersky Lab, data protection

Source: Wired
SafeUM © Safe Universal Messenger