Congressional concern is climbing—not for the first time—about government agencies using an anti-virus tool made by the respected but Russia-based security firm Kaspersky Lab. The dustup is a case study in why securing government systems is devilishly complicated.

The fracas comes as congressional Democrats are squaring off against President Donald Trump over possible collusion between Russian intelligence agencies and members of his campaign. It also follows a presidential campaign upended by a Russian government influence operation and amid a deluge of leaks from U.S. intelligence agencies.

The competing priorities of security, intelligence, diplomacy and budget constraints play a role in the melee. So, too, do the rival power centers of a government that’s struggled for years, often unsuccessfully, to manage cybersecurity and technology buying in a unified way.

This is the basic paradox: On one hand, top intelligence officials at the FBI, CIA and the National Security Agency tell members of Congress that Kaspersky Lab can’t be trusted, that they wouldn’t put its products on their personal computers, let alone the nation’s. On the other hand, federal agencies still use the Moscow-headquartered anti-virus software. During the past decade, it’s plugged into systems at the Consumer Product Safety Commission, the Treasury Department, the National Institutes of Health and U.S. embassies, among other locations, contracting data shows.

Kaspersky anti-virus also frequently protects state, local and tribal government computers, former officials told Nextgov.

It may even be on some non-national security systems at the Homeland Security Department, according to testimony from Homeland Security Secretary John Kelly, though it’s generally barred from intelligence and national security systems throughout government, according to official testimony.

This disparity between official concern about the Kaspersky company and the prevalence of the firm’s anti-virus on government systems highlights two fundamental facts.

First, anti-virus is both immensely useful and extremely powerful. If used for nefarious purposes, it’s capable of pilfering nearly any file from a computer system or loading malware onto that same system. It can do all of this undetected unless a system administrator is monitoring it extremely closely and perhaps not even then.

Second, despite widespread alarm over government data breaches at the White House, the State Department, the Pentagon and the Office of Personnel Management, the government is a long way from being able to impose uniform security standards on all of its computers.

‘Longstanding Concerns’

Government officials are deeply concerned about the possibility of nefarious activity by the Russian-based company, which several smaller agencies have purchased through third parties and bundlers as part of larger computer security packages, three former Obama administration cybersecurity officials confirmed to Nextgov.

Such concerns have been aired numerous times before, most recently by Buzzfeed in May.

At least part of this concern centers around the possibility of undue influence by the Russian government on Kaspersky and the fact that, like other anti-virus firms, Kaspersky is typically capable of moving files from a customer’s systems to its own systems or to a computer cloud in order to analyze those files for infections. While this capability can sometimes be minimized or unplugged, the prospect of U.S. government data hitting a server in Russia is enough to make officials very nervous, former officials say.

“While the Kaspersky product is good and effective for basic AV services, because of some unknown factors as to where information is transmitted back to Kaspersky systems under certain configurations of the product, many felt very uncomfortable endorsing Kaspersky for use on national security systems,” one former official said.

Because DHS and the White House have limited authority to impose requirements on agency-level technology and acquisition officials, however, there wasn’t an easy path to bar agencies from purchasing packages that included Kaspersky, the officials said.

Those agencies typically purchased Kaspersky because of a lower price point on the entire package, they said, a reflection of the tight budgets that for years have bedeviled government technology.

The company’s products also have a good reputation for rapidly catching new malware strains used by cyber criminals, especially hacking rings based in Russia and Eastern Europe, where Kaspersky has a larger customer base than many of its main competitors and thus better visibility into hackers’ methods.

The former U.S. government officials, who requested anonymity because of the sensitivity of the topic, declined to describe government’s specific concerns with the anti-virus or to provide evidence of possible wrongdoing. One former DHS official said the concerns were “longstanding” and that officials were concerned about the presence of Kaspersky both on government computers and on computer networks at major companies, especially those in critical infrastructure sectors such as energy and transportation.

