WASHINGTON (CN) – Deliberate cooperation between Moscow-based anti-virus product firm Kaspersky Lab and Russian intelligence is not necessary for cybersecurity threats to manifest, a witness told a House committee Wednesday.
Pointing to media reports that Israel had tipped off the National Security Agency that its secret hacking tools were on Kaspersky Lab’s network, Sean Kanuck of the International Institute for Strategic Studies said that means two foreign governments have already leveraged the anti-virus tools to view U.S. secrets.
Kanuck told members of a subcommittee of the House Committee on Science, Space and Technology that the sequence of events appears to validate questions about using the anti-virus software on sensitive computers.
On Wednesday morning, Kaspersky Lab acknowledged its anti-virus software had taken source code for a secret American hacking tool from a personal computer belonging to an NSA employee in 2014.
The statement was the result of an internal inquiry conducted by the company after media reports that the Russian government used the company’s software to harvest NSA technology.
Kanuck was one of several experts who testified before the Subcommittee on Oversight on the risk posed to federal agencies by Kaspersky Lab products.
During the hearing, James Norton, president of Play-Action Strategies, a Washington, D.C.-based consulting firm, said the government only started taking the issue seriously in the last few years, and that has allowed foreign adversaries to infiltrate government networks.
“We just haven’t had the capability in place over the last couple of years to even know what’s there,” he said. “I think that’s part of the trouble.”
Norton added later that the U.S. needs to “come to grips” with the fact that online intelligence gathering is the new normal.
Fears have grown over the past year about Kaspersky Lab’s connection to Russian intelligence and whether its anti-virus software can find and remove files, leading the Department of Homeland Security to bar federal agencies from using the product.
But in his written testimony to the subcommittee, Kanuck said the more pertinent question to focus on is whether Kaspersky Lab products are more susceptible than other cyber security vendors.
“It is clear that foreign intelligence services are not limited to exploiting the products of companies originating from their own countries,” he wrote.
Kanuck also said the threat posed by Kaspersky Lab should be placed within the larger context of Russia’s goal of trying to influence campaigns in the U.S.
“If one considers Russia’s intentions in cyberspace and conjoins them with the kind of information and access that could be derived by exploitation of Kaspersky Lab products and services, then the risk must be considered to be substantial,” he said.
He also suggested that Kaspersky Lab business communications within Russia could be monitored by the domestic security service under the country’s telecommunication surveillance laws.
“I would encourage the U.S. government to assess all IT products from all vendors regardless of national origin, because if we’re trying to protect sensitive information we should be fully cognizant that foreign intelligence actors will be willing to exploit any IT vendor that we’re using, even if it’s not of their own national origin,” he said.
Kanuck said in light of what’s now known about Kaspersky Lab’s it’d be hard to imagine them being seriously considered for a government contract.
“If it’s meant to protect the information of a sensitive national security type, I would think that it would not pass the sniff test because of the foreign penetrations and foreign influence that we’ve previously discussed here,” he said.