Kaspersky, Russia, and the Exposure of American National Security Secrets

October 22, 2017

Last week, news broke that hackers working for the Russian government acquired American intelligence programs by exploiting weaknesses in Kaspersky Lab, a software security program used by several agencies in the United States government. According to the Wall Street Journal, the hackers successfully acquired “details of how the U.S. penetrates foreign computer networks and defends against cyberattacks,” including “details about how the NSA [National Security Agency] penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S.”
The same report described the breach as having occurred because an NSA contractor, who used Kaspersky Lab antivirus software on his home computer, removed classified material from his work computer and put it on his home computer, thus leaving the information susceptible to attack. There is no indication that the individual sought to aid the Russian government in any capacity. This reportedly occurred in 2015, although it was not known until last spring. Israeli intelligence officials informed the United States that Russians used Kaspersky “to aggressively scan for American government classified programs, and pull[ed] any findings back to Russian intelligence systems.” Although Kaspersky denies knowledge of or involvement in Russian espionage efforts, many in the national intelligence community have speculated that the company “is a proxy of the Russian government”—or if not a proxy, certainly capable of assisting the Russian government.
Nearly two dozen American agencies use or have used Kaspersky’s software. This group includes the State Department, the Department of Defense, the Department of Justice, and the Army, Navy, and Air Force—and each of these agencies holds highly classified and sensitive information. Interestingly, the NSA “bans its analysts from using Kaspersky antivirus at the agency, in large part because the agency has exploited antivirus software for its own foreign hacking operations and knows the same technique is used by its adversaries”—yet it was still through an NSA contractor that the Russian hackers were able to access the sensitive information. There is also the question as to why other agencies used Kaspersky even though the NSA was aware of significant, compromising flaws in its antivirus software. In fact, a former NSA operator noted that antivirus software is “the ultimate backdoor,” meaning that it can be used to perform devastating attacks and to execute espionage operations.
On September 13, the Department of Homeland Security announced a mandatory order requiring all agencies using Kaspersky products to remove the software within ninety days. Of particular note, the mandate noted: “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.” Perhaps not surprisingly, the Russian embassy responded the following day, lamenting the “regrettable” decision delaying the “restoration of bilateral ties.” About a month later, the public learned via the Wall Street Journal report that Russian hackers acquired highly classified information.

Among a multitude of concerns, the revelation that Russian hackers acquired American national security secrets forces the United States to consider an important question: who do we trust with our cybersecurity?

For a country that is already in an adversarial relationship with Russia, the fact that Russia was able to obtain national security secrets relating to our cyber defenses and capabilities puts additional strain on the relationship. Moreover, why are government agencies—particularly ones that handle classified information relating to foreign policy, defense, and grand strategy—trusting antivirus software made by a company which is suspected to be “a proxy of the Russian government” and whose founder was educated at a KGB-sponsored school? Why have American agencies used antivirus software of questionable security when antivirus programs already pose a vulnerability? Additionally, if the NSA does not trust the antivirus software enough to use it on its own computers, why were other agencies permitted to use it?
Presumably, more information will continue to emerge and shed light on the situation. The United States government should use this as an opportunity for serious reflection on who it trusts to protect sensitive and classified information. To be fair, even if Kaspersky software had not been used on any government computer, that alone may not have been enough to prevent this problem. That does not, however, excuse the government for not taking common-sense measures to ensure that its information is as secure as possible.