In Worrisome Move, Kaspersky Agrees to Turn Over Source Code to US Government

Photo: Getty

Over the last couple of weeks, there’s been a disturbing trend of governments demanding that private tech companies share their source code if they want to do business. Now, the US government is giving the same ultimatum and it’s getting what it wants.


On Sunday, the CEO of security firm Kaspersky Labs, Eugene Kaspersky, told the Associated Press that he’s willing to show the US government his company’s source code. “Anything I can do to prove that we don’t behave maliciously I will do it,” Kaspersky said while insisting that he’s open to testifying before Congress as well.

The company’s willingness to share its source code comes after a proposal was put forth in the Senate that “prohibits the [Defense Department] from using software platforms developed by Kaspersky Lab.” It goes on to say, “The Secretary of Defense shall ensure that any network connection between … the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform [associated with Kaspersky Lab] is immediately severed.”

Jeanne Shaheen, a New Hampshire Democrat, tells ABC News that there is “a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure.” The fears follow years of suspicion from the FBI that Kaspersky Labs is too close to the Russian government. The company is based in Russia but has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate. “As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts,” an official statement from Kaspersky Labs reads.

The proposal prompted an official response from Russian Communications Minister Nikolay Nikiforov. He warned that any “unilateral political sanctions” would prompt retaliation from Russia. He emphasized that his government uses “a huge proportion of American software and hardware solutions in the IT sphere, even in very sensitive areas.”

The fight over source code comes at a moment when Americans are deeply distrustful of the Russian government. The Russians’ alleged involvement in the hacking of the 2016 election, combined with numerous suspicious ties to our president’s campaign, has everyone on edge. But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands.


Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to “code for security products such as firewalls, anti-virus applications and software containing encryption,” according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. “It poses a risk to the integrity of our products that we are not willing to accept,” a Symantec spokesperson said in a statement.

The risks are the same whether it’s the US or Russia being given access to source code. It gives these governments an opportunity to locate security vulnerabilities that they might not be able to find otherwise. Obviously, Russia has been accused of numerous cyberattacks lately, including the Yahoo email breach and the hacking of the DNC. But the US also hoarded security vulnerabilities for years to use as cyberweapons. Recent global outbreaks in ransomware have been traced back to tools from the NSA that were leaked by a group known as the Shadow Brokers. In a statement following the WannaCry ransomware attacks, Microsoft said “an equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.” It’s obvious that the US can’t be trusted with this knowledge and companies shouldn’t help them gain it.


Lawmakers have every right to worry about Kaspersky Labs’ products being used on official government systems. If they have some sort of knowledge that we don’t, they should cut ties. But setting this sort of precedent is not a good sign. Kaspersky agreeing to the demand is not a good sign. Numerous western companies doing the same for Russia is not a good sign.

In the same way that experts say that you shouldn’t pay the ransom when hit by ransomware, tech companies need to block this coercion before it gets out of control.


[Associated Press]



While I appreciate this article, a lot of people might not understand why showing your source code can expose security weaknesses:

Programmers like myself build systems that can span hundreds of files and millions of lines (billions for some things). Every time that we use conditional statements to check things, or reach for code outside of our own (especially libraries on your computer that may change over time), or create patterns in the way that we access, change, or store data on your computer, we may create a point of weakness for someone to exploit. Much of the time, we are trusting that the specifics of those operations are obscured by how much harder it is to find them after the program has been built and how scattered the machine code is. By showing source code to a party that may choose to be malicious with that knowledge later, it becomes possible for them to use the source code like a road map to test those potential points of weakness and come up with detailed hacks that cheat the system much faster, because they are not forced to figure things out through trial and error or painstaking (often fruitless) reading of the assembly code.