I’ve been in security for decades in various roles and I’m a fan of the work Kaspersky Lab does. It operates in a region where security, or the lack of it, is in your face all the time, and it seems to go beyond thinking of security as a product it offers and to treat it more as a way of life. The recent actions toward banning Kaspersky Lab by the U.S. government are, however, problematic for the firm. At the heart of the complaint and action isn’t anything that Kaspersky Lab has been proven to have done, but a Russian law that makes it almost certain that Kaspersky Lab has provided, or will provide, customer intellectual property to the Russian government.
This law isn’t that dissimilar to actions in the U.S. like the Patriot Act, which appear to provide the same kind of exposures to U.S. firms, but the Russian process, from filing a complaint to incarcerating the guilty, appears to lack the kinds of protections provided by the U.S. Constitution. A Russian company just doesn’t seem to have the same kind of protections a U.S. company does but, given that people in foreign countries often project their legal system on others, that doesn’t mean U.S. firms don’t have the same image problem Kaspersky Lab now has.
In the end, what the U.S. is doing to Kaspersky Lab puts U.S. security firms at risk as well. The fix is likely an international agreement protecting security firms from this kind of government overreach to protect those firms against failure.
Government’s Conflicted Goals and Wrong-Headed Priorities
I certainly get that law enforcement wants access to things that are secured. Criminals, terrorists and other bad actors often use security technology to conceal their dangerous and illicit acts. Being ex-law enforcement myself, I fully understand the need to quickly circumvent those technologies. However, security technology also protects legitimate businesses, government offices, manufacturing plants, utilities, the military and law enforcement agencies.
Keys that are created for law enforcement aren’t exclusive to law enforcement. We tend to underpay our police and government bureaucrats, making them relatively susceptible to bribes, and their own security systems are underfunded and porous. Given Russia’s extreme known vulnerability to WannaCry, thanks to the use of pirated software, it is likely less secure than the U.S.
This means that the back doors that these two and other governments want could end up doing more damage to their respective countries than the holes in security they want to create will mitigate.
Attackers always have the advantage because they can try and fail almost infinitely and still eventually succeed in penetrating a secure site. A defender only has to fail once. So, using laws to effectively put attackers and defenders on a more level playing field by opening up security products, like these laws appear to do, ultimately benefits the attacker.
I thought that Russia, being run by an ex-spy, and in a far more hostile environment, might understand the dynamic better than the U.S. government, but it has proven that no government has a monopoly on stupid.
Banning Kaspersky Lab
Sadly, and clearly unfairly, Kaspersky Lab is now an example of why neither the term sad nor unfair matters in making good business decisions. If the U.S. government bans Kaspersky Lab, and it is breached, anyone using it has an extremely high probability of being found negligent. And as we approach likely multi-billion-dollar related judgements and settlements, that one word added to the event would multiply the related damage finding to unaffordable levels.
So, if the U.S. bans Kaspersky Lab, you may not have any choice but to ban it as well. It certainly isn’t fair to Kaspersky Lab, but that’s what its government did to it.
Wrapping Up: Look at BlackBerry
How did I get to BlackBerry? It is in Canada and, so far, Canada has been one of the smarter countries in that it doesn’t seem to be shooting its own security firms in the head. BlackBerry may showcase the future of security companies that will likely have to relocate there to get around the stupidity in the Russian and U.S. governments. Then we can get back to keeping the bad guys out, rather than fighting bureaucrats.
Until then, security firms in Russia and the U.S. may be increasingly screwed by their own governments.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM.