In a two-pronged charm offensive Kaspersky Lab, and Eugene Kaspersky in particular, held two consecutive events yesterday to bolster the company's position as a reliable and responsible contributor to global cyber-security – and specifically defend against charges that the company and its founder are in some way agents of the Russian state.
First came a cross-industry panel on Ransomware aimed at ensuring an informed, realistic public understanding of the threat, achieving a balance to foster concern, without spilling over to paralysed fear, and then informing what they might do about it so as to feel empowered to act.
Then came Eugene Kaspersky's defence against what he described as a coordinated US media and government attack designed and orchestrated, with money and lobbyists, commenting that, ”The scale of this attack means there is some very big money behind it.”
The attack referred to is the reports that Kaspersky products were used to expose NSA hacking tools, leading to a US government ban on the use of Kaspersky products, and extensive subsequent negative reporting of the issue, capitalised on by competitors. So much so that Kaspersky told reporters it has had a negative impact of between minus five or minus eight percent on revenue compared to the previous year in the US & Canada while it was experiencing double digit growth in rest of world apart from Western Europe where it was zero growth. With some US$ 700 million of global revenue, of which 25 percent is in the US, that puts the impact of the negative press at up to US$ 14 million in the past year.
UK national press and international agencies were tough in their questioning, pressing with repeat questions along the lines of, “You were trained by the KGB and served in the military. They say, once in the KGB, always in the KGB. If you are leaned on by the FSB (Russia's successor to the USSR's KGB), surely you can't refuse working for them? Have you provided products and services for the Russian intelligence agencies such as the FSB, have you ever spied for them? Have you ever been asked to spy for them?
Kaspersky responded that his company does assist law enforcement around the world, so it does supply such services to UK counter-criminal intelligence, and the FSB's anti-criminal activity. But he was adamant that, “We never helped espionage agencies. We've never been asked by the Russian government for intelligence, apart from [in relation to] defence from particular attacks. And we only share information if the device is within Russian borders, not if it's held outside.
“The FSB never asked us to spy. I have been asked in other countries, not Russia, to take more offensive action and I ended the conversation. I stay on the defensive part.
“If Russia asks me to spy I will move the business out of Russia.”
“We don't do anything wrong. We just do our job much better than our competitors and I am not going to change our behaviour, and these media attacks will never stop us.”
Kaspersky acknowledged that it was a fact that his education was at a KGB college studying cryptography and that is now a cryptographic academy, then he worked as a software engineer for the Russian Military “not even a cryptographer.”
He emphasised, “We are providing our tech and services to fight malware and stop attacks, not to spy on our customers.”
Kaspersky characterised the current controversy as ‘The code wars episode 2', with episode one being the attacks in 2012 based on Kaspersky having a Moscow office and using a sauna, with accusations he insists were, “Not facts, just opinions, with no hard data.”
This year there have been FBI visits to employees in the US and visits to partners in the US “spreading rumours and wrong information about the company,” and while there has been no action since the second week of October, Kaspersky says the company is still feeling the negative impact.”
“It was a big surprise for me when we were facing such a Tsunami of negative press.” He went on to ask, what are reasons for this media assault? One by one he considered and dismissed possible explanations, including general global geopolitical turbulence, internal US political turbulence to use against the NSA, “but we are not big enough to have that impact.”
The possibility of it being due to competitors was considered, noting the 2010/2011 attacks on China's Huawei, when seeking to launch national broadband in Australia, it was claimed its products had backdoors, working for China, CISCO won the contract and no backdoors were found. But Kaspersky contracts are not the same size.
Other theories were that it could be a combination of all that, or something not known or understood, or, in Kaspersky's words, “Because we are the best.”
Kaspersky said that while there was perhaps 80 percent factual information in the reports, a further 20 percent untrue information was responsible for the negative spin. He acknowledged, “We assist Russian intelligence to fight cyber-crime and conduct international investigation of cyber crime – which is undertaken by the FSB into cyber-gangs. We assist them, provide technical information, the logic of malware etc. We are working with national and international law enforcement including say the UK. But the use of word Russian, makes it appear as if we were a contractor for FSB espionage – and that's not true. Some of our guys may follow agents on arrests, it's true, because they need our specialist support on these. Most probably the FSB uses our products, the same as are used in the rest of world.”
The big argument in Kaspersky's favour is the lack of evidence to the contrary. As Kaspersky points out, “Its possible to check what we do. As we communicate with our customers, we distribute the same code for the whole world so professionals can download, unpack and read it, so in 20 years, they've found nothing wrong with our products and services. They do unpack it, I'm sure, as its possible – we don't do any tricks to hide the functionality.”
