Understanding the US Government/Kaspersky Lab Controversy

Unless you’ve been living under a rock during the past few months, you’ve probably heard that US politicians, citing undisclosed intelligence reports, have voiced concerns about the security of government computers that use Kaspersky Lab’s anti-virus product. In fact, the Department of Homeland Security has issued a ban on using this product on government computers, giving a deadline of 30 days to complete the inventory of computers using it and up to 90 days to get rid of it and replace it with something else.

Kaspersky Lab has vigorously denied the accusations. Eugene Kaspersky himself has offered to testify before the US Senate and answer any questions on this subject, and has even offered to the US government the source code of his product for inspection.

So, who is right and what does all this mean? Are the US politicians incompetent fear-mongers without a clue (stop shouting "YES!!!" in the background, you there) who are using the worsening of US/Russia relations to support protectionist policies — or is Kaspersky Lab running a clever espionage operation with the goal of infiltrating the US government, and should you stay away from their product? As usual, neither of these two extreme views is correct and the truth is somewhere in the middle.

Before we begin examining the facts and the falsehoods around this story, let me state my own credentials, so that you understand that I know what I am talking about. I have nearly three decades of experience with computer viruses, malware, and anti-virus programs. Half of this time (15 years) was spent working in the anti-virus industry (for FRISK Software International, the company that made the anti-virus product F-PROT and which was later acquired by Cyren). I've written a Ph.D. thesis on the subject (“Methodology of Computer Anti-Virus Research”, 1997, University of Hamburg, Germany), which for many years was used by several anti-virus companies to train their new employees. I practically invented competent and independent anti-virus testing while I was working at the University of Hamburg. I have analyzed several anti-virus products, in order to see what makes them “tick”. I designed dozens of small anti-virus programs at the beginning of my career and later designed the macro malware scanning engine in F-PROT. So, when talking about malware and anti-virus products, I definitely know what I am talking about.

Based on my personal expertise and experience with the product, I can state with confidence that Kaspersky Anti-Virus is one of the best anti-virus products in the world. At least it is, if you measure “quality” by the ability of the product to protect from malware. If you measure the quality of an anti-virus product by some other criteria — like design of the user interface, memory footprint, speed, etc., your mileage may vary — not because the product is particularly inferior by these criteria but because I find these criteria secondary-to-irrelevant in an anti-virus product, so I don't bother evaluating anti-virus products according to them. Besides, some of them are very subjective and what one person might love, another might find insufferable.

All in all, I would be more worried about the security of those US government computers that do not have Kaspersky Anti-Virus installed than about the security of those that do. What, then, appears to be the problem?

Some (mostly journalists) point to the “connections” of Eugene Kaspersky himself to Russian intelligence. Usually, they offer as “proof” the fact that he graduated from the KGB’s school of cryptography and served in the armed forces of the Soviet Union (yes, it was still called that way back then). I am sure that some of Eugene’s former colleagues went on to make a career in the military, intelligence, politics, industry and many other places, and that he still greets them if he meets them on the street. But that doesn’t mean that he is working for them to undermine the US government. In fact, after he ended his military service, he could not leave Russia for another ten years — which was rather annoying, because he was already an anti-virus researcher with a world-wide reputation at the time, yet he couldn’t attend anti-virus conferences. You would think that if he was being groomed as a Russian spy, he’d be given free access to the West.

At the same time, having “connections” to government, law enforcement, and intelligence officials is nothing unusual for the top people who work in the field of information security. Such people are relatively scarce and the private sector pays much better, so they work mostly there — which means that governments suffer from an acute lack of such talent and, naturally, they seek to establish contacts with the information security community in order to obtain information they cannot obtain themselves. There is nothing unusual or sinister in this — neither in Russia, nor in the USA, nor anywhere else. Several anti-virus researchers from the USA that I personally know have “contacts” — or even friends — at the FBI. Several US infosec companies employ — or are even headed by — former NSA employees. My own boss has contacts at the Bulgarian agency for fighting organized crime (which also does counter-intelligence work). This doesn’t mean that these people, or the products of their companies, are untrustworthy.

On the other hand, I have seen people explain Eugene Kaspersky’s military career with the fact that Russia has a draft (mandatory military service). This, too, is incorrect. The draft is for grunts, while Eugene was an officer, and this is voluntary.

Other Kaspersky Lab detractors are citing “secret intelligence” that the USA must undoubtedly have.

Of course, this is the same person who implied that Marcus Hutchins was involved in the creation of WannaCry and didn’t really discover the kill-switch by accident, so it is probably best to ignore his opinion.

So, what exactly seems to be the problem?

To begin with, it is undoubtedly perfectly clear to anyone with a brain in the US intelligence community that Kaspersky Anti-Virus does not have any “backdoors”. If they have any doubts, they could always accept Kaspersky’s offer to examine the source code. This is common practice with governments when trust is involved. For instance, McAfee have provided the source code of their anti-virus product for inspection to the Russian government and Microsoft have provided the source code of Windows to the Chinese government for inspection.

The real problem is that Kaspersky Anti-Virus, like almost every other contemporary anti-virus product, can update itself over the Internet. It has to be able to do so, in order to implement new detection methods if the new malware that appears requires them. It is not just a matter of updating the “virus signatures” (man, I hate this term!). The database used by the product contains executable code that can do pretty much anything that is doable by software. (Again, this is not unique to Kaspersky’s product, although it was one of the anti-virus products that pioneered this in the early 90s. For instance, McAfee’s product employs a proprietary programming language, called VIRTRAN. Database entries containing programs written in it again can do pretty much anything on the machine on which the product is running, if that thing can be done by software at all.)

