In a memorable episode of “The Sopranos,” Tony and two lieutenants murder a colleague they discovered has turned FBI informant. They shoot him on his boat and shove his weighted body into the ocean off New Jersey. In the pre-whack interrogation, they discover he’d flipped more than a year earlier. Thus, the damage was done.
This show came to mind when reading the Homeland Security binding operational directive to whack the cybersecurity software company Kaspersky Lab. The BOD has the cybersecurity world quivering; DHS gives agencies 90 days to remove Kaspersky products and software from their networks. Agencies now have less than 30 days to identify what Kaspersky products they use before they begin removing them.
Talk about a fire drill.
If Kaspersky is evil, then it’s got another 90 days to exfiltrate sensitive information, beyond the many years it’s already been doing so. If it’s totally above board, it’s getting unfairly caught up in broader political questions concerning Russia.
But the Kaspersky question has been spreading for months. A Senate provision in the Defense Authorization bill would ban the company from selling to the government. FBI agents visited the homes of Kaspersky employees, according to several published reports. National Security Agency director Adm. Mike Rogers told senators he was personally involved in watching Kaspersky. Eugene Kaspersky himself has offered to let U.S. federal officials examine its source code.
DHS says it’s concerned that, under Russian law, intelligence agencies there have access to data about U.S. federal networks generated by Kaspersky software. DHS cites ties to the Russian government and certain Kaspersky officials. Kaspersky rebuts DHS’s contentions. DHS has given Kaspersky the chance to provide a written response. More might come out at a House Science Committee hearing later this month where Kaspersky, DHS, the National Institute of Standards and Technology and others have been invited to testify.
To me, this affair raises several more questions. For instance:
What does DHS or any other agency know about the Kaspersky Lab network? The company describes it as its main cloud system for threat analytics. Kaspersky’s cloud servers are “distributed across the globe.” Did any agency check to ensure that federal data never ended up on a cloud server in China or Russia? They would ask that of any other cloud services company.
If DHS believes the worst about Kaspersky, how can it ensure that, once ostensibly removed, advanced persistent threats won’t be left behind to do future mischief?
What is the plan for replacing whatever functionality Kaspersky Lab products provided, and how are agencies expected to pay for it?
Will some sort of trade punch-counterpunch result from this incident? Russia ranks low on the list of U.S. trading partners. But it’s more than just vodka. The U.S. runs an $8.7 billion or so trade deficit with Russia, to which U.S. companies export around $5.8 billion worth of stuff, according to Census figures. Trade with Russia has dropped by about half in the last four years.
DHS took a highly visible action while providing little detail. We don’t know if something tangible happened or if the agency is just covering its keister. It should come clean, or at least cleaner, with what it knows. Many U.S. corporations that use Kaspersky Lab products would also like to know.