The news just keeps getting worse for Kaspersky Labs, the Russian-owned software company whose popular antivirus program, long suspected of being a covert tool for Russian intelligence, finds itself at the center of a major espionage case. The story provides a few object lessons for cleared professionals in why there are rules and procedures for information assurance and protection of classified information.
Friday afternoon, the Wall Street Journal broke the news that Russian hackers, working for the Kremlin, had stolen highly classified documents from the home computer of a contractor at the National Security Agency (NSA). The hackers were able to identify the contractor, and the fact that he worked at NSA, through the Kaspersky antivirus program installed on his home computer.
According to the WSJ, the stolen information allegedly includes details on “how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S.” Possessing this information could give the Russians an advantage in their cyber operations against the U.S. and its allies.
Long-held suspicions about Kaspersky
In July, ClearanceJobs reported that the General Services Administration had quietly removed Kaspersky’s antivirus program from the list of approved software for government computers. That move transformed into a complete ban in September. It had never been approved for use on computers within the intelligence community, but there were no formal policies regarding home use of the software.
For its part, Kaspersky has dutifully denied any “inappropriate ties” to the Russian government, or any other government. Those denials seem to be increasingly disingenuous. Eugene Kaspersky, the company’s founder, earned his computer science degree from what was called at the time “The Technical Faculty of the KGB Higher School.” The school’s name changed following the fall of the Soviet Union, but it is still a training facility for the FSB, the Russian federal security service descended from the KGB.
The WSJ article notes too that “Russian law can compel the company’s assistance in intercepting communications as they move through Russian computer networks.” Let the NSA try that with any Silicon Valley company.
The obligation to protect classified information
Of course, had the contractor not stupidly — not to mention illegally — taken classified information from the workplace, where it could be properly stored and safeguarded, and put it on his unsecured home computer in the first place, his choice of antivirus software would never have been an issue.
How many times do we need to review this? If you work in the intelligence community, you must assume that people are watching all the time. U.S. counterintelligence agents are watching to see who might be a leaker, or be in a position to become one, even an inadvertent one. And this incident illustrates that foreign intelligence services are still actively trying to identify IC employees and exploit that knowledge.
The contractor responsible for the release of this information may have been careful in many other respects. But even if he never told anyone that he worked at the NSA, and never discussed his classified work outside the SCIF, his antivirus software gave him up.
The damage to national security is likely to be severe.