The Trump administration's ban on the use of a Russian cybersecurity firm's software is heightening suspicion worldwide that private internet firms might be in league with their home governments, an industry leader said Wednesday.
The Trump administration last week told U.S. government agencies to remove Kaspersky Lab products from their networks, citing alleged ties between officials at Moscow-based Kaspersky and Russian intelligence. Non-government entities and individuals may still use Kaspersky products.
But whether Russia retaliates or not, mistrust of the cybersecurity field has risen, and U.S. adversaries are likely to avoid U.S.-built software, believing that U.S. intelligence agencies may have special access, Greg Clark, chief executive of Symantec, said Wednesday.
“If you’re China, if you’re Russia, do you want to run American-built stuff? Probably not,” Clark said at a presentation hosted by the Center for Cyber & Homeland Security at The George Washington University.
The Sept. 13 directive from the Homeland Security Department ordered all federal entities to remove Kaspersky security software from their networks, noting its concern about “ties between certain Kaspersky officials and Russian intelligence.” Russian law compels Kaspersky to assist the nation’s intelligence agencies, it added.
Clark defended the DHS directive, saying that U.S. intelligence officials “are very good at what they do. … I think we should listen to what they have to say.”
Russia has not formally issued a retaliatory measure to the Kaspersky ban. But in early September, Russian President Vladimir Putin told state companies that they should avoid running foreign software because it poses a risk to national security.
“In certain areas, the state will inevitably say to you: ‘You know, we cannot buy that, because somewhere a button will be pressed and here everything will go down,’” Reuters reported, citing the Interfax news agency. “So bear that in mind.”
Clark said he “absolutely” worries about the precedent of linking a private cybersecurity company to a state intelligence network, adding that Symantec, a leading global company based in Mountain View, California, with $4 billion in annual revenue, had faced challenges in that regard as well.
U.S. technology companies are already paying a price for the alleged activities of intelligence agencies, said Leo Taddeo, a former FBI cyber specialist who currently is chief information security officer with Cyxtera Technologies, a Coral Gables, Florida, firm that offers internet infrastructure and security solutions.
Following the revelations of disgruntled NSA contractor Edward Snowden in 2013, which included reports of U.S. intelligence spying on foreign heads of state, some countries sought to ensure that their data was protected, Taddeo said, specifically requiring data storage centers within their own borders.
“Under the umbrella of protecting privacy, what is happening is that data must reside in Germany, for example, and as a result data centers in Germany get more business,” Taddeo said in an interview.
Taddeo said he didn’t know why the decision on Kaspersky came out this month after years of U.S. concern that the firm was linked to Russian intelligence, a charge the company had previously denied.
He said the timing may have resulted from concern that any formal charge would tip off the Kremlin to how U.S. officials grew suspicious.
“You want to get it right. And you don’t want to tip your hand too soon,” Taddeo said.
Clark of Symantec, which is a direct competitor of Kaspersky, said his company is not concerned about retaliation from Russia.
“We do have some sales in Russia,” he said, noting that its own Norton antivirus software is sold there. But he added: “For our firm, Russia is not a territory of economic significance.”
Moreover, Russian law requires that foreign companies turn over source code for cybersecurity products for review, an action that can allow proprietary technology to be lost.
“We are the firm that said no to the review of our source code. I’m fine with the consequences of not being able to sell it there,” Clark said.
Just as Kaspersky came under suspicion in the United States, U.S. technology companies have also faced misgivings abroad, he said. Suspicion jumped after a hacker group calling itself The Shadow Brokers appeared in mid-2016 and divulged what it claimed were stolen cyber-weapons from the top-secret National Security Agency. The tools revealed a series of vulnerabilities in products of big software and tech companies, including Microsoft.
“Overseas, there were a lot of inquiries from some very large customers of ours saying, why don’t you guys have anything in there?” Clark said.
After explaining to clients how its own software blocked some of the alleged NSA exploits, Clark said Symantec was able to allay suspicions. But concerns remain latent that other U.S. companies may be collaborating with federal agencies.
“There is concern that North American companies may be doing things,” Clark said. “There have been examples of very powerful security firms doing things that are not good for their customers,” he added, without providing names.