Kaspersky, a Russian cybersecurity firm, has given in to the US government. CEO Eugene Kaspersky said he would let the US government review Kaspersky Lab’s source code, after a Senate proposal to cut Defense Department contracts with the company. The implication is that this could do more to undermine US security than protect it, because American firms could be equally pressured to divulge code to Russia, the U.S. and other countries.
The company’s willingness to share its source code comes after a proposal was put forth in the Senate that “prohibits the [Defense Department] from using software platforms developed by Kaspersky Lab.” It goes on to say, “The Secretary of Defense shall ensure that any network connection between … the Department of Defense and a department or agency of the United States Government that is using or hosting on its networks a software platform [associated with Kaspersky Lab] is immediately severed.”
The worrisome implication of this decision is that any country can ask any software vendor to make its source code available before it can do business in that country. Understand that even what seems harmless may not be. Kaspersky does not run in isolation – it needs operating systems like Windows, Linux, iOS and Android to run. So those can be subjected to evaluations too.
Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to “code for security products such as firewalls, anti-virus applications and software containing encryption,” according to Reuters. Security firm Symantec pointedly refused to cooperate with Russian demands last week. “It poses a risk to the integrity of our products that we are not willing to accept,” a Symantec spokesperson said in a statement.
What the U.S. plans to do has many global consequences. Yet the U.S. has the right to be concerned about its national security. It could have simply excluded Kaspersky from the opportunity. However, it wants to give the company the chance to compete, despite the risks. To do that, it wants to be sure its national security will not be compromised.
Kaspersky certainly sees the huge U.S. market opportunity and wants to compete in it. This means it is ready to take any risk on its IP to convince the U.S. government that it is an ethical company that will not compromise American security. Doing this will win it customers not just in the U.S. government but also among U.S. private companies. So its decision to agree is the only choice it has. If it refuses, even private companies may be worried. People may criticize Kaspersky, but considering many factors, it wants to play in the U.S. market and it does not see any alternative to asking the U.S. government to examine its source code.
The implication of this is that companies going into new markets may be expected to share source code with the countries they enter. Expect some of this code to leak and end up in the hands of competitors. There is also a cybersecurity risk that some of the code can leak and end up in the hands of bad people. The biggest issue is the exposure of intellectual property (IP) that companies will be subjected to. This has the potential to totally change the software industry, and how companies sell software products and services internationally.
As the world witnesses the total redesign of the software sector, one has to link that to what is happening in the cybersecurity area. This week, many reports have suggested that hackers from a nation state have hacked into computers used by power stations. If you then share source code with these countries, it simply means no one is safe. The company products which are sold to protect entities become vulnerable to bad state actors. Simply put, any company that shares its source code may be undermining its business in the long run. It is not a good strategy despite the immediate gain.