By Sean Kanuck, IISS Director of Future Conflict and Cyber Security
On October 25, the United States House of Representatives scrutinised the risk posed by Kaspersky Lab products to the federal government. The Department of Homeland Security’s demand for federal agencies to remove all Kaspersky-branded products from their computer systems, and the alleged exploitation of Kaspersky networks by Israeli and/or Russian government agents, may warrant a congressional inquiry. But a much broader discussion about managing the risk associated with IT systems is needed on both sides of the Atlantic. Governments and companies that blacklist one compromised vendor run the risk of treating the symptoms rather than the disease, and of ignoring the inherent risks of cyber products.
In my testimony at the hearing, I stressed the need to fully assess the technical features of hardware and software solutions used for critical infrastructure in the public and private sectors. Kaspersky’s products – like several other commercial security offerings – are designed to provide complete, remote monitoring of all activity on a client’s network.
That fact carries two important implications for governments and other organisations:
- Cyber security vendors with similar access to thousands of client networks essentially become cyber intelligence aggregators, able to analyse trends and detect anomalies.
- The advertised remote access to client networks obviates the need for exploitative individuals or organisations to introduce clandestine back doors, making these products ideal conduits for intelligence collection.
A key point I made in my testimony was that wilful collaboration between Kaspersky Lab and a foreign intelligence service may be the wrong issue to focus on. Law enforcement and counter-intelligence agencies would certainly care about such complicity, but from an information risk management perspective it may be irrelevant. If a third party can compromise the commercial vector, then the inherent access of a corporate service provider becomes an undeniable vulnerability of the customer.
Moreover, well-resourced and highly determined adversaries will seek to compromise whichever IT products are in use, regardless of their country of origin. Banning Kaspersky products may simply shift the path of exploitative activity, rather than eliminating the threat. Members of Congress and governments in general should seriously consider the danger posed by criminal and state-sponsored hackers, including those from Russia.
If authorities do not fully appreciate the nature of these threatening forces, steps to counter their methods – such as removing and banning Kaspersky products – can fast become a game of whack-a-mole, with more attacks popping up through other routes. No IT system is perfectly secure, so governments must focus on improving the resiliency of public organisations in the face of continued cyber challenges. Such resilience comprises both better defences against penetration and backup measures that allow operations to continue when primary systems are degraded.