EARLIER THIS SUMMER the House Science Committee sent letters to 22 US government agencies requesting information on their use of Kaspersky Lab security products. As the federal government continues to investigate claims of ties between the Trump administration and Russia, officials in Washington have expressed concern that the government’s use of software from Kaspersky Lab—a well-known security vendor based in Russia—could compromise domestic intelligence. This request represents the most recent action in an aggressive campaign by Congress to review the possible security implications of using Kaspersky software for government infrastructure.
Already, the General Services Administration (GSA) has ordered the removal of Kaspersky software platforms from its catalogues of approved vendors. Meanwhile, the Senate is considering a draft bill of the 2018 National Defense Acquisition Authorization (known as the NDAA, it specifies the size of and uses for the fiscal year 2018 US Defense Department budget) that would bar the use of Kaspersky products in the military. While Congress certainly has a responsibility to maintain the security of government systems, such a blanket ban contributes to a growing protectionist trend in government technology procurement and threatens innovation.
Procurement choices have implications far beyond lost contracts. The move to strip out Kaspersky products from government systems is likely to have a chilling effect on government contractors and consumers. As the GSA evaluates the practices of contractors and suppliers in the government supply chain, use of Kaspersky products may prove to be a penalizing, if not disqualifying, factor for companies during the proposal evaluation process. The House Science Committee letters specifically request the names of any US government contractors or subcontractors that use Kaspersky products.
While the NDAA only targets software, Kaspersky technology is also integrated into the hardware and software products of companies like Juniper and Microsoft. It’s not clear whether the NDAA ban would bar use of products that incorporate Kaspersky technology. If it does, other tech companies might move away from partnerships with the company, which would be a blow to its business in the US.
Yet there has been no demonstrable evidence that Kaspersky is influenced by Russian authorities, nor that Russian intelligence services have cajoled the company into installing backdoors. Kaspersky Lab’s most significant, verifiable connections with Russian intelligence services are CEO Eugene Kaspersky’s education at a KGB cryptography institute and his stint in Soviet military intelligence more than 20 years ago.
Still, it is not unreasonable to think that Kaspersky Lab may have ties with Russian intelligence. The company employs former intelligence officers, and Russia’s relationship-based business climate means that it’s unlikely Kaspersky Lab could have succeeded without relationships with senior government officials.
However, it’s a charge that could be levied at many technology companies, especially cybersecurity firms. As the digital economy has grown, international intelligence agencies and technology firms have formed a sort of intelligence-industrial complex. After exiting US intelligence services, many former officers and cryptographers transition to jobs with big tech firms, hired for those skills they learned in the service or specifically for their strong personal relationships with government officials.
European powers are no different, with French intelligence service DGSE maintaining informal information-sharing relationships with French tech firms, and French companies often benefiting from economic espionage conducted by DGSE. In Israel, the Israeli Defense Forces' Unit 8200, an intelligence service, is known as a de facto technology incubator, with Unit 8200 alumni often exiting the service directly into already-funded tech startups, most often focused on cybersecurity.
Observing the ties and shared interests between intelligence services and foreign technology firms, other countries have decided to favor homegrown companies. Since 2014, Russian president Vladimir Putin has pushed for the country to become technologically independent from Western companies. The Kremlin is currently supporting a plan to remove foreign software from government offices and state-owned companies. Meanwhile, the Cyberspace Administration of China just released the final version of its measure to conduct cybersecurity reviews of network products and services used in key sectors. WTO members are already raising concerns that the vaguely defined regulations discriminate against non-domestic companies and technologies.
These protectionism concerns are legitimate. Congress should consider the market implications of a blanket ban; like any protectionist barrier, this type of restriction is likely to diminish domestic competitiveness, reduce availability of inexpensive goods and services, and prompt foreign retribution against US firms.
Most concerning, such measures will likely restrict consumer access to innovation. Kaspersky is an industry leader in endpoint security and cyber threat intelligence. Security researchers often rely on the company’s high-quality analysis of cyber threat groups, especially those from Russia. Today, the issue is one company, but plenty of technology firms have ties to intelligence services and governments. If this ban moves ahead, it is easy to foresee its use against Chinese, French, or Israeli firms. If such bans come, these firms’ national governments will be sure to make US tech firms share the pain, with retributive discrimination against US products.
If the US government has concerns beyond mere association with foreign intelligence services, if it truly believes certain technology products maintain vulnerabilities for foreign governments, officials should work with firms to provide a transparent process for reviewing such issues. Kaspersky has indicated its willingness to submit its products to review.
In 2010, in order to demonstrate to British security agency GCHQ that the Chinese government did not mandate backdoors in its telecom equipment, the Chinese firm Huawei built the Huawei Cybersecurity Evaluation Center to provide security audits and inspections of Huawei products. While the organization initially faced criticisms about objectivity, subsequent operational changes produced an auditing organization which, for the time being, satisfies British government concerns about possible vulnerabilities in the Chinese telecom company’s products. Rather than implementing blanket bans on products, the US government should pursue a similar compromise with suspect firms. Such a move could allay government fears and protect open US technology markets.
Ultimately, if the US wants to eliminate the threat of government-mandated vulnerabilities in foreign technology products, it should broker an arrangement at the diplomatic level. Microsoft, in its recently proposed Digital Geneva Convention, called on all governments to stop offensive operations against civilian networks and infrastructure. While such an agreement may be far off, an intermediate step in that direction might be for governments to cease mandates for vulnerabilities and backdoors in domestically produced software and hardware. An agreement against backdoor installation would provide relief for US, Chinese and Russian governments—and allow technology firms to reengage in truly free trade.