Marcus KolgaCanada should recognize the possible risks of software from Russian firms on our civilian and defence infrastructure, writes Marcus Kolga. Kaspersky Lab’s alleged ties to Russian intelligence has made the use of its software increasingly controversial in the United States.

By Marcus Kolga, Oct. 11, 2017

Few Canadians would imagine that a banal piece of anti-virus software, which comes conveniently bundled on many big box computers sold in Canada, might in fact be hiding a secret virtual door that invites Russian state hackers to snoop through their private emails and files. More worrying, this same door may be open to systems that run our civilian and defence infrastructure.

This is exactly what has happened recently in the US, according to a recent Wall Street Journal report. The report says “hackers working for the Russian government” stole details of classified US cybersecurity policies and defence technologies.

As it goes on to note, “a National Security Agency contractor removed the highly classified material and put it on his home computer.” The contractor and the files were apparently identified “through the contractor’s use of a popular anti-virus software made by Russia-based Kaspersky Labs.”

Further revelations by Israeli intelligence point to a broader and concerted Russian effort to use Kaspersky software as a backdoor globally. Israeli officials reportedly notified their American counterparts on this Russian intrusion through Kaspersky software in their systems.

Nagging allegations about Kaspersky Lab’s links with the Kremlin’s intelligence services have circulated for years.

That provides the context to a New York Times opinion piece by US Democratic Senator Jeanne Shaheen, published last month. In it, she raised concerns about the serious national security threat posed by the presence of software, developed by “Kaspersky Lab, a Moscow-based company with extensive ties to Russian intelligence,” on US government computers.

Already, the US Senate Armed Services Committee had banned the use of this software at the Department of Defense. And Shaheen had successfully introduced an amendment to the FY 18 National Defense Authorization Act requiring the removal of this software from all US government systems. The US Department of Homeland Security had shortly afterwards announced that all federal agencies were required to remove Kaspersky software from computers within 90 days.

Nagging allegations about Kaspersky Lab’s links with the Kremlin’s intelligence services have circulated for years. Company founder, Eugene Kaspersky is a former Soviet military intelligence officer, who strongly believes in strengthening “government regulation of social networks to thwart protest movements.” (Kaspersky currently denies any wrongdoing and refutes the connection.)

At a US Senate Intelligence hearing in May, Senator Marco Rubio asked six top US intelligence officials whether they would feel comfortable using Kaspersky software on their department’s computer systems, to which each answered with a resounding “no.”

In July, Bloomberg reported that emails between the company’s CEO, Eugene Kaspersky and senior staff, referred ominously to a secret project connected to Russia’s FSB – the successor to the Soviet KGB. An FSB security certificate was issued for Kaspersky Lab, which included a number connecting it to a Russian military intelligence unit. Kaspersky, a graduate of the KGB’s elite cryptology institute, wrote that the secret project included “active countermeasures (about which, we keep quiet).”

The same Bloomberg report cites a person familiar with Kaspersky Lab’s anti-DDoS system saying that it consists of two parts. One part reroutes attacking traffic to secondary servers intended to relieve pressure of the main attach. The second part “is more unusual: Kaspersky provides the FSB with real-time intelligence on the hackers’ location and sends experts to accompany the FSB and Russian police when they conduct raids.” This is “what Kaspersky was referring to in the emails, says the person familiar with the system.”

To presume that a regime engaged in international cyber terror and hacking won’t seize the opportunity to enter our civilian and defence infrastructure is dangerously naive.

Despite a statement by Shared Services Canada that it does not “have any Kaspersky software deployed on computers in its inventory,” Canadian government procurement records raise important questions on that statement.

One approved government vendor had secured rights to sell Kaspersky’s software to the Canadian government in 2014, and had sold software and systems to a broad range of federal departments since then, including National Defence.

Another 2015 Public Works tender document issued for the Department of National Defence states that a San Francisco-based company was awarded a contract to specifically provide software for integrated anti-virus scanning. A minimum requirement was an ability to include Kaspersky Lab software, among several others.

The risk that Kaspersky Lab software represents to federal systems may be debated. But to presume that a regime engaged in international cyber terror and hacking won’t seize the opportunity to enter our civilian and defence infrastructure is dangerously naive. Firewalls deployed by federal IT administrators to protect government systems against foreign hackers may not be enough, as firewall software is also part of Kaspersky Lab’s cyber security products. Wired Magazine has reported that “Microsoft, Cisco, and Juniper Networks all embed Kaspersky code in their products.”

Acknowledging and responding to the risks posed by a software company linked to the Kremlin’s intelligence apparatus is not an overreaction, but good policy.

The active threat of Russian state sponsored cyber warfare has expanded exponentially since 2007, when Kremlin hackers targeted and shut down Estonia’s banking and government websites. The expanding list of victims now includes NATO, France, Germany, Ukraine and the US.

Acknowledging and responding to the risks posed by a software company linked to the Kremlin’s intelligence apparatus is not an overreaction, but good policy.

Canada is an active member of NATO and a global defender of democracy and human rights, which conflict with the Kremlin’s interests. As such, we must accept that Canada is in the crosshairs of Vladimir Putin’s army of hackers and cyber terrorists and must act proactively to identify and counter potential risks.

The threat to Canada’s national security is real and the Trudeau government would be wise to follow the US lead by immediately removing all Russian software from federal computers, servers and other devices that could compromise it.

A national computer and software policy, which certifies hardware purchased by the government is free of any code written or sold by nations engaged in malicious hacking and cyberwarfare, is critical to helping ensure the integrity and security of our federal computer systems, sensitive state data and infrastructure.

Marcus Kolga is a senior fellow at the Macdonald-Laurier Institute’s Centre for Advancing Canada’s Interests Abroad.