The Washington Post and the Wall Street Journal report that Russian government hackers obtained details of U.S. cyber capabilities from the personal computer of a National Security Agency employee who had taken classified material home. He was running Kaspersky antivirus software. Apparently, the compromised secrets could enable the Russian government to thwart U.S. cyber operations, both defensive and offensive.
News reports regarding this story have understandably focused on the damage to U.S. cyber capabilities. I have no particular inside knowledge of the specific information leaked to the Russians, but if these reports are true, the compromise was particularly severe. However, as concerned as I am about the compromised information, I observe that such information is often of transient value to an adversary, or at least should be treated that way.
Of more concern to me is the idea that Kaspersky software has the capability to inspect the media of any computer running it for interesting files and to forward such files to Russian intelligence. This raises at least two groups of questions.
First, what is the nature of the algorithm that searches stored files on my computer? For example, does it look for documents that have the phrase “Top Secret” on them? Does it seek to decrypt my encrypted files? Does it go after my deleted files? Does it do keyword searches for documents containing the word “nuclear”? Is it looking for pornography stored on my computer so the Russians can blackmail me? Reading my email? And so on.
Second, how widely deployed is Kaspersky software on non-U.S.-government computers? This includes personal computers of U.S. government employees, of course, but also the work and/or personal computers of many in the private sector. What kinds of information have been taken from those computers? And what is the potential for mischief or malfeasance with that information being compromised?