To reinforce this argument, the company is undertaking a global transparency initiative with transparency centres in Europe, the US and Asia, which will have Kaspersky's source code, date and history of updates etc for respective governments and agencies to inspect and review. It will also start a bug bounty programme to find any errors in its code or updates.
Kaspersky also reiterated the history of the Equation group (NSA hackers) tools found by Kaspersky, again emphasising that it was only found twice and it was deleted – having run for a week after the Kaspersky products were reactivated by the unknown user. But as Der Spiegel already reported on this being US state sponsored malware and shadow borkers released them, this was not viewed as the main cause. Another possible reason cited was the August 2016 discovery by Kaspersky of the native English- speaking malware Remsec/Project Sauron, a massive infection impacting many Russian government departments.
SC Media UK asked Eugene Kaspersky if, given that technically the Kaspersky products could be misused, and the Russian government could theoretically exert pressure, was it not just prudent risk reduction for the US government to ban the use of Kaspersky products and services. Kaspersky responded, “ I can respect if the US government decides not to make our product available for US government – and we have almost zero [installations] in the US government and its agencies. But with us it's not just made about not being used in government, it's about the media, making [a negative impact] in the market and impacting [Kaspersky's] businesses.”
He went on to note how software is now international – the software running our phones or our power stations could be made anywhere in the world and is unlikely to have been made in our own country. “Software can be made anywhere. Our transparency centre, opening the source code, shows we are not afraid of others inspecting it. Others looking at it will cry.”
It is policy, but journalists did point out that ultimately it is it down do Eugene Kaspersky to implement the policy that if classified information is found , it must be deleted. “We have had that twice in 20 years,” he added.
Ultimately, however, it comes down to human discretion and trust. Kaspersky acknowledged, that if US employees found classified information, it wasn't possible to guarantee they will delete it (and by implication, if Russian employees found classified information), but the instruction is to do so.
In the second event Kaspersky Labs general manager UK & Ireland, Adam Maskatiya, Eugene Kaspersky, and David Emm, Kaspersky principal security researcher, held a panel discussion jointly with Raj Samani of McAfee and the anti-ransomware joint initiative with Kaspersky, NoMoreRansom and Sarah Martinez of GetSafeOnline, to ask what can be done to alert the public to the dangers they face without causing them to freeze in fear.
For the cyber-security industry, 2017 has been a year in which we saw the resurgence of Ransomware, particularly with WannaCry and Petya/NotPetya, but for the general public – who are our employees and customers – they have allowed it to pass them by, as too technical or daunting to deal with.
People need protection, including decryption tools, and they want to receive the information they need about attacks, thus striking a balance between things that alarm them and give them the means to feel empowered, not paralysed.
Eugene Kaspersky kicked off by explaining how over the last couple of years ransomware has become one of the most visible cyber-security problems, with Wannacry the first network worm for nine years, since Conflicker.
“No such vulnerability in network protocols had been seen for nine years. It allowed a combination of pandemics, with ransomware and cyber-warfare tools in the same package, thus it was such a big shock. This very effective self-replicating malware combined with cyber-warfare is just an indicator and enabler for other ransomware gangs to ‘improve their business' so it's an example for the bad guys of what can happen. They are improving their skills,” warned Kaspersky.
He added that it's not just a tool to encrypt – it's the logic behind it - send a phishing email, look for online bank accounts, and if found, steal from them, and if they are not found, give control to the ransomware.
“So it has different malware for the two scenarios. Thus it has business logic; it's not just stupid guys doing a bad job – its smart guys who are criminals behind this new generation of malware.”
It was suggested that in the future ransomware will have a massive impact on physical infrastructure as the next generation of ransomware will be optimised to deliver targeted attacks on infrastructure and will have a visible impact on physical ifnrastruture.
Samani added that ransowmware has already been shown to have an impact on real life – with 6,312 medical procedures impacted by a piece of code in the WannaCry attack, and even turning off of internet access for patients had a negative impact. These examples, “Show that this is not an IT issue. We are dependent on technology,” adding that the founding of NoMoreRansom was when society stood up and said, No more. And it has subsequently saved millions of pounds of potential losses.
It was reported that ransomware a quarter of Ransomware attacks are on business, and three quarters on consumers, but most people do not think they are likely to be hit.
Martiz agreed that there was growing awareness of what Ransomware is, but a big problem is to have a coherent message of what it is and what you do to protect yourselves. She commented, “People switch off if they think it's highly technical, but here are some basic things you can do to protect yourself. They get so confused as to what is real and what isn't they do nothing.
It was also noted that an important aim is not just to protect the businesses, but also to ruin the bad guys' business. Technology has made it easy for them. We need to make it less economic and put a greater threat on their liberty.