Like one of John le Carré’s “moles,” anti-virus software is the perfect, obvious software platform to act as a double agent, protecting computers from malware while simultaneously transmitting interesting tidbits to some intelligence controller in parts unknown.
Security software has permission to do just about anything on our machines – to search, investigate, and neutralize computer software in order to provide adequate security protection. But what is necessary is also, and obviously, dangerous, especially if we don’t know the provenance of our security software. For example, if it is made in Russia!
Of course, a United States security agency would never deploy Russian security software – like Kaspersky Lab’s products – to monitor US security files. Even in an age of monumental bureaucracy and decision-making unfettered by the constraints of technical knowledge, this would be so ridiculous that we should relax in the sure knowledge this would never happen.
But it has. We don’t know if Kaspersky Lab is a witting, unwitting, or coerced partner to Russian intelligence gathering, but its anti-virus tools have been acting as an adjunct Russian agent against US intelligence. However, for a risk so entirely obvious, these details are irrelevant.
The choice of Kaspersky Lab as a security vendor for US security agencies probably won’t bring about changes in technical decision making. Some even more ridiculous event will be needed to wake us up to the fact that in technology decisions, it is technology that counts, and technical understanding that drives correct decisions. Not sales pitches, nor vendor claims, nor vision, nor relationships, nor cost. These things matter but are secondary. Every day, experienced technologists see good organizations spend on technology they cannot possibly use, because the decision makers simply didn’t bother to understand the technology. But when someone bothers to ask, the experts needed to make a good decision are usually available.
When it comes to technology decisions, understanding the technology comes first, and trumps whatever is in a distant second place. If that sounds obvious, I agree that it is, but it’s also very far from standard practice. Just ask the NSA.