Congressional concern is climbing—not for the first time—about government agencies using an anti-virus tool made by the respected but Russia-based security firm Kaspersky Lab. The dustup is a case study in why securing government systems is devilishly complicated.
The fracas comes as congressional Democrats are squaring off against President Donald Trump over possible collusion between Russian intelligence agencies and members of his campaign. It also follows a presidential campaign upended by a Russian government influence operation and amid a deluge of leaks from U.S. intelligence agencies.
The competing priorities of security, intelligence, diplomacy and budget constraints play a role in the melee. So, too, do the rival power centers of a government that’s struggled for years, often unsuccessfully, to manage cybersecurity and technology buying in a unified way.
This is the basic paradox: On one hand, top intelligence officials at the FBI, CIA and the National Security Agency tell members of Congress that Kaspersky Lab can’t be trusted, that they wouldn’t put its products on their personal computers, let alone the nation’s. On the other hand, federal agencies still use the Moscow-headquartered anti-virus software. During the past decade, it’s plugged into systems at the Consumer Product Safety Commission, the Treasury Department, the National Institutes of Health and U.S. embassies, among other locations, contracting data shows.
Kaspersky anti-virus also frequently protects state, local and tribal government computers, former officials told Nextgov.
It may even be on some non-national security systems at the Homeland Security Department, according to testimony from Homeland Security Secretary John Kelly, though official testimony indicates it is generally barred from intelligence and national security systems throughout government.
This disparity between official concern about the Kaspersky company and the prevalence of the firm’s anti-virus on government systems highlights two fundamental facts.
First, anti-virus is both immensely useful and extremely powerful. If used for nefarious purposes, it’s capable of pilfering nearly any file from a computer system or loading malware onto that same system. It can do all of this undetected unless a system administrator is monitoring it extremely closely, and perhaps not even then.
Second, despite widespread alarm over government data breaches at the White House, the State Department, the Pentagon and the Office of Personnel Management, the government is a long way from being able to impose uniform security standards on all of its computers.
Government officials are deeply concerned about the possibility of nefarious activity by the Russia-based company, whose products several smaller agencies have purchased through third parties and bundlers as part of larger computer security packages, three former Obama administration cybersecurity officials confirmed to Nextgov.
Such concerns have been aired numerous times before, most recently by Buzzfeed in May.
At least part of this concern centers around the possibility of undue influence by the Russian government on Kaspersky and the fact that, like other anti-virus firms, Kaspersky is typically capable of moving files from a customer’s systems to its own systems or to a computer cloud in order to analyze those files for infections. While this capability can sometimes be minimized or unplugged, the prospect of U.S. government data hitting a server in Russia is enough to make officials very nervous, former officials say.
“While the Kaspersky product is good and effective for basic AV services, because of some unknown factors as to where information is transmitted back to Kaspersky systems under certain configurations of the product, many felt very uncomfortable endorsing Kaspersky for use on national security systems,” one former official said.
Allegations vs. Evidence
There’s no public evidence of collusion between Kaspersky and the Russian government, and U.S. officials have never publicly alleged such interference, though it’s common for intelligence agencies to keep such evidence under wraps to avoid revealing intelligence sources and methods.
The company flatly denied any collusion in a May statement, saying “Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyber espionage efforts.” The company also firmly denied sharing any customer data with Russian authorities.
How Much Damage Could Anti-Virus Do?
Thus far, the public does not know any specifics about what’s led intelligence officials to express concern about Kaspersky’s independence. The public doesn’t know how troubling that intelligence is or how confident officials are in their conclusions. What is known is that anti-virus, if used for nefarious purposes, could be extremely powerful and nearly undetectable.
At its most basic level, anti-virus does its work by regularly scanning every single file and system on a computer. Because it does this on the computer itself rather than at the periphery of an entire network, there usually aren’t other systems monitoring the work of the anti-virus. The digital security systems DHS provides to federal agencies, known as Einstein and Continuous Diagnostics and Mitigation, for example, sit on the periphery of agency networks, not at the device level.
When the anti-virus finds something suspicious in a file, it will quarantine that file for additional, automated investigation. When it spots a known vulnerability in a particular system, it will protect against it.
If the anti-virus sees something that looks suspicious but isn’t a known infection—say, for instance, a file that may be infected with polymorphic malware constantly changing its particular digital signature—it may encrypt that file and transport it to the AV company’s own systems for investigation. If the file is genuinely malicious, the company will alert its other customers to protect them. The faster and more frequently those updates come out, the more valuable an anti-virus is for its customers.
So, what could an anti-virus do if compromised by or beholden to a customer’s adversary? A lot.
It could install something malicious on a computer that poses as a security update, security researchers say. Even easier, it could decline to install certain updates that protect against preferred attack vectors of a particular adversary.
It would also be relatively easy to skip certain updates for only a subset of customers, security researchers say.
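The update-withholding scenario above is, from a defender's side, a fleet-drift problem: if a subset of endpoints quietly stops receiving signature updates, their reported database versions fall behind the rest of the fleet while the agent itself still checks in. The following is an added illustration, not code from the article or from any anti-virus vendor; the inventory records, host names and the "YYYY.MM.DD.N" version format are constructed for the example, and the baseline is either the fleet's most common version or a vendor-published version the operator supplies.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical asset-inventory export, not real agency data):
# one record per endpoint with the signature database version the agent reports.
TELEMETRY = [
    {"host": "ws-01",  "sig_version": "2017.06.20.2", "last_update": "2017-06-20T07:55:00"},
    {"host": "ws-02",  "sig_version": "2017.06.20.2", "last_update": "2017-06-20T08:01:00"},
    {"host": "ws-03",  "sig_version": "2017.06.20.2", "last_update": "2017-06-20T08:10:00"},
    # Agent checked in recently but received an older database: the "skipped subset" case.
    {"host": "fin-05", "sig_version": "2017.06.14.1", "last_update": "2017-06-20T09:00:00"},
    # Agent has not updated at all for days.
    {"host": "fin-06", "sig_version": "2017.06.11.4", "last_update": "2017-06-11T10:30:00"},
]

def version_key(v):
    """Turn 'YYYY.MM.DD.N' into an int tuple so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def fleet_consensus(records):
    """Most common signature version across the fleet: a proxy for what the vendor is shipping."""
    return Counter(r["sig_version"] for r in records).most_common(1)[0][0]

def find_lagging_hosts(records, now, max_age_days=3, vendor_latest=None):
    """Flag hosts whose signatures are behind the baseline or whose last update is stale.

    now is an ISO-8601 timestamp string; vendor_latest, if given, replaces the fleet
    consensus as the baseline. Returns {host: [reasons]} for flagged hosts only.
    """
    baseline = vendor_latest or fleet_consensus(records)
    now_dt = datetime.fromisoformat(now)
    findings = {}
    for r in records:
        reasons = []
        if version_key(r["sig_version"]) < version_key(baseline):
            reasons.append(f"signatures {r['sig_version']} behind baseline {baseline}")
        age = now_dt - datetime.fromisoformat(r["last_update"])
        if age > timedelta(days=max_age_days):
            reasons.append(f"last update {age.days} days ago")
        if reasons:
            findings[r["host"]] = reasons
    return findings

if __name__ == "__main__":
    for host, why in find_lagging_hosts(TELEMETRY, "2017-06-21T12:00:00").items():
        print(f"{host}: {'; '.join(why)}")
```

The interesting finding is a host that updated recently yet reports an old database, which is exactly the pattern a periphery-only monitor such as Einstein would not see and a device-level inventory comparison does.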
Where Does the U.S. Government Go From Here?
Full article: In an Era of Russian Hacks, the U.S. is Still Installing Russian Software on Government Systems (NextGov)