Russian anti-virus CEO offers up code for US govt scrutiny

July 2, 2017 by Raphael Satter and Veronika Silchenko
Eugene Kaspersky, Russian antivirus programs developer and chief executive of Russia's Kaspersky Lab, watches through a window decorated with programming code's symbols at his company's headquarters in Moscow, Russia, Saturday, July 1, 2017. Kaspersky says he's ready to have his company's source code examined by U.S. government officials to help dispel long-lingering suspicions about his company's ties to the Kremlin. (AP Photo/Pavel Golovkin)

The chief executive of Russia's Kaspersky Lab says he's ready to have his company's source code examined by U.S. government officials to help dispel long-lingering suspicions about his company's ties to the Kremlin.

In an interview with The Associated Press at his Moscow headquarters, Eugene Kaspersky said Saturday that he's also ready to move part of his research work to the U.S. to help counter rumors that he said were first started more than two decades ago out of professional jealousy.

"If the United States needs, we can disclose the ," he said, adding that he was ready to testify before U.S. lawmakers as well. "Anything I can do to prove that we don't behave maliciously I will do it."

Kaspersky, a mathematical engineer who attended a KGB-sponsored school and once worked for Russia's Ministry of Defense, has long been eyed suspiciously by some competitors, particularly as his anti-virus products became popular in the U.S. market. Some speculate that Kaspersky, an engaging speaker and a fixture of the conference circuit, kept his Soviet-era intelligence connections. Others say it's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin.

No firm evidence has ever been produced to back up the claims. But this has not stopped what was once gossip at tech conferences from escalating into public accusations from American politicians and intelligence officials amid rising concerns over Russian interference in the United States.

Senior U.S. intelligence officials have suggested Congress steer well clear of Kaspersky's products and lawmakers are weighing a proposal to ban the company from the Pentagon. Law enforcement seems to be taking a hard look at the company as well. On Wednesday, NBC News reported that at least a dozen U.S. employees of Kaspersky were visited at their homes by FBI agents.

Kaspersky confirmed the NBC report, although he said he didn't know what the focus of the FBI's questioning was. He did say his relationship with the FBI was now shot.

"Unfortunately, now the links to the FBI are completely ruined," he said, noting that his company cooperated with both U.S. and Russian law enforcement. "It means that if some serious crime happens that needs Russian law enforcement to cooperate with FBI, unfortunately it's not possible."

The FBI declined to comment, but agents are unlikely to lose much sleep over that; Kaspersky allowed that cooperation between Russia and the United States on cybercrime has often been "far from perfect."

Still, lawmakers' moves to single out the company for special punishment worry even Kaspersky's critics, who note that it would set an unfavorable precedent for American technology firms—many of whom are known to work closely with the U.S. National Security Agency.

Eugene Kaspersky, Russian antivirus programs developer and chief executive of Russia's Kaspersky Lab, poses for a photo on a balcony at his company's headquarters in Moscow, Russia, Saturday, July 1, 2017. Kaspersky says he's ready to have his company's source code examined by U.S. government officials to help dispel long-lingering suspicions about his company's ties to the Kremlin. (AP Photo/Pavel Golovkin)

Kaspersky defended his work during the interview, saying he never benefited from official protection of any kind.

"I do understand why we look strange. Because for Russia it's very unusual, a Russian IT that's very successful everywhere around the world. But it's true," he said.

Kaspersky said his company does exclusively defensive work, although under questioning he allowed that some unnamed governments had tried to nudge him toward hacking—what he calls "the dark side."

"There were several times it was close to that," he said, adding that the officials involved weren't Russian. He said in one case a discussion about defensive cybersecurity cooperation "turned to the offensive."

"I stopped that immediately. I don't even want to talk about it," he said.

Eugene Kaspersky, Russian antivirus programs developer and chief executive of Russia's Kaspersky Lab, talks during an interview at his company's headquarters in Moscow, Russia, Saturday, July 1, 2017. Kaspersky says he's ready to have his company's source code examined by U.S. government officials to help dispel long-lingering suspicions about his company's ties to the Kremlin. (AP Photo/Pavel Golovkin)

Kaspersky's offer to have his code audited may not quiet all the skeptics, some of whom are concerned less about the integrity of the company's software and more about the company's staff and the data they gather. Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees come from espionage backgrounds.

