For weeks, one of the world’s top security firms has been dogged by reports of government espionage. According to a string of reports, Kaspersky Lab’s antivirus software was used as part of a sophisticated effort by Russian intelligence to steal classified NSA documents. The software had flagged classified materials brought home by a luckless NSA contractor, and used the antivirus system to transmit the materials back to Kaspersky’s headquarters in Moscow. When Israeli agents broke into Kaspersky’s network for a separate operation in 2015, they found a hidden cache of NSA tools, and tipped off the US government that something was wrong. Was a popular antivirus program being used to steal government secrets?
Today, Kaspersky came out with its fullest explanation yet of what happened. The company admits that it retrieved and analyzed the files, but says there was a valid reason to flag them. The contractor was running a pirated and cracked version of Microsoft Office, which included a key generator that was infected with malware. (Just to pause a moment for the counterintelligence folks out there: yes, he put classified documents on a home computer that was running pirated software infected with malware.) While Kaspersky was cleaning up the malware, the company says it flagged the archived NSA files as suspicious and sent them back to headquarters for analysis.
It’s a plausible explanation, accounting for how the files ended up being sent back to Moscow without the company either colluding with or being compromised by the Russian government. The post may not convince everyone (denials never do), but if you’re inclined to believe Kaspersky is on the level, it explains how the company ended up in possession of classified NSA files.
But while Kaspersky’s explanation answers the most urgent questions, it’s left experts in government and the corporate world with profound doubts about Kaspersky and the antivirus industry at large. Kaspersky is still at the head of the industry, doing groundbreaking work on the BadRabbit ransomware just yesterday, but the new questions about collusion have proven hard to shake. Worse for the industry, it’s reminded customers exactly how much power an antivirus program has — and how much trust is required every time you install one.
The very nature of antivirus software makes it difficult to tell the difference between espionage and regular security work. In order to do its job at all, an antivirus program needs access to every file on your computer. That’s the whole point: if there’s any folder that’s off limits, all the malware will just hide in that folder. Antivirus software is also designed to work on devices that are already compromised, so AV scanners need more powerful permissions than almost any other program running on your machine. Lots of malware will try to outwit scanners by hiding in certain processes or blocking access to certain sections of the hard drive, so a high level of access is crucial for doing the basic work of antivirus scanning.
It’s also not unusual for an antivirus system to copy a particular file and send it back to headquarters. Most antivirus programs are looking for known malware, running a list of signatures against existing files. But as viruses have gotten more sophisticated, antivirus programs have also started looking for suspicious behavior. If a given program seems like it might be a virus, programs will often send a copy to the firm’s research division for further analysis, giving the company a chance to spot new types of malware early and add them to the list. The rules for which files get flagged are closely guarded, and for good reason. If you could predict which files an antivirus program would flag, you could design your malware program to avoid those signals and never get flagged.
None of this is nefarious or even suspicious, but it leaves antivirus manufacturers in an incredibly powerful position. If you’re running an antivirus program (which you should be), that program has root access to every process running on your device, and will routinely and silently take files off your computer to send back to a central research lab. There is, quite literally, almost nothing it cannot do to your computer.
That setup makes it hard to distinguish between espionage and the everyday work of security. When US and Israeli intelligence agents looked at the incident, they saw Kaspersky seizing and exfiltrating sensitive files; when Kaspersky investigated the same thing, the company saw a suspicious file being flagged and quarantined for further analysis. It’s hard to blame the intelligence services for reacting the way they did — those files should never have been on an unclassified computer, let alone sent back to a research lab in Moscow — but it’s entirely plausible that Kaspersky’s software did nothing out of the ordinary. We still don’t know what happened: there’s room for real doubts about Kaspersky’s explanation and the unnamed intelligence officers quoted in the original piece. But after months of growing suspicion, both sides could have been acting in good faith all along, and still let state secrets get out into the wild.
And so, we come back to the question of trust. The mere possibility of this kind of hack is enough to raise doubts. At a House subcommittee panel this morning, IISS cyber director Sean Kanuck told Congress that “foreign cyber exploitation of Kaspersky Lab products remains a sincere concern for US federal networks.” That’s unpleasant for Kaspersky to hear, but it’s hard to disagree with. Now that we know this is possible, shouldn’t we be concerned? Given the choice between an antivirus firm based in Moscow and an antivirus firm based in California, shouldn’t we weigh our options?
You can see where this road goes, both for Kaspersky and the tech world at large. We like to think of the internet as an international space, an idea that often bleeds over to technology more broadly. For years, no one questioned the wisdom of international web services, using Chinese-made hardware designed in America to power server farms across the world. As trust breaks down, we’re seeing that internationalism splinter, with more localized data and explicitly national services. Today, that’s a problem for Kaspersky in the US, but as the European Union cracks down on data sharing, Google and Microsoft are beginning to see similar problems in Europe. At the heart of all of it is this question of trust: how can we trust our data to a company thousands of miles away? If we really can’t, we’ll have to remake much of the internet as we know it.