EDWARD LUCAS

Software spying scandal is just the tip of the iceberg

Claims that a popular antivirus program allows Russians to hack computers should shake us out of our complacency

The Times

Would you hand your house keys to a private security company, giving its employees the right to see anything you do in your home, sort through your belongings and open your post? Put like that, the answer would be “probably not” — especially if the company concerned is based in Russia and founded by a former KGB officer.

The claim, published in this newspaper yesterday, that Kaspersky Lab software is being used by the Kremlin to hack into western companies looks compelling. The company’s founder, Evgeny Kaspersky, is a former KGB cryptographer who celebrates the Russian secret police holiday on December 20 and still keeps his old uniform in his office cupboard. Amid growing concerns, the American and British governments last year banned Kaspersky software from their computers. The real scandal is that the British authorities are not making the same recommendation to the rest of us.

I have always been amazed that people would voluntarily install Russian-made software on their computers. But the Kaspersky story is complicated. All antivirus software is necessarily intrusive. When we install these programs, we give them the power to identify and purge viruses on our machines, and to prevent new ones arriving. They scan every file on a computer and check it against a list of known “malware” — malicious software that can steal your password, force you to watch unwanted advertisements, send spam emails to your friends, or scramble your data and demand a ransom. Anything suspicious is logged, quarantined and deleted.

After the initial spring clean, the antivirus software then monitors electronic visitors who may come bearing unwelcome gifts. It scans email attachments before you download them, and vets new software before allowing you to install it. The results of this snooping are usually sent to headquarters to allow the software manufacturers to investigate new threats and fine-tune their products to deal with them.

In these respects Kaspersky Lab’s antivirus software is just like its competitors. The main distinctive feature is a positive one: it works well.

The problem — if the whistleblower behind the latest claims is to be believed — is that Kaspersky has fallen under the Russian authorities’ thumb, potentially compromising tens of millions of computers around the world. The only known casualty of this is America’s National Security Agency, the counterpart to Britain’s GCHQ. A rogue NSA employee is said to have taken home some top-secret hacking tools and kept them on a computer which was protected by Kaspersky software. The antivirus program, quite rightly, identified these programs as potential malware and sent details to Moscow, from where they reached the Russian intelligence agency.

For critics, this is not just a one-off but symptomatic of Kaspersky’s collusion with the Kremlin (which the company’s managers strenuously deny). If so, the company is doomed.

It may seem implausible that the company would hasten its own destruction by betraying its customers to the government. But any business based in Russia is vulnerable to government pressure. The more successful and influential it is, the greater the risk. A successful software company whose products are installed on tens of millions of computers around the world is a conspicuous target. Even if Mr Kaspersky does not willingly help the Kremlin, the Russian authorities have plenty of ways of using and abusing his company’s capabilities.

Many customers will decide that they would rather not take the risk. Other antivirus software is pretty much as good (and the latest version of Windows includes a state-of-the-art antivirus capability, so buying a separate product is unnecessary).

But shunning Kaspersky products will not make us much safer. Countries with high-end cyber capabilities such as Britain, China, France, Iran, Israel and the US have abundant means of breaking into almost any computer — for example with bogus software “updates”. Much of Britain’s communications run on equipment made by Huawei, a Chinese company founded by a military officer which is banned from bidding for government contracts in America. We take a much softer approach. A bunch of ex-GCHQ types, based at a building in Banbury called “the Cell”, scrutinise Huawei products to see if anything is amiss.

That may work, though modern chips and software are so complex that concealing a sneaky extra capability is easy. For most of us, though, the problem is not high-end attacks by Russia and China, but the threats which abound from other quarters, resulting from three decades in which we have put convenience and low cost ahead of computer security.

In particular, the multibillion-pound cybercrime epidemic shows no sign of abating. The cost of doing business for criminals is low, the rewards huge, and the risk of being caught slim. Banks should be the front line of our defence; instead they act as the criminals’ accomplices, helping them get away with the loot. Companies collect prodigious amounts of our personal data and are astonishingly careless about the way they store it. Most computer users still fail to take the simplest precautions to protect themselves.

Fixing these problems is going to be tedious and costly for everyone. Bin your Kaspersky software by all means. But don’t stop there.