In addition, Kaspersky Anti-Virus (like just about any other anti-virus product) is running as a privileged user (SYSTEM) on the machine it is protecting. Again, there is nothing nefarious about this — it does need the privileges, in order to do its job properly: inspect the running processes, terminate them, if necessary, monitor the connections of the computer, and so on.

So, what the US intelligence officials are really afraid of is the combination of these two properties. It means that while the product is perfectly safe to use now, at any time in the future Kaspersky Lab can push an update that would make the product do nefarious things — and it would be able to do pretty much anything, given the privileges it has.

Is this likely to happen? Eugene Kaspersky rightfully points out that doing it would be equivalent to economic suicide for his company, if it is found out — and it will be found out. He will never do it voluntarily.

But, again, this isn’t what the US intelligence officials are afraid of. They are afraid that the Russian government will either compel Kaspersky to do so against his will (and disregarding the billions of dollars of economic damage this will cause to Russia, because once it becomes known, nobody will buy their software products any more), or will subvert a few key employees at the company to get the malicious update pushed out without Kaspersky’s knowledge.

How likely is this? I am pretty confident that it will never happen in peace time. No matter how valuable the information the Russian government might be able to extract (if the malicious update has spying capabilities) and no matter how important it would be to sabotage some US program (if the malicious update has destructive capabilities), the blow-back and the damage to the Russian economy would be immense and would make the whole operation not worthwhile.

The only case when such an action is likely to be undertaken is during an ongoing military conflict, where any collateral damage is subordinate to the ultimate goal of defeating the enemy.

Does that mean that the US intelligence community seriously expects Russia to militarily attack the USA (or one of their NATO allies) — or are they planning to attack Russia? Of course not — but there is another factor here that has to be taken into account.

The US officials are talking about the “risks” of using Kaspersky Anti-Virus. Remember that

risk = damage * probability

Thus even if the probability is minuscule, the risk can still be high, if the (perceived) damage is immense. It should be noted, though, that since governments forcing anti-virus companies to push malicious updates during a conflict isn’t exactly a common occurrence (just kidding; it has never happened), both the damage and the probability are estimates and are likely to be higher than real if the party doing the estimating suffers from irrational fear.

The intelligence officials all over the world are paid to be paranoid. It is their job to determine and to evaluate the various risks and to present their conclusions to the politicians, so that the latter can take appropriate decisions.

This is precisely what is taking place here. Nobody is seriously thinking that Kaspersky’s product has a backdoor, or that the Russian government will force them to insert a backdoor tomorrow. But it can be done and the damage to the US government computers on which the product is installed, if it is done, will be immense — so the risk is substantial. Thus the recommendation to remove the product from the government computers.

(This goes both ways, by the way. The Russian intelligence officials are probably having some thoughts about what can happen if the US government uses a National Security Letter to force Microsoft, during a conflict with Russia, to push a malicious update to the Russian computers running Windows. So, yes, banning Kaspersky Anti-Virus on the US government computers makes about as much sense as banning Microsoft Windows on the Russian government computers.)

This also explains why, despite Kaspersky’s repeated calls to present “evidence” that using his product presents a security risk, the US officials have provided none. There is no evidence and their decision isn’t based on existing facts but on fears. They aren’t afraid of what the product does now; they are afraid of what the product can be made to do in the future.

So, yes, as sad as it is, an excellent anti-virus product is a victim of politics — the worsening of the US/Russia relations.

Please note that the US government officials have issued no recommendations to the private sector to avoid the product. If they thought that the product had a backdoor, or was spying on its users, or anything like that, they would have undoubtedly issued such a recommendation. Sadly, despite all this, many private companies will probably decide to stay away from the product — not for good reasons but “just in case”. We’ve already seen Best Buy offer a free replacement of the product to those customers who have bought Kaspersky Anti-Virus from them. Undoubtedly, there will be more.

The net result will be that, because of politics, everybody loses. Kaspersky Lab will lose a large chunk of their revenue. (Only a minuscule part of their revenue comes from the US government but about 25% comes from the US private sector, so the real problem is not that the US government will stop using the product but that the private US companies will stop doing so — either out of fear, or because they are doing business with the US government.) The users in the USA will lose access to one of the best anti-virus products in the world.

Eugene Kaspersky has accepted an invitation to testify before the US Senate. It won’t change anything. His offer to provide the source code for inspection will not change anything, either. Kaspersky cannot guarantee that the Russian government cannot force (or subvert) his company into doing something stupid. The absence of security problems in the code is irrelevant if the code can be changed at will, remotely and automatically. Facts are mostly irrelevant when you are talking to paranoiacs. Kaspersky Lab will be a victim of politics and nothing they can say or do will change that.

In conclusion, I would like to mention the shameful, unethical behavior of several other anti-virus companies. The marketing people of McAfee, Bitdefender, Avira, Malwarebytes, Symantec, VIPRE and others were quick to jump at the opportunity like jackals. They started issuing advertisements, trying to convince the current users of Kaspersky Anti-Virus that the product is not trustworthy (after all, the US government says so) and to switch to theirs.

This is disgusting. I realize that the sales people have no shame, but the anti-virus companies should do a better job of restraining their marketroids. As Peter Kruse put it on Twitter, “we’re competitors, not enemies”.

Our first duty is to help the customers protect themselves from malware — not to present a competing product in a negative light, just so we could sell more of ours.