The US government is lashing out at Kaspersky Lab over concerns that the cybersecurity company would willingly collaborate with foreign government entities that pose a serious threat to the US. The case raises key questions on building trust in cybersecurity companies, enabling effective global collaboration and fostering further local innovation.
How well do we trust cybersecurity companies?
Our businesses and the organisations we work for are very likely to be facing cyber-attacks. The subject presents a very serious global risk. Individuals and organisations rely on a flourishing cybersecurity industry to better manage the risk with technologies and services.
The Cybersecurity Ventures market research group predicts that global spending on cybersecurity products and services will exceed $1 trillion USD cumulatively from 2017 to 2021. This is a big business. The group also tracks a large number of cybersecurity companies and maintains a list of the world's 500 hottest and most innovative. It is already a big list for only a part of the industry. Such companies range from large multinational corporations to small, local and specialised businesses.
The cybersecurity industry is very competitive. Organisations typically subscribe to a variety of cybersecurity companies that they select based on criteria including technical and non-technical items and, importantly, trust.
Trust is a big deal with cybersecurity companies. Businesses place serious trust in the cybersecurity companies they rely on to protect valuable information and processes. They trust the security controls they buy to be effective and efficient. They also trust that the cybersecurity companies will not take or lose their data or pose any threat to their business, whether directly or indirectly through third parties including foreign state government entities.
Ponemon's 2016 Data Risk in the Third-Party Ecosystem research reveals key findings on how most organisations fail to efficiently manage data risk with third parties (incl. cybersecurity companies). For example:
- 49% of organisations confirm they experienced a data breach caused by one of their vendors;
- 55% rely upon the third party to notify their organisation when their data is shared with other parties;
- 58% say they are not able to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach.
We may want to trust cybersecurity companies as much as we trust our banks, but it is not that easy. Cybersecurity technologies can be quite intrusive and have deep visibility into our data. They can also be hacked themselves (RSA, Hacking Team, Kaspersky, Bitdefender, LastPass, OneLogin, Cellebrite, etc.) and attract the unwanted attention of cyber-offensive government entities.
Kaspersky Lab vs US Government
Kaspersky Lab is a renowned cybersecurity company, which specialises in technologies for consumers and organisations. It recently ranked fourth in a global ranking of antivirus vendors by revenue. It is the third largest vendor of consumer IT security software worldwide and the fifth largest vendor of enterprise endpoint protection. Kaspersky has about 400 million users and has the largest market share of cybersecurity software vendors in Europe. It provides services to organisations in both public and private sectors, including US and Australian federal government entities. It earns more than 85% of its revenue internationally.
Kaspersky benefits from the trust of many individuals and organisations who run its software. It is also the only company listed in the Cybersecurity Ventures top 500 that originates from Russia.
The US government has recently revised its position towards Kaspersky and the case has quickly turned into a very mediatised display of suspicions and allegations worthy of McCarthyism.
In May, the US Senate Intelligence Committee raised an “important national security issue” over suspected links between Kaspersky and the Russian government which could threaten US infrastructure. It urged the intelligence community to address potential risks posed by the company’s powerful market position. The FBI was reported to run a counterintelligence investigation looking into the nature of Kaspersky’s relationship to the Russian government, and they reportedly interviewed some Kaspersky employees working in the US in relation to the suspicion.
In July, the US government removed Kaspersky products from the US General Services Administration (GSA)'s list of approved vendors for contracts that cover information technology services and digital photographic equipment. While US government entities can currently still buy Kaspersky's products, they can only do so outside of the GSA process. Allegations were made that the company has been working closely with the FSB, a Russian intelligence entity. According to a report from Bloomberg Businessweek, Kaspersky reportedly developed security technologies for the FSB and assisted in cybersecurity initiatives including sensitive "active countermeasures". Some key Kaspersky staff have also been reported to be former KGB officers.
A US congress committee also reportedly raised a warning of possible “nefarious activities against the United States” and requested 22 government agencies to provide all documents and communications with Kaspersky since 2013, including any internal risk assessments and lists of any systems, contractors and sub-contractors using Kaspersky products.
In September, some reports suggested the US Senate was looking to mandate a full, government-wide ban on the use of all Kaspersky products. ABC News quoted a US senator on: “The strong ties between Kaspersky Lab and the Kremlin are very alarming and well-documented. While much of this information is classified, there is ample publicly available information to justify Congress passing my amendment to ban the use of Kaspersky across the federal government” and “Using Kaspersky software on federal computers is a national security vulnerability and invites further Russian cyber intrusion”.
The FBI is also reported to be actively advising US private sector companies, in private briefings, against the use of Kaspersky software over concerns that it poses a threat to the US.
Rob Joyce, the Trump administration's cybersecurity coordinator, also advised the public not to use Kaspersky's products.
Kaspersky's integrity and trustworthiness are business-critical assets for a cybersecurity company, and they are currently being heavily tested by the US government and scrutinised in the media. Some of its competition is also trying to exploit the situation. Bitdefender, a competitor to Kaspersky originating from Romania, recently launched an opportunistic marketing campaign based on "Restore your confidence in security solutions" and "Concerned about renewing Kaspersky? – Call here to replace Kaspersky with no increase in cost", overlaid on a picture of a Trojan horse and a help desk operator ready to take cybersecurity vendor distrust away.
