Wednesday, July 12, 2017

What Kaspersky Means for Cyber Policy


Kaspersky has officially and unofficially denied any wrongdoing of any kind. But on the other hand, the recent actions by the US Government have not been subtle. The question is whether you believe McCain and Rubio and the IC over Eugene Kaspersky. It is clear from public reports that there is damning, but classified evidence which the US has no intention of releasing.

And there will be impact from the ban: While it's true that government agencies are "free" to still buy Kaspersky products, its unlikely any agency will do so, other than as a migration plan onto a GSA approved product.

If you've been to any US conference recently you've seen the sad sad Huawei booth, run by a "reseller" who would just as soon have the Huawei name removed from his equipment lines and unread brochures. This is what awaits Kaspersky in the US market, and there does not seem to be a way to fight it.

While this action only directly affects US Agencies (further bans may follow in legislation), it would be difficult to be a US Bank (aka, Critical Infrastructure) and continue using their software, and this could have widespread repercussions (as almost all banks are tightly connected and that is a huge market to lose for Kaspersky). Likewise, cyber insurance plans may require migrating off Kaspersky as a "known risk".

Examining what Kaspersky could have done to generate this reaction, you also have to note there are no mitigating factors available for recourse. The offer of looking at the source code means nothing since Kaspersky's AV is by definition a self-updating rootkit. So let's go over the kinds of things it  could have been:

  • Hack Back assistance (aka, "Active Countermeasures", as hinted at in the Bloomberg Report)
  • HUMINT cooperation (i.e. especially at their yearly Security Analyst Conference)
  • Influence operations (aka, ThreatPost, which is an interesting side venture for an AV)

The USG has not said what Kaspersky did that was so bad. What we've said is one clear thing: There is a line. Don't cross it.

As most of my friends say: It's about time.

No comments:

Post a Comment