Spotlight on security: Politics and cyber security, a troubled relationship
The relationships between various countries in the world are worsening, not only with regard to economic and political issues, but also in the field of cybersecurity. The recent bans on Chinese (such as Huawei) and Russian security products (such as Kaspersky Lab) are examples of the troubled relations between politics and cyber security.
Wrongdoers accuse others of wrongdoing
The suggestion by the US government, the EU and some western security services that Kaspersky Lab might be spying on them might appear to some to be a bit ironic. After all, some western intelligence agencies have secretly used unknown exploits to spy on civilians and governments of other countries.
Remember the “Vault 7” WikiLeaks publication in March 2017, in which the incredible “weeping angel” SMART TV spyware was disclosed? This was supposedly a joint effort by the CIA and MI5. Vault 7 contained over 8,000 documents of the CIA’s Center for Cyber Intelligence, disclosing how the CIA used unknown vulnerabilities to create spyware for every device and operating system. For reference, the combined lines of spyware code would approach the volume of a complex, world-wide platform, like Facebook. According to WikiLeaks, “the CIA had created, in effect, its own NSA with even less accountability”.
Maybe the CIA got the green light for this operation after the Prism-program of the NSA was shut down in 2013, following publication by the Washington Post and the Guardian of an NSA presentation on a secret state surveillance program. According to these slides, the US government had “direct access to user data on the servers of Facebook, Google, Apple and other US-giants”.
Speaking of the NSA, does anyone remember Wannacry and Petya, the ransomware based on unknown vulnerabilities stolen by Hackers from the NSA? The Shadow Broker leak also suggested that the NSA developed Stuxnet, considered the most advanced malware ever created. Guess which antivirus company was one of the first to analyze Stuxnet? Correct, Kaspersky Lab.
Could there be a connection between this, and the suggestion that Kaspersky Lab might be involved in spying on some western governments? In 2015 the Intercept, a webzine financed by eBay founder Pierre Omidyar with a mission to “to hold the most powerful governmental and corporate factions accountable” (for their actions), revealed a secret document written by British intelligence agency Government Communications Headquarters (GCHQ). This document was a “warrant renewal request” in which they asked permission to continue their program to “reverse engineer commercial software”, in particular antivirus companies. In section 11 of this “warrant renewal request GPW/1160” Kaspersky Lab is explicitly singled out as a threat for detection of their covert cyber operations:
Is this just a coincidence? This is question everybody has to answer for themselves. No matter what the answer is, this explicit reference clearly mentions (advertises) Kaspersky Lab’s capabilities to detect government engineered malware.
Where there’s smoke there’s fire
When officials of a democratic government accuse a company of doing something wrong, there is a common belief that there must be some truth in the allegations. However, the accusations might not be as evidence-based as you would expect. The Department of Homeland Security actually stated that there was no conclusive evidence of Kaspersky software containing backdoors or spyware.
The advice of the EU-report “to ban the ones that have been confirmed as malicious, such as Kaspersky Lab” is also not backed by concrete evidence. We could not find any evidence in the 23-page report by the EU leading to the ban on Kaspersky Lab products. Yet the conclusion is quoted on the Internet as factual evidence, even by respectable websites such as CSO.com.
When respectable sources copy and redistribute news, the credibility of the content increases. The problem with fake news is that several sources start to copy and quote each other so often, that people stop questioning it and start to accept it as fact.
What happened to the democratic principle that an accused party is innocent until proven guilty? Unlike most other software giants, Eugene Kaspersky offered both US and EU officials third-party access to the source code, so they could audit the code and check for backdoors. Kaspersky Lab is even opening a ‘Transparency centre’ in Switzerland to counter fears that spyware might be included with software updates for Kaspersky Lab products.
Who guards the guardian?
Antivirus products are one of very few types of software that have almost unlimited access to a computer’s operating system, resources and user data. This was demonstrated in the report that we published in 2014 on what data antivirus products send to their central servers (“Data transmissions in Internet Security Products”).
Although computer security software has legitimate grounds for sending information about the user’s PC to its cloud servers, this does not mean that a program should have carte blanche to send data without restrictions. Of course, this issue is not limited to antivirus programs, as the enormous amounts of data collected by Facebook and the recent Facebook privacy breaches demonstrated. The IT industry as a whole (including IoT device vendors) should be monitored with regard to the data they collect and send over the internet.
Politics and cyber security, a troubled relationship.
Why not use third-party test centres to verify a vendor complies with legislation? In 2010 Huawei opened a ‘Cybersecurity test centre’ in the UK to check Huawei’s network equipment on faults and bugs. This test centre is overseen by a UK government board. The General Data Protection Regulation already mentions DPA).
Eugene Kaspersky’s offer to have his software audited, and compile, sign and seal it in neutral Switzerland, deserves consideration. A specialist auditing organization, appointed by a national Data Protection Authority, can check and verify whether an IoT-product confirms to the standards enforced by a countries’ privacy and security regulations.