In all the recent bombshell reports about the Kaspersky anti-virus software, it’s easy to focus on the Russian threat and miss the general context: every government that employs hackers tries to weaponise antivirus software. Government departments certainly need to consider that in choosing their own software; whether that’s something the average computer user should worry about is a different matter.
In The Washington Post’s report that confirms Kaspersky Lab’s carefully worded suspicion, made public in 2015, that it had been hacked by Israeli intelligence, there is this casual passage:
“The NSA bans its analysts from using Kaspersky antivirus at the agency, in large part because the agency has exploited antivirus software for its own foreign hacking operations and knows the same technique is used by its adversaries.”
The Israeli hack itself would be reason enough for the US National Security Agency or any other intelligence agency to ban Kaspersky products. It happens to other antivirus packages, too. Recently, the South Korean military discovered it had been hacked, presumably by North Korean intelligence, using Hauri antivirus software.
Anti-malware packages are desirable targets for spy services because they have legitimate access to all the files on a computer’s hard drive. They’re also the last defence: users as a rule don’t run any other program to detect malware inside the antivirus software itself. So it’s likely that, whatever brand of antivirus you use and whichever country it’s based in, spies from one country or another have attempted to hack it — and perhaps succeeded.
Once that’s been established, the next question for a user to ask is what you fear more: that kind of foreign or domestic government attention or the more mundane kind of criminal threat. Are you more worried that Russia, Israel, the US or North Korea will scan your personal files or that the contents of your hard drive will be rendered unusable by ransomware? Is your concern that the Russians might read your kids’ school essays and find out your movie preferences or that your computer might be mobilised as part of a botnet, with its performance suffering accordingly?
For most ordinary users, the answer is obvious: the non-state criminal threats are worse. That’s why Interpol this week signed a new information sharing agreement with Kaspersky despite all the revelations in the US media: the international police cooperation organisation deals mainly with non-state actors, including profit-seeking hackers, rather than with the warring intelligence services. The companies that develop the antivirus products are undeniably effective in working against the “low” kind of crime.
Military secrets
If you’re not an interesting target to governments, it makes no sense to react to offers from store chains and other antivirus producers to replace Kaspersky products on your computer. For one thing, the replacement, too, could be compromised, perhaps also by Russian intelligence. For another, it doesn’t really matter unless you’re an NSA analyst or the keeper of important trade or military secrets.
In that case, of course, your employer is likely already taking special care of your security, establishing strict rules about copying certain kinds of information to computers outside its network as well as working with multiple security providers and in-house developers to secure sensitive data. If for some reason that’s not the case and there’s sensitive stuff on your home machines, there’s a relatively easy solution: move it to the cloud. Cloud computing leaders — Amazon, Microsoft and Google — are trying to outdo each other in the security field. Security is a key selling point for corporate customers and breaches are costly in reputational terms, so individual users can trust these companies to keep their data as safe as they do their own.
That, of course, is no ironclad guarantee. But, unless you’re a cybersecurity expert, it makes more sense to put trust in Google or Microsoft than in your own skill at protecting your home network — as long as you don’t fall victim to phishing and give up your access data.
Going a step further, users of Google’s cloud-based Chrome OS system don’t need an antivirus product because it minimises the possibility of running malicious outside applications. In general, this year more than three-quarters of malware programs were distributed for the Windows operating system, some 6% for Android and the rest for other platforms. For the users of those other platforms — strains of Linux, ChromeOS, even Apple’s MacOS and iOS — installing an antivirus isn’t an essential precaution. Adrian Ludwig, responsible for Android security at Google, earlier this year advised users against doing it, saying it was pointless for 99% of them.
The campaign against Kaspersky in the US is fraught with unfortunate consequences for the cybersecurity industry, as it begins to drop all pretense of being an international community. Cybersecurity firms will now inevitably be seen — not just by intelligence services, but also by the general public — as potential tools in the hands of the nation states in which they are based. Perhaps the only silver lining is that the campaign may make consumers give a thought to their private security priorities and the tools needed to meet them. — (c) 2017 Bloomberg LP