If Eugene Kaspersky had attended Wednesday's House hearing on the risk his company's anti-virus software poses to the U.S. federal government, he would have faced an unfriendly reception.
But the founder and CEO of Moscow-based Kaspersky Lab wasn't invited to testify, although the chairman of the House Science, Space and Technology Oversight Subcommittee - Rep. Darin LaHood, R-Ill. - said the panel would "entertain" the possibility of inviting him to a future hearing.
The anti-Kaspersky tenor at the hearing - perhaps justified, perhaps not - was bipartisan. "I am glad that the U.S. government has realized this," the ranking Democrat on the panel, Rep. Don Beyer of Virginia, said of security concerns surrounding Kaspersky Lab's anti-virus software, which led to a ban of the software on U.S. government computers (see Kaspersky Software Ordered Removed From US Gov't Computers).
Rep. Lamar Smith, R-Texas, the chairman of the full committee, said recent remarks by Kaspersky have done little to alleviate concerns about the insecurity of Kaspersky Lab products. "While once considered reputable, Kaspersky Lab, its founder and their Russian ties have created a significant risk to U.S. security," Smith said. "According to several media investigations, these connections have allowed Kaspersky Lab to be exploited not only by the Russian government but also by criminal hackers around the world."
Hours before the start of the hearing, Kaspersky Lab issued a preliminary report of an internal probe, which found that a consumer version of its software running on the home computer of a contractor working for the National Security Agency had identified variants of Equation Group advanced persistent threat malware source code (see Kaspersky Lab Says It Spotted APT Code, Quickly Deleted It). The Equation Group is believed to be associated with the NSA's Tailored Access Operations offensive hacking group.
Proof Lacking on Kaspersky's Complicity
For the U.S. intelligence establishment and many lawmakers, there seems to be little doubt that Russian intelligence exploited Kaspersky Lab's anti-virus software to cull classified information from an NSA contractor's personal computer. What's unclear - and no evidence was provided at the hearing - is whether Kaspersky himself or his company worked with Russian intelligence to exploit the anti-virus software.
But as several of the expert witnesses at the hearing noted, it's not just Kaspersky Lab's anti-virus software that's susceptible to exploitation.
"Because of the persistent nature of the threat, all [anti-virus] software is vulnerable," said David Shive, CIO at the General Services Administration, the federal agency that's enforcing the government ban of Kaspersky products. "That's why CIOs have the obligation to assess those software [products] before they enter them into service and into their agencies."
Sean Kanuck, director of future conflict and cybersecurity at the think tank International Institute for Strategic Studies, said all anti-virus software includes features that could be exploited by nefarious actors.
"Quite frankly, in my experience, foreign intelligence actors and criminals alike, once they find out who has access to the network they seek to access, they'll attempt to derive ways to exploit that path, and it's a matter of intent and resources," Kanuck told the subcommittee. "I do not believe there's any network or any product that is perfectly secure. It's all a risk management issue."
Why Wasn't NSA Notified?
One panel member, Rep. Barry Loudermilk, R-Ga., cited an article published by the Associated Press on Wednesday in which Kaspersky, in a brief interview, acknowledged the discovery by his company of malware on the NSA contractor's computer and said he then ordered his subordinates to delete it. Loudermilk suggested that instead, Kaspersky Lab should have notified the NSA upon discovering malware.
But Kanuck pointed out that Kaspersky might not have been legally subject to a secrecy agreement with the U.S. government to report the malware. Still, Kanuck said, "I'm personally a little surprised that knowing the scrutiny his firm is under, that he might not have taken an opportunity to return it to the U.S. government and try to get in our good favor."
Loudermilk quickly interjected: "Maybe redeem himself, you know, to show good will."
Loudermilk focused on two references in the AP article that said the hacked Kaspersky software enabled the sending of classified material to Moscow. "The scan didn't just treat the infection," the AP article said. "It also triggered an alert for Equation Group files the worker had left in a compressed archive, which was then spirited to Moscow for analysis."
The congressman implied that the reference to Moscow meant Russian intelligence. "After seeing they're classified NSA documents, [Kaspersky] determines not to notify the NSA, but sends them to Moscow, and then says I'm going to have them deleted," Loudermilk said. "That's pretty suspect to me."
There's a bit of ambiguity here. It's unclear whether the malware was programmed by the attackers to send the documents to Moscow (read: Russian intelligence). And it's not clear whether the term "Moscow" referred to Kaspersky Lab's headquarters or Russian intelligence.
Regardless, the exploitation of Kaspersky Lab anti-virus software is allegedly behind a major breach that has resulted in Russia gaining access to some of the NSA's most sensitive secrets.
Hearings such as the one held Wednesday aren't meant to uncover critical details, but mostly to educate lawmakers on the underlying issues. Additional hearings, though, could feature experts with direct knowledge of this hack and Kaspersky's involvement. Let's hope that Eugene Kaspersky's name appears on those witness lists.