Kaspersky ban: The risks to global software

While Kaspersky defends allegations of collusion with Russian spooks, what are the wider implications to software globalisation?

The US’s decision to kick Kaspersky Lab out of government systems has potential ramifications across the IT world.

On 13 September, US acting secretary of homeland security Elaine Duke issued a binding operational directive (BOD) instructing Federal Executive Branch departments and agencies to identify and remove Kaspersky products from their information systems in the next 30 days.

The Department of Homeland Security stated: “The department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalise on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.”

In response, the company’s CEO, Eugene Kaspersky, blogged: “Despite today’s tense geopolitical situation, Kaspersky Lab has continued to do what it does best: focusing on protecting our customers from cyber threats regardless of where those threats may come from. The functionality of our products depends entirely on the code of our applications and the records in our databases – no mysterious magic here (just like there’s no mysterious magic with all other software companies’ products). And all our products and databases are openly accessible on public servers.”

Kaspersky said the company’s products do send data on malware objects to the cloud for further analysis, if the user has decided to go for this option, and added: “This is how any antivirus worth its salt works.”

As Computer Weekly has reported previously, Kaspersky Lab has launched a global transparency initiative, in which it said it would provide source code for third-party review.

The issues raised by the Kaspersky case affect not just Russian software, but products from any commercial software company that operates globally with distributed teams of developers and wants to continue to sell globally.

In response to a question from Computer Weekly on the US administration’s more nationalistic stance and its potential impact on the technology industry, Abby Kearns, executive director at Cloud Foundry, said: “We are such a globalised world. There isn’t anything we do in tech that doesn’t directly influence or touch someone in a different country and I don’t see how we could ever move away from that. Putting up walls and controls just stifles innovation. For me, open source represents a community of diverse people from all around the world and I would like to see more diversity. In open source, there is no way to get around this.”

A recent survey of code and contributors on the GitHub open source repository found that it has 24 million users across 200 countries. And while it has accrued more than one million new developers from the US since 2016, it has also added 700,000 new members from China. Overall, GitHub said 6.7 million developers have joined up since 2016, illustrating the global reach not just of its repositories, but also the international footprint of open source software.

Leading open source providers appear to be confident that the checks and balances they have in place can be used to prove their code is clean and does not contain hidden backdoors for foreign intelligence agencies.

OpenStack, for instance, has global reach among developers. The open source cloud platform is supported by Mirantis, founded in Moscow, and Chinese network equipment giant Huawei, whose equipment has been banned from US federal contracts, is a gold member of the OpenStack Foundation.

Effective strategy

Jonathan Bryce, executive director of the OpenStack Foundation, told Computer Weekly: “Open source is actually an effective strategy to mitigate issues like this. Kaspersky’s code is proprietary, which limits users’ ability to understand how it works. Open source software, by contrast, lets users see what is in the source code and even contribute to that source code, all in an open, public community of developers.

“This means that users can gain an in-depth understanding of how the software works. In an open source software project, challenges like the one facing Kaspersky’s users are, by design, less likely to happen, and this is one of the recent drivers for government adoption of open source worldwide.”

In effect, Bryce believes the level of peer review in the open source community means it is highly unlikely that a rogue developer, working on behalf of a foreign intelligence agency, could inject malicious code or a backdoor into open source products.

But as Heartbleed demonstrated, a vulnerability in core open source technology such as OpenSSL can go unnoticed for years: the flaw found its way into the code in 2011 and was only discovered three years later. Even so, the fact that open source code can be scrutinised should reassure those who feel concerned that their private and commercially sensitive information may be harvested by foreign intelligence agencies.

But the bigger issue facing society is the role software companies now play in working with such agencies. As Eugene Kaspersky said on Sky News recently: “They say that I have a strong relationship with Russian intelligence. So, technically speaking, if we have a relationship with the FSB cyber crime department [Russia’s federal security service], or if we cooperate with agencies like the FBI, it means we have that relationship with ‘intelligence’.”