Kaspersky acknowledged having ex-Russian intelligence workers on his staff, saying that "most probably we have these guys in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it.

"It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated."

And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.

"We stay on the bright side," he said, "And never, never go to the dark side."

An employee of Kaspersky Lab works on computers at the company's headquarters in Moscow, Russia, Saturday, July 1, 2017. The chief executive of Russia's Kaspersky Lab, Eugene Kaspersky, says he's ready to have his company's source code examined by U.S. government officials to help dispel long-lingering suspicions about his company's ties to the Kremlin. (AP Photo/Pavel Golovkin)

EmceeSquared
1 / 5 (2) Jul 02, 2017
If the USA government's "defense" department were legitimate, if the NSA were legitimately "national security", then they would certify both open and privately disclosed source code like Kaspersky's as secure. More importantly: voting systems.

But Kaspersky waiting until Trump, or rather трумп, controls the Pentagon makes this "scrutiny" look like evidence that Kaspersky is as controlled by Putin as Trump is.
antialias_physorg
not rated yet Jul 03, 2017
I wish these kinds of systems were open source (yes I know: That's not what Kaspersky is talking about. In any case, fully open source is not gonna happen. Companies do want to make a buck, and that's perfectly understandable). But open source would lead to faster identification of bugs and faster fixes.

Code that only a select few have access to is always a problem, as (exploitable) bugs can be kept secret for a long time.

That said antivirus software (and your operating system) in general is a security issue in its own right. It runs with elevated privileges and can be remotely updated - which basically means it can be turned from defensive to offensive at any time.
EmceeSquared
1 / 5 (1) Jul 03, 2017
antialias_physorg:
Code that only a select few have access to is always a problem, as (exploitable) bugs can be kept secret for a long time.


The US Defense Department could require of any product or service that advertises security benefits that it be tested in a lab certified by the Defense Department. Much like the FDA requires medical claims to be tested in labs. Some labs could be government operated, like the FDA/NIH do for medicine. But most could be just certified to test security.

Academia could play a big role here, as it already does in security research. Academia has lots of infrastructure for working under non-disclosure agreements in medicine and other commercial research.

The lab certification could include a phase where the part of what's tested that must remain secret is identified, and the rest open-sourced. Vendors would be incented to open the maximum source because that would generally get a higher test score, because open source is more trustworthy.
antialias_physorg
not rated yet Jul 03, 2017
The US Defense Department could require of any product or service that advertises security benefits that it be tested in a lab certified by the Defense Department.

Sorta. They give you STIGs (security technical implementation guides), and your software must comply with as many of these as possible.

Academia has lots of infrastructure for working under non-disclosure agreements in medicine and other commercial research.

Academia is (mostly) open source.

The lab certification could include a phase where the part of what's tested that must remain secret is identified, and the rest open-sourced.

While this is ideal, reality is that software in medical and security sectors has...erm..."grown by accretion" over the years. Some parts of it are 15 years old or older and fairly monolithic. It's not as modular as one might think.

I have yet to see a single manager who is willing to shell out money for refactoring (and believe me, I've asked...oh how I've asked)
EmceeSquared
1 / 5 (1) Jul 03, 2017
antialias_physorg:
The lab certification could include a phase where the part of what's tested that must remain secret is identified, and the rest open-sourced.

While this is ideal, reality is that software in medical and security sectors has...erm..."grown by accretion" over the years.


I mean the model where medical claims require medical testing, transferred to security claims requiring security testing. Mandatory, as for medicine.

Academia is (mostly) open source.


Huge amounts of academic development and review of commercial products are under NDA, closed source. Though the baseline is open, which encourages the maximum determination of what can be opened among what is reviewed. Academia can pressure security products to protect IP by patent, copyright and trademark instead of by closed source "trade secrets".