At the time of writing this article, no evidence of any wrongdoing by Kaspersky has been publicly produced. The suspicions could eventually be substantiated, but the cybersecurity company could also be a victim caught in the midst of a geopolitical rift between the US and Russia, at a time reminiscent of the Cold War.
Kaspersky has publicly responded to the allegations with the intent of clearing the doubt on its trustworthiness. It has offered to disclose its products' source code to the US government as a sign of transparency. It also seems to be running business as usual despite a campaign of McCarthyist proportions against it.
However questionable the approaches of the US government and Bitdefender against Kaspersky may be, there is merit in calling the bluff on the trust we place in all cybersecurity companies.
How to build trust in cybersecurity companies?
The basic answer to the question is to perform due diligence on the cybersecurity companies under consideration, as we would for any other third party, and to perform due diligence on the systems, solutions and services we consider acquiring from them on a case-by-case basis. The suggested due diligence processes typically involve:
- An initial risk assessment;
- The implementation of third-party risk management security controls; and
- An on-going governance and risk management process.
There is a range of guidance and resources available, such as ISO 27001/2, NIST (e.g. SP 800-161), Google's Vendor Security Assessment Questionnaire (VSAQ) and many others. Organisations may conduct the risk assessment themselves or with the assistance of trusted cybersecurity advisors.
Lists of government-evaluated cybersecurity vendors and products are available to make due diligence processes easier. For example, the Australian government publishes the Evaluated Products List (EPL), which is maintained for government agencies and is publicly available for anybody to consult. It includes some cybersecurity companies and products, which most private sector organisations could probably also use with confidence. However, the EPL is not comprehensive at all. It does not include all trustworthy vendors and products, and it does not replace a due diligence process.
Organisations with a high level of maturity in risk management, and reputable Managed Security Services Providers, are typically well equipped with cybersecurity resources and invest in their own rigorous supplier risk assessments and product certification processes.
Organisations with fewer resources can, however, struggle to conduct their own meaningful assessments. A minimum level of due diligence is still advisable, in addition to sourcing advice from trusted independent parties and procuring products and services through reputable cybersecurity providers and resellers.
Most organisations would, however, be unable to effectively assess on their own the kind of risk allegedly in question with Kaspersky in the US. For such risks, we can only rely on the advice of the government and the collaborative input of the wider cybersecurity community.
What should we think of foreign cybersecurity companies entertaining business relationships with their own governments or employing former intelligence and military personnel? It seems to be a problem for the US government looking at Kaspersky. What should the rest of the world then think of US cybersecurity companies such as Symantec, FireEye/Mandiant and CrowdStrike, just to name a few? Should they be distrusted and banned in other countries such as Australia?
The precedent created by the case of Kaspersky vs the US government raises a critical issue of international trust and collaboration across the cybersecurity industry. The international collaboration of governments and cybersecurity companies has proven to be very effective in dealing with large-scale cyber-attacks. I like McAfee's slogan of "Together is power". Some refer to cybersecurity as a "Team Sport", which I like to see as a global collaborative team sport and not a competitive one.
Constraining the effective global cybersecurity collaboration, by banning cybersecurity vendors over geopolitical sensitivity for example, will not benefit anybody.
We may need to think differently about the global cybersecurity industry and how we manage the effective collaboration we so badly need. The following principles may help:
- Transparency, from cybersecurity companies and the government. Kaspersky's offer to share its source code with the US government is an interesting proposition. Government should also be more forthcoming with any factual risk assessment relating to technologies and avoid debatable allegations conflated with geopolitical issues. Further uptake of open-source technologies could also be beneficial.
- Benchmarking, from independent parties and moderated open communities. Many analysts provide elements of vendor comparison (e.g. quadrants), but they fall short of addressing the core issue of trust in my opinion. A good example would be the comparison of VPN services providers on thatoneprivacysite.net, albeit not from an independent or moderated community.
- Regulations. Further government regulation of the industry would be beneficial.
Scott Handsaker, the CEO of CyRise, an Australian cybersecurity startup accelerator, shared in a recent roadshow his observation on the local uptake of Australian cybersecurity technologies. Australian cybersecurity startups reportedly find it easier to sell their products in the US to large and very security-demanding organisations, rather than at home to smaller organisations. He also suggested that unless things change, many Australian cybersecurity startups may be forced to head to the US or other places in order to grow their businesses.
The Australian market would appear to be sceptical of local cybersecurity innovation. This is quite interesting and perhaps counter-intuitive, because we could expect local sensitive technologies to be trusted more than foreign ones.
We have fantastic cybersecurity innovation potential down under. Bugcrowd and UpGuard are some great examples of it. We would all benefit from better cybersecurity by investing further trust and interest in home-grown cybersecurity brands, which would in turn foster even further local innovation.
Featured image credit: Max Pepper/CNN Money