DHS never formally advised companies to not use Kaspersky products, but it’s likely officials shared their concerns with industry through informal channels, the former DHS official said.

Allegations vs. Evidence

There’s no public evidence of collusion between Kaspersky and the Russian government, and U.S. officials have never publicly alleged such interference, though it’s common for intelligence agencies to keep such evidence under wraps to avoid revealing intelligence sources and methods.

The company flatly denied any collusion in a May statement, saying “Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyber espionage efforts.” The company also firmly denied sharing any customer data with Russian authorities.

Despite discussion about Kaspersky during Senate hearings and in numerous media stories, the company has never been contacted by executive branch officials or members of Congress about those concerns, a Kaspersky spokeswoman told Nextgov.

“Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyber espionage efforts." - Kaspersky Lab statement

The company’s CEO and co-founder Eugene Kaspersky suggested U.S. intelligence officials’ concerns about his product are “political,” based on broader tension between the U.S. and Russia, during a Reddit “Ask Me Anything” discussion in May. Kaspersky also said he’d be willing to testify publicly before the Senate and respond to any concerns.

Eugene Kaspersky also claimed highly technically capable nations such as Russia don’t need the help of private companies to conduct digital surveillance and that it would be unfeasible to force such cooperation.

Though Eugene Kaspersky didn’t highlight this point, any proven collusion between his company and the Russian government would also be disastrous for the firm’s global reputation.

“If there was any confirmed episode of this, that would be the end of their AV business and the end of their business period,” a U.S. government contractor who’s studied anti-virus extensively told Nextgov. “So, there’s a strong economic incentive to not engage in these sorts of shenanigans.”

There is ample circumstantial evidence Kaspersky may be closely tied to President Vladimir Putin’s government, but it is far from dispositive. The company is based in Russia, after all, the same nation whose intelligence agencies U.S. officials have anonymously accused of hacking email systems at the State Department and the White House.

U.S. intelligence agencies have also officially concluded the Russian government hacked Democratic political organizations and released stolen emails in an effort to swing the 2016 presidential election toward President Donald Trump and away from his Democratic challenger Hillary Clinton.

Eugene Kaspersky has acknowledged serving as an intelligence officer in the Soviet military and studying computer science and cryptography at a KGB-funded institute. But, U.S. cybersecurity firms, including CrowdStrike and FireEye, are well-populated with former U.S. military, intelligence and civilian government officials.

Kaspersky also has exposed hacking campaigns by highly sophisticated groups likely affiliated with U.S. intelligence agencies, most notably its 2015 report on The Equation Group, an “advanced persistent threat,” or APT, group likely tied to NSA.

Similarly, U.S.-based cybersecurity firms have bolstered their reputations by documenting Russian intelligence-linked APT groups, such as Fancy Bear and Cozy Bear, which CrowdStrike tied to the 2016 U.S. election breaches at the Democratic National Committee.

All three companies have typically shied away from publicly exposing the digital espionage of their own nation’s intelligence agencies.

A threat tracker for a U.S. company told Nextgov individual Kaspersky researchers have helped his company verify Russian government-linked threat actors in the past. Former government cyber officials queried about that statement were unsurprised and attributed it to front-line researchers with similar interests, effectively security geeks geeking out, rather than to a company directive.

How Much Damage Could Anti-Virus Do?

Thus far, the public does not know any specifics about what’s led intelligence officials to express concern about Kaspersky’s independence. The public doesn’t know how troubling that intelligence is or how confident officials are in their conclusions. What is known is that anti-virus, if used for nefarious purposes, could be extremely powerful and nearly undetectable.

At its most basic level, anti-virus does its work by regularly scanning every single file and system on a computer. Because it does this on the computer itself rather than at the periphery of an entire network, there usually aren’t other systems monitoring the work of the anti-virus. The digital security systems DHS provides to federal agencies, known as Einstein and Continuous Diagnostics and Mitigation, for example, sit on the periphery of agency networks, not at the device level.

