The FBI’s attack on Kaspersky Labs reached a new level last week when the Wall Street Journal published an article claiming that Kaspersky anti-virus software was exploited by Russian intelligence to exfiltrate information from an NSA contractor or employee. The person in question took sensitive information home on an unsecured computer that was running Kaspersky AV. The focus on Kaspersky lets the NSA off the hook for allowing yet another NSA insider to sneak classified material outside of the NSA network and put it on an unsecured computer. But the implications of this incident go far beyond the fate of a single Russia-domiciled security company. While there are many gaps in our knowledge, there is no doubt that, whatever Kaspersky’s level of culpability, this is largely a geopolitical conflict in which we and the Internet are pawns.
What is known?
Kaspersky AV products have won awards and high ratings from independent security testing labs for both home and business products. Kaspersky products, like those of any other security vendor in the world, have access and privileges to the systems they protect. Often the software surveils your computer or network and reports back to the AV company what it discovers. The implied, and not well-developed or substantiated argument in the WSJ article is that Kaspersky software detected special malware held by the NSA for breaking into other countries’ computers, and that Kaspersky notified the Russian intelligence agencies of its presence on this computer, allowing them to target the person.
But there is no direct evidence that Kaspersky did this, or that it is an agent of the Russian government or cooperating with them. According to Ars Technica’s Dan Goodin, “The [WSJ] report is based on unnamed people the publication says had knowledge of the matter, and it provides no evidence to support its claim. What’s more, the lack of detail leaves open the possibility that, even if Kaspersky’s AV did help Russia home in on the highly sensitive code and documents, the disclosure was the inadvertent result of a software bug, and no one from Kaspersky Lab cooperated with the attackers in any way.” In September 2015, Google Project Zero researcher Tavis Ormandy said his cursory examination of Kaspersky AV exposed multiple vulnerabilities; Kaspersky has since patched them. But over the years, Ormandy has discovered equally severe code-execution vulnerabilities in AV software from a host of Kaspersky competitors.
Why is this being leaked now?
The timing is suspicious. The contractor removed the material from the NSA some time in 2014 or 2015. The material was allegedly stolen by Russian hackers in 2015, and the NSA discovered this problem in the first three months of 2016, about 18 months ago. So why is this story just being released now? The WSJ article seems part of an orchestrated campaign by certain elements of the deep state to capitalize on current anti-Russian sentiment to fuel a cyber Cold War. Indeed, an article in CyberScoop says that even some people in the US intelligence community are critical of the way the FBI is handling the Kaspersky affair. “They believe the FBI has engaged in deliberate media leaks and overblown classified congressional briefings to build the case against Kaspersky.” One former NSA employee, Jake Williams, founder of Rendition Infosec, said some weeks ago “The data released so far against Kaspersky is weak and inconclusive and applies to many U.S. information security companies. Making claims without substance to back those claims will just lead to speculation that U.S. companies are involved in similar activities. Rebuking these claims is made difficult since the burden of ‘proof’ established by the U.S. is so low.”
Retaliation, alignment and “fragmentation”
The Kaspersky incident shows that in the ongoing securitization of the Internet, elements within the US government are migrating toward a techno-nationalism similar to that of the Russian and Chinese governments . The problem is that this triggers a dynamic that can have really bad effects on the global internet. It’s bad enough that people are stopped at the border solely because of their national origin; if we start treating all technology this way how can global interoperability and a competitive market survive? The American attack on Kaspersky is echoed in Putin’s claim that the Internet itself was a “CIA project.”
The U.S. government’s handling of the Kaspersky case will likely cause trouble for U.S. companies. Putin has recently made moves to “compel Russian companies to purchase and deploy software that is created only by Russian technology firms rather than foreign competitors.” China of course is taking a similar tack, and even Germany has information security experts singing from the same nationalist hymnal.
Some people say this is leading to the “fragmentation” of the Internet, but that is the wrong label for this phenomenon. A better term is alignment, in which nation-states seek to overlay territorial jurisdiction and national controls upon the global internet. The Internet created a digital economy that transcended nation-state borders. Yet this tremendous accomplishment is threatened by the tacit economic nationalism caused by the intersection of cybersecurity policies and great power rivalries. If the world’s major governments continue to militarize cyberspace and do not allow their consumers to use equipment, software or content platforms simply because they are produced by foreign nationals, then the world is essentially abandoning the internet as a model for global interoperability, and reverting again to the national post, telephone and telegraph monopolies of the 19th century.