Saturday, January 13, 2018

Kaspersky and the FSB


There was an interesting article in the Moscow Times today, "The Specter of Kaspersky Looms Over Russian Cybersecurity Firms". I have highlighted a few passages from the article below, and encourage you to read the entire article if you work, travel, or communicate with friends, family, or business associates in Russia. Although it is no surprise to the Russians, all communications in Russia are monitored by the FSB, and the Russian government maintains escrowed encryption keys that allow the FSB to access all encrypted communication. This ability to monitor communications and have access to escrowed encryption keys is the goal and intent of the FBI in America in its "Going Dark" debate.

Russian hackers have also struck fear in Western governments and voters. U.S. authorities have accused them of breaking into the servers of the Democratic National Committee and the emails of Hillary Clinton’s campaign staff.

Kaspersky Lab, Russia’s most successful cybersecurity firm and the only one to have established a firm presence abroad, has been accused of cooperating with Russia’s Federal Security Service (FSB) - one of the intelligence agencies accused of directing the hacks.

As a large cybersecurity firm, Kaspersky is a natural ally of Russian intelligence agencies in catching cybercrooks. It is a role that Eugene Kaspersky, the co-founder of the company that carries his name, has welcomed.

That the company has a relationship with intelligence agencies is not unusual, says Mark Galeotti, the coordinator of the Center for European Security at the Institute of International Relations Prague.
"Any major cybersecurity company will have a relationship with the intelligence agency in its country," he says. "If Kaspersky was based in Manchester, it would have a connection with British intelligence."

Until recently, Kaspersky’s close connection with the FSB was not a major worry in the United States.

As Soldatov explains, prior to allegations that it interfered in the 2016 U.S. presidential elections, the FSB was well regarded in the West. In the war against terror, the agency was viewed as an ally, especially after it tried to warn the United States about the Boston bombers.
Whether or not Kaspersky believes his company has helped the FSB spy, however, might be beside the point.

There are legal structures in Russia that render the work of cybersecurity companies transparent to the FSB, says Soldatov. As he puts it, for cybersecurity firms based in the country, the agency is "impossible to escape." That’s because encryption developers are required to procure a license from the FSB that "allows the agency access to everything they do."

There are also laws that allow the Russian government to surveil the country’s internet service providers through a system called the System of Operative-Investigative Measures, or SORM. In October, an American industry official who was briefed by the FBI on Kaspersky Lab pointed to that system as a key concern.

"Whether Kaspersky is working directly for the Russian government or not doesn’t matter; their internet service providers are subject to monitoring," he told the Washington Post. "So virtually anything shared with Kaspersky could become the property of the Russian government."

And a lot is shared with Kaspersky. Because, by definition, antivirus software is invasive. When users download it to their computers, they give the software free rein to rifle through their data for malware. What is recognized as malware is then sent back to Kaspersky headquarters in Moscow, where it is analyzed for threats.

There are also informal structures in Russia the firms must navigate, says Soldatov. These are the so-called siloviki - officials from the country’s military and security agencies, like the FSB, who have their own interests to satisfy.

The agency could have easily planted its own people in the company, says Michael Kofman, a researcher at the Washington-based Wilson Center focusing on security in Russia. "The most effective resource is an organization that doesn't know it's being used," he says.

In effect, Galeotti says, there is simply not much a cybersecurity firm in Russia can do to maintain its autonomy. "If you’re operating in Russia," he says, "you have to accept all the rules of the game."