When the anti-virus finds something suspicious in a file, it will quarantine that file for additional, automated investigation. When it spots a known vulnerability in a particular system, it will protect against it.

If the anti-virus sees something that looks suspicious but isn’t a known infection—say, for instance, a file that may be infected with polymorphic malware constantly changing its particular digital signature—it may encrypt that file and transport it to the AV company’s own systems for investigation. If the file is genuinely malicious, the company will alert its other customers to protect them. The faster and more frequently those updates come out, the more valuable an anti-virus is for its customers.

So, what could an anti-virus do if compromised by or beholden to a customer’s adversary? A lot.

It could install something malicious on a computer that poses as a security update, security researchers say. Even easier, it could decline to install certain updates that protect against preferred attack vectors of a particular adversary.

It would also be relatively easy to skip certain updates for only a subset of customers, security researchers say.

[Anti-virus] explores every nook and cranny of a computer and you can’t restrict it. It can change the way an operating system works." - Matthew Green, Johns Hopkins

Or, simplest of all, the anti-virus could simply extract files an adversary might find interesting under the premise those files were being scanned for infections.

“Anti-virus is really powerful,” said Matthew Green, an assistant professor and cryptography researcher at Johns Hopkins’ Information Security Institute. “It has to be powerful to do what it does. It explores every nook and cranny of a computer and you can’t restrict it. It can change the way an operating system works. It can bypass a lot of features of the operating system. It has almost total visibility into every [email] attachment.”

Anti-virus is so powerful, in fact, some highly technical organizations opt not to use anti-virus and other malware detection tools because they’re concerned that even a nonmalicious flaw would give a hacker who exploited it too much power.

A researcher with Google’s Project Zero, for example, discovered a vulnerability last month that would allow a hacker to take over an entire system just by sending a malicious email through the Windows Defender malware detection tool installed on nearly every Windows consumer PC—even if the PC owner never opened the email.

“If you practice good security using other methods, the risks [of an anti-virus] may outweigh the benefits,” said Joe Hall, chief technologist with the Center for Democracy and Technology. “But for most of us, the benefits outweigh the risks.”

Where Does the U.S. Government Go From Here?

Given the supreme power of anti-virus and how difficult it is to detect nefarious activity, it might seem rational to bar Kaspersky from government systems even without evidence of any wrongdoing or, perhaps, to limit certain digital security contracts to American firms. There are rules restricting foreign control of companies that do certain intelligence and national security work, but not for most civilian, unclassified systems.

Such prohibitions, however, could put the U.S. on a slippery slope to endorsing a balkanized internet where one nation’s products aren’t accepted in others. That’s a result government officials have argued against in the past because it would be highly damaging to U.S. tech companies. This was especially true when European companies and governments expressed concern about possible U.S. government backdoors in American tech products after revelations about NSA spying programs by leaker Edward Snowden in 2013.

“We should be globalists,” said Curtis Dukes, a former director of NSA’s cyber defense wing who now works for the Center for Internet Security. “We want our products to be sold overseas just like other nations want their products to be purchased in the U.S.”

Dukes’ ideal solution would be a set of international standards to vet anti-virus and other highly powerful tech products.

While global companies have been relatively successful at developing technology standards—for wireless devices, for example—governments have had less luck agreeing to security standards.

A shorter-term though still difficult solution, several former officials said, would be more centralized authority for IT security in government so officials can make standardized decisions about acceptable risks. Centralizing cybersecurity management is a top priority for the White House’s Cybersecurity Coordinator Rob Joyce.

For example, a central government agency could vet software products for security similar to the way acquisition officials vet those products for affordability and other issues, one former official said.

“If Kaspersky or another product can demonstrate it’s within the risk parameters, it could be put on the list,” one former official said. “When it comes to intrusion detection and anti-virus and the like, we need to be very careful. People’s information needs to be given the best protection and having a pre-approved products list for departments and agencies would be a good thing.”