Over the last couple of weeks, there's been a disturbing trend of governments demanding that private tech companies share their source code if they want to do business. Now, the US government is giving the same ultimatum and it's getting what it wants.
On Sunday, the CEO of security firm Kaspersky Labs, Eugene Kaspersky, told the Associated Press that he's willing to show the US government his company's source code. "Anything I can do to prove that we don't behave maliciously I will do it," Kaspersky said while insisting that he's open to testifying before Congress as well.
The company's willingness to share its source code comes after a proposal was put forth in the Senate that "prohibits the [Defence Department] from using software platforms developed by Kaspersky Lab." It goes on to say, "The Secretary of Defence shall ensure that any network connection between … the Department of Defence and a department or agency of the United States Government that is using or hosting on its networks a software platform [associated with Kaspersky Lab] is immediately severed."
Jeanne Shaheen, a New Hampshire Democrat, tells ABC News that there is "a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure." The fears follow years of suspicion from the FBI that Kaspersky Labs is too close to the Russian government. The company is based in Russia but has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate. "As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts," an official statement from Kaspersky Labs reads.
The proposal prompted an official response from Russian Communications Minister Nikolay Nikiforov. He warned that any "unilateral political sanctions" would prompt retaliation from Russia. He emphasised that his government uses "a huge proportion of American software and hardware solutions in the IT sphere, even in very sensitive areas."
The fight over source code comes at a moment when Americans are deeply distrustful of the Russian government. The Russians' alleged involvement in the hacking of the 2016 election, combined with numerous suspicious ties to our president's campaign, has everyone on edge. But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands.
Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to "code for security products such as firewalls, anti-virus applications and software containing encryption," according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. "It poses a risk to the integrity of our products that we are not willing to accept," a Symantec spokesperson said in a statement.
The risks are the same whether it's the US or Russia being given access to source code. It gives these governments an opportunity to locate security vulnerabilities that they might not be able to find otherwise. Obviously, Russia has been accused of numerous cyberattacks lately, including the Yahoo email breach and the hacking of the DNC. But the US also hoarded security vulnerabilities for years to use as cyberweapons. Recent global outbreaks in ransomware have been traced back to tools from the NSA that were leaked by a group known as the Shadow Brokers. In a statement following the WannaCry ransomware attacks, Microsoft said "an equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen." It's obvious that the US can't be trusted with this knowledge, and companies shouldn't help it gain more.
Lawmakers have every right to worry about Kaspersky Labs' products being used on official government systems. If they have some sort of knowledge that we don't, they should cut ties. But setting this sort of precedent is not a good sign. Kaspersky agreeing to the demand is not a good sign. Numerous western companies doing the same for Russia is not a good sign.
In the same way that experts say that you shouldn't pay the ransom when hit by ransomware, tech companies need to block this coercion before it gets out of control.