Slashdot Mirror
Should Kaspersky Lab Show Its Source Code To The US Government? (gizmodo.com)
Today the CEO of Kaspersky Lab said he's willing to show the company's source code to the U.S. government, testify before Congress, and even move part of his research work to the U.S. to dispel suspicious about his company. The Associated Press reports:
Kaspersky, a mathematical engineer who attended a KGB-sponsored school and once worked for Russia's Ministry of Defense, has long been eyed suspiciously by his competitors, particularly as his anti-virus products became popular in the U.S. market. Some speculate that Kaspersky, an engaging speaker and a fixture of the conference circuit, kept his Soviet-era intelligence connections. Others say it's unlikely that his company could operate independently in Russia, where the economy is dominated by state-owned companies and the power of spy agencies has expanded dramatically under President Vladimir Putin. No firm evidence has ever been produced to back up the claims...
Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees are former spies. Kaspersky acknowledged having ex-Russian intelligence workers on his staff, mainly "in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it. "It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated." And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.
A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." Meanwhile, Slashdot reader Kiralan shares this article from Gizmodo noting Kaspersky Lab "has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate." But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands. Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.
Like many cybersecurity outfits in the U.S. and elsewhere, some Kaspersky employees are former spies. Kaspersky acknowledged having ex-Russian intelligence workers on his staff, mainly "in our sales department for their relationship with the government sector." But he added that his company's internal network was too segregated for a single rogue employee to abuse it. "It's almost not possible," he said. "Because to do that, you have to have not just one person in the company, but a group of people that have access to different parts of our technological processes. It's too complicated." And he insisted his company would never knowingly cooperate with any country's offensive cyber operations.
A key Democrat on the Senate Armed Services Committee has told ABC that "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." Meanwhile, Slashdot reader Kiralan shares this article from Gizmodo noting Kaspersky Lab "has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate." But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands. Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.
Why should anyone trust closed source security software in the first place?
Even if Kaspersky shows the source today and intends to be completely upright in their dealings, they are still susceptible to govt interference. The govt could nully them into doing it's bidding, or could plant it's own people on the team.
Just as I understand China not wanting to take MS at it's word, we should probably not rely on these guys.
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
The real value of anti-virus software is not the source code, it's the data--the signatures it looks for to spot malware. I'm fine with them keeping their database proprietary. But why not make the source code freely available...unless they have something to hide!
What happens when you buy American? The "American" company that has it's actual headquarters in Ireland or the Bahamas (on paper at least) shifts it's profits into a Swiss bank account and then funnels the money back via a subsidiary in the Netherlands, helping no-one but their C-level executives.
The same argument then applied to every country who buys anything FROM the USA.
There is over US$2 Trillion in exports to be put at risk by other countries doing the same.
Does the USA really want to be locked out of 80% of the worlds economy and 94% of the worlds customers ?
So the federal government should only buy American where comparable American products exist?
But you start playing the protectionist game and other countries' governments may return the favor you've shown to their economies by ordering non American whenever a comparable product exists.
How well do you think Lockheed and Boeing will do when they're shut out of all European defense contracts because EADS, British Aerospace and SAAB all make comparable products?
How much do you think the already massively cost overrunning F-35 will cost when you can only spread the development cost over US only sales? It's a project that only got off the ground because they figured in export sales to people like the U.K.
It seems ironic that one faction within the US believes that a free market with minimal government involvement to skew that market is the key to success... except when it's politically expedient to add extra federal process to avoid a free market.
"Kaspersky Lab cannot be trusted to protect critical infrastructure"
Whereas the US government is totally trustworthy. /sarc
Enjoy life! This is not a dress rehearsal.