Kaspersky Kerfuffle: Can Foreign Contractors Protect America's Data?
With controversy over Russia swirling around Washington, our lawmakers have suddenly gotten wise to the fact that the Moscow-based cybersecurity firm Kaspersky Lab has spent two decades securing important contracts with U.S. government agencies. After years of resolute inaction, the House Science, Space, and Technology Committee last month got around to asking 22 federal agencies for their documents and communications concerning Kaspersky. The deadline to reply was Friday, August 11.
Before this year, lawmakers on both sides of the aisle studiously ignored the online security giant’s Kremlin connections. Other countries stopped trusting Kaspersky with their secrets years ago: China’s government procurement office blacklisted them back in 2014. The Trump administration finally yanked the company from two lists of approved vendors used by government agencies one month ago. Before then, American officials had apparently been comfortable with millions of devices automatically sending reams of data back to Kaspersky’s headquarters in Moscow.
Incredibly, U.S. government systems have been so reliant on Kaspersky software that the Obama White House ruled out going after the company as a retaliatory measure in 2016. Eugene Kaspersky, a tech heavyweight trained at a KGB-funded university, has close links with the Russian government and the Federal Security Service – the same FSB that inherited the legacy of the KGB. The move to pull Kaspersky from the U.S. General Services Administration (GSA)'s list of approved vendors for contracts came after Bloomberg obtained emails showing the company had been involved in developing software for the FSB, and that some of the anti-virus vendor’s employees had accompanied state investigators on cybercrime raids.
Taking Kaspersky off the GSA’s procurement list might be the first concrete action after years of speculation over its links with Russia’s security services, but Kaspersky products purchased outside the GSA contract process can still be used by agencies. This raises the question the House is now trying to answer: just how much official data has this company had access to? Even more importantly, what are the potential dangers of handing government contracts (and sensitive or confidential data) to foreign companies, especially those known to be hostile to U.S. interests?
Then again, that second question assumes the government even knows who it’s handing data over to. Chinese tech firms like Huawei and ZTE may be banned from bidding for U.S. government contracts over spying concerns, but some of America’s most important secrets and mission-critical data still manage to end up in China with hardly a second thought. In one of the most spectacular own goals of the Obama era, the Office of Personnel Management (OPM) hired overseas contractors and gave them root access to the personnel records of 14 million federal employees and applicants -- including undercover American intelligence personnel based in China.
Where were those contractors based? Argentina, for one, but also inside the People’s Republic of China. At the time, Congressman Jason Chaffetz of the House Oversight Committee compared OPM’s move to “leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.” As it turns out, Beijing is perfectly capable of walking through open doors. By attacking OPM, Chinese hackers managed to steal millions of those records.
Unfortunately, the spy agencies themselves also hand over mission-critical tasks to potentially unreliable foreign companies. Systran International, the formerly French-owned firm that was acquired by South Korea's CSLi in 2014, provides translation services to the National Security Agency (NSA), as well as to carmakers such as Ford. The company’s machine translation technology is used by the NSA to track online conversations in foreign languages for evidence of terror-related activity in real time. In Paris, though, where Systran is still based, the company’s recent struggles and layoffs have officials wondering whether they can trust the company’s ability to keep the classified data from France’s spy agencies (who also use its services) secure.
One of the most prominent overseas companies providing IT services to U.S. government agencies is Japan’s NTT Data Corp, which works with the military, the Department of Homeland Security (DHS) and the Drug Enforcement Agency (DEA). In all, NTT Data serves more than 50 federal agencies, raking in billions every year in spite of President Trump’s “America First” jobs agenda. NTT has managed to snap up so much of the federal contracting market in part by buying U.S. competitors, like Dell, to make themselves seem “almost as American as American companies.”
Apart from depriving U.S. companies of contracts, it’s abundantly clear that farming out our country’s most sensitive IT infrastructure to foreign firms poses very real national security issues. Then again, such threats don’t just come from outside the homeland. Bradley (now Chelsea) Manning, Ed Snowden, and Reality Winner have forced us to learn the hard way that too many people have access to classified data and too many untrustworthy individuals are somehow receiving clearances. Around five million people in the U.S. currently have security clearances that allow them access to sensitive and confidential material, with many of them working on behalf of outside contractors (American or otherwise).
Embarrassing leaks or the loss of federal employees’ personal data are bad, but they’re not the worst thing that can happen if the government continues to bungle its approach to protecting the nation’s data. The Russians have repeatedly tested new cyberweapons by temporarily bringing down parts of Ukraine’s electric grid. Those attacks have put Congress on edge, but it turns out that the U.S. isn’t all that much better prepared for a similar attack on our own grid or other infrastructure networks. In the event of a major operation conducted by the Russians, Chinese, or even a lesser adversary like the North Koreans or non-state cybercriminals, the disorganized hodgepodge of companies and contractors responsible for keeping us connected could finally be exposed as our Achilles heel.