Kaspersky goes under the bus

So today we got news that the US GSA has removed Kaspersky from the approved list of technology vendors from which US government agencies can procure technology.  This, as you might imagine, in turn limits agencies from procuring and deploying Kaspersky products.

Why did they get removed?  Well, the argument is that Kaspersky is based in Russia.  And there have long been rumors that they are closely affiliated with Russian intelligence – maybe even to the extent that the security provided can be (or comes “stock”) deliberately undermined.  Do they have connections with Russian intelligence?  Who knows.  Maybe.  Most security practitioners nowadays have at least a passing, cursory interaction with the intelligence community.  Is the software deliberately compromised?  I doubt it, but a scenario whereby a government representative or intelligence official makes a request – such as, for example, refraining from disclosing information about a malware sample for a few days – might not be entirely out of the realm of possibility.

Another theory is that they were removed strictly for political reasons.  Maybe because of the optics associated with limiting Russian intelligence interference capability?  I’m not sure I follow this line of argument fully, so I’ll just state that it exists and refrain from further speculation about what it might or might not be.

Either way though, it highlights the reason why it’s not a good idea for governments to become too involved in the business of providing security services or products.  It’s happened before.  Like, for example, do you remember the story of Dual_EC_DRBG?  If you don’t, the deal was that the NSA pushed really hard for a known-weak random number generator to be adopted.  It was – in fact, it was codified by NIST as one of the key standards for generating randomness.  The NSA arguably knew it was broken (hey, at least they can get in, so who cares right?).  Some in the broader community barked at the time, but nevertheless it made it through the process.  And, the US government allegedly paid RSA 10 million dollars to make it the default in the standard cryptography toolkit that everyone used at the time.  So that probably wasn’t good.  It is, in fact, possible that this decision by RSA has something to do with the fact that BSAFE doesn’t have the ubiquity that it once did.

It also highlights, I think, the conflict of interest that arises when countries allow their offensive cyberwarfare capabilities to influence the commercial entities that reside within their sphere of influence.  Is there an answer?  Not sure I know of one.  But it’s another link in the continuing chain highlighting why government interaction with security tool vendors should be closely scrutinized.

The upshot is that Kaspersky will probably suffer a decline as a result of this.  If other governments follow suit, they’ll lose some revenue share.  Moreover, if people start to think that Kaspersky has been deliberately compromised or influenced by Russian intelligence, it could really undermine their ability to compete.  Commercial AV is pretty much fungible – if it’s a choice between a vendor who maybe/maybe-not is in cahoots with a nation-state intelligence service and another one that costs more or less the same and isn’t, most people will tend to choose the one that doesn’t have any suspicion associated with it.