Who can you trust? Geopolitical cybergame: a new direction

In Chapter III of his classic work, The Art of War, Sun Tzu, the ancient Chinese general, military strategist and philosopher, says, "It is said that if you know your enemies and know yourself you will not be imperiled even in a 100 battles…" To this end nations have been spying on one another for centuries, using every means possible.

Today, modern technology has enabled us to extend the conflict beyond the direct approach of sending spies into countries and companies to obtain information. Through cyber-attacks on computer systems and digital devices, countries are now mining vast amounts of information, invading personal privacy, using espionage to exploit access to industrial systems, and deeply probing government secrets. Action against the Russian anti-virus software provider Kaspersky by the US government highlights the most recent trends in this regard.

Due to ties between AO Kaspersky Lab officials and Russian intelligence agencies, as well as requirements in Russian law that allow its intelligence agencies to request or compel assistance from companies such as Kaspersky to intercept communications passing through Russian networks, US officials are taking action to remove Kaspersky products from US government use. If installed on government computer systems, officials believe Kaspersky anti-virus products and solutions provide, "broad access to government files and elevated privileges on the computers on which the software is installed," opening up opportunities for these systems to be exploited by malicious cyber actors and to compromise those information systems.

On September 13, the Acting Secretary of Homeland Security Elaine Duke issued a Binding Operational Directive (BOD) for all US government departments and agencies to, "…identify any use or presence of AO Kaspersky Lab products on their information systems, and to develop detailed plans to remove and discontinue present and future use of the products…" within the next 60 days. All departments and agencies are to discontinue use and remove all Kaspersky products by December 12.

Kaspersky officials immediately fired back, stating that the company is not subject to the Russian laws cited in the directive. They further stated that any information the company receives is protected in accordance with legal requirements and stringent industry standards, including encryption.

Company spokesman Anton Shingarov is quoted as saying, the US ban was "part of a geopolitical game" and "there is no proof provided of any improper ties to the Russian government."

Although a direct connection to the Russian government may not be apparent, there may be a reason to question the company's government ties. Several years ago, several company executives were replaced by others who had strong ties to the Russian Federalnaya Sluzhba Bezopasnosti, or FSB, the Federal Security Service, the successor organisation to the KGB. It has also been reported that one of the owners of the company graduated from a KGB Academy, and as such may still have ties to the government. In both the cybersecurity arena, as well as the international espionage game, risk must be evaluated based on every conceivable connection, especially when it leads to a lack of trust.

Is this US government-Kaspersky incident just a geopolitical game of words, or is there a specific reason to be concerned? In early October, reports by The New York Times confirmed that Israeli counterintelligence officers had "hacked" into Russian systems and observed Russian government hackers poring through US-based computers for keywords and codenames linked to US intelligence programmes in real time. By using Kaspersky anti-virus software as an internal search engine for systems on which the software was installed, hackers were able to scan computers across the US for keywords and phrases. Since Kaspersky products have access to everything stored on a user's computer in order to search the contents for viruses or other malware, it was an easy step for Russian intelligence to design a search tool that exploited this software process and discovered items of interest.

Israeli intrusion into Kaspersky's corporate systems is reported to have begun in 2014, indicating potential opportunities for Russian officials to have monitored multiple US intelligence systems. US officials then began to dig deeper into ties between Kaspersky and the Russia government, and the potential for additional compromise of information.

Kaspersky officials did not discover the intrusion until mid-2015. They immediately began an internal investigation, publicly reporting their findings in June 2015. They named the new malware platform Duqu 2.0. This malware was an updated version of the infamous 2011 Duqu malware, which was related to the Stuxnet worm found infecting computers at Iranian nuclear facilities. In their report, however, Kaspersky officials did not identify Israel as the source of the intrusion. Kaspersky updated its systems, patching several zero-day Windows kernel vulnerabilities. It subsequently reassured its clients, stating, "Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company's products, technologies and services."

Are you at risk?

Computer security researchers from several universities consider the US government decision a prudent step for government and business users. But what does this mean for personal users of Kaspersky software, which account for approximately 5.5% of anti-malware software - tens of millions of users worldwide?

Florida International University cybersecurity researchers confirm that anti-virus software performs a deep sweep of the information contained on a computer, which may provide reliable, backdoor access to the computer system when manipulated by experts. Obviously, this could be used for nefarious activities such as launching cyber-attacks, data mining business information on the system, and theft of personal and account information. For a personal user, there is probably less urgency to remove the software, but removal must still be considered, since the anti-virus software has deep access to a user's computer and network, leaving individuals vulnerable to internal attack and to having their information exploited. "Anti-virus is the ultimate backdoor," Blake Darché, a former NSA operator and co-founder of Area 1 Security, is quoted as saying.

Should you remove Kaspersky? The answer depends on you. Who can you really trust?

(Iyengar is a distinguished Ryder Professor and Director, School of Computing and Information Sciences, Miami; Miller has been with the US Air Force for over two decades and is Coordinator, Discovery Lab, Florida International University)