Anti-Virus Conspiracy Theories Cut Both Ways
Can Governments Compel Domestic Cybersecurity Firms to Spread Attacks?
Can a government compel a domestic anti-virus firm to ignore state-sponsored malware, or even add backdoors to software or hardware products, without getting caught?
That is one relevant question following a reported probe being conducted by the FBI into the operations of Moscow-based anti-virus firm Kaspersky Lab, as well as warnings over U.S. government use of the firm's software sounded by the Department of Homeland Security and the Senate Intelligence Committee (see Russia Threatens Retaliation If US Bans Kaspersky Lab).
"You have to have trust in the vendor."
In response to the reported probe, Eugene Kaspersky, who heads the anti-virus firm, has offered to testify before Congress, as well as to share source code with the U.S. government.
But these questions run deeper than code checks, says Jake Williams, a cybersecurity consultant and former NSA employee who's questioned the perspective of an NBC News report that equated Eugene Kaspersky having grown up in Soviet Russia with his working for the authorities.
Rather, it's a question of who can be trusted, Williams says.
But a code audit doesn't solve the real problem. You have to have trust in the vendor far after the build time. — Jake Williams (@MalwareJake) July 4, 2017
A Question of Trust
As a famous philosopher once said: "Trust is earned, not given away."
Hence it's also worth noting that Kaspersky Lab isn't a new kid on the block. It was formed 20 years ago by Kaspersky, and since then has earned a reputation for building well-respected software as well as producing top-notch research into cybercriminals and nation-state attacks.
Kaspersky Lab - a private business with offices in 37 countries - made a concerted enterprise sales push in the United States beginning in 2014 after setting up an office in Washington in 2013 to improve its ability to sell to the U.S. government. At the same time, it's also worked with law enforcement agencies, via Europol and Interpol, to take down cybercrime rings, and it helped found the No More Ransom portal to provide free ransomware decryption tools.
That Whitelisting Question
When it comes to trust, the narrative coming out of the U.S. government overlooks a few relevant facts.
For starters, we've been here before, thanks to the Snowden revelations into National Security Agency programs that subverted U.S. technology companies, apparently without their knowledge or consent.
So in 2013, Dutch digital rights group Bits of Freedom sent a letter to leading anti-virus firms in a variety of countries, asking if they would ever "whitelist" - as in, purposefully ignore or allow - any piece of malware, for example, in response to a demand by their government. The letter was signed by 25 leading privacy and information security experts.
"Since we learned that the NSA has surreptitiously weakened internet security so it could more easily eavesdrop, we've been wondering if it's done anything to anti-virus products," letter signatory Bruce Schneier said in a blog post at the time.
Seven firms - Avira, ESET, F-Secure, Kaspersky Lab, Norman Shark, Panda, and Trend Micro - quickly responded to Bits of Freedom, saying they would not do so under any circumstances, as I reported at the time. Not long after, Avast, AVG (now owned by Avast), Bitdefender, Bullguard, McAfee, Microsoft and Symantec told me they would likewise never whitelist malware.
How Security Firms Work
Whitelisting questions were again raised after the discovery of advanced cyber espionage malware named Regin.
On Nov. 23, 2014, U.S.-based anti-virus firm Symantec released the first detailed technical report into Regin, with Helsinki-based firm F-Secure and Kaspersky Lab quickly following suit.
The timing of those security alerts and the fact that Regin attacks appeared to date from 2008 prompted questions about whether U.S., Finnish and Russian security firms had been covering up the malware. A further wrinkle: Some experts suspect Regin was built by the U.S. and Britain, and infections were reportedly tied to hack attacks against Belgian telecommunications firm Belgacom and the European Parliament.
But the firms responded by saying that Regin attacks had been launched in such small quantities - apparently being highly targeted - that they got lost in the massive volume of malware detected every day. Furthermore, it was only thanks to the firms working together that they eventually unmasked the malware (see AV Firms Defend Regin Alert Timing).
The same happened with Stuxnet - which went undetected for a year - and later DuQu and Flame, all of which reportedly trace to a U.S.-Israeli exploit-code factory.
Conspiracies Are Prone to Failure
In case a theme isn't clear here, it's that the Russian government isn't the only cybersecurity threat in the world.
But that doesn't mean any given country's cybersecurity firms are a threat.
Back in 2012, for example, Schneier said it was highly unlikely that a government would attempt to compel any domestic cybersecurity firms to whitelist malware, simply because related knowledge would be so difficult to contain. "My guess is that the NSA has not done this, nor has any other government intelligence or law enforcement agency," Schneier said. "My reasoning is that anti-virus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies."
Mikko Hypponen, chief research officer at F-Secure, also in 2012 said anti-virus firms collectively "want to detect malware, regardless of its source or purpose," and that "politics don't even enter the discussion, nor should they."
Hypponen added that no matter how targeted malware might be, bystanders too often suffer: "Any malware, even targeted, can get out of hand and cause 'collateral damage' to machines that aren't the intended victim." But he also warned that "consumer-grade anti-virus products can't protect well against targeted malware created by well-resourced nation-states with bulging budgets."
No Compulsion Required
That's the crux: Intelligence agencies don't need to compel anyone to build backdoors into their products. Instead, they can find or purchase information about exploitable bugs in software, write exploits and launch highly targeted attacks that leverage these exploits (see Yes Virginia, Even Security Software Has Flaws).
Not compelling firms that develop or maintain the targeted software would naturally make these operations more stealthy. After all, conspiracies are notoriously tricky to keep secret.
Witness the Equation Group - apparently the NSA - attack tools that have been leaked by Shadow Brokers. After Shadow Brokers in January name-dropped tools that it was going to leak, such as EternalBlue, the NSA appears to have tipped off Microsoft to the underlying exploits, leading to heavy-duty security updates in March (see No Coincidence: Microsoft's Timely Equation Group Fixes).
A software company from USA analyzing an exploit against them. An intelligence agency from USA wrote that exploit. https://t.co/b8hIZWvhVj — Mikko Hypponen (@mikko) June 29, 2017
More recently, the NotPetya malware outbreak shows how attackers - Ukraine blames Russia, which denies the allegations - subverted a small accounting software maker's update server to spread backdoored software for months (see Police Seize Backdoored Firm's Servers to Stop Attacks).
Who Can You Trust?
Of course, saying that no Russian-built products should be used by U.S. government agencies might seem to be an obvious take-no-chances course of action.
But the supply chain landscape is not so clear.
The U.S. Government Accountability Office, for example, says it doesn't know how many products used by the government may include Kaspersky Lab components. For what it's worth, the Russian government notes that it's a big user of U.S.-built hardware and software. It would no doubt have to be, for Microsoft Windows alone.
Given the difficulty faced by governments that might want to compel domestic cybersecurity firms to conform to their will, and the death sentence businesses face if such collusion were to be revealed, let's take a risk-based approach. In short, let's talk about specific companies and their track records as separately as possible from political and diplomatic considerations.