Why we fight and will keep on fighting

As Kaspersky Lab’s legal challenge continues, Eugene Kaspersky considers why cybersecurity companies must fight for the industry to stay open and collaborative

Two months ago, a U.S. District Court dismissed our challenge to the Department of Homeland Security (DHS) Directive and the provisions in the FY18 National Defense Authorization Act that ban the use of our products by federal agencies. As you’d expect, we’re appealing the court’s dismissal.

Now, you might wonder why we’re doing that. Why do we keep getting up after every punch when we could just move on and save ourselves a great deal of time, money, and frustration?

Well, the answer’s twofold — and very close to my heart.

First, we believe it’s the right thing to do. Kaspersky Lab has never helped, and will never help, anyone in the world with their offensive security efforts. Put simply, we protect our customers with the very best cybersecurity solutions and services in the world. Allegations — without any supporting evidence of any wrongdoing — have harmed our reputation and negatively affected our commercial interests and those of our business partners. And because we feel that these actions have violated our constitutional rights and protections, we absolutely must challenge them in court.

Second, we’re doing it to protect our own industry: This situation sets a dangerous precedent. One of the concerns about us relates to our Russian origins. Labeling a company as a national security risk just because of its country of origin does little to address real cybersecurity risks. Think about it: IT supply chains are global by nature, and governments around the world recognize that cyberthreats can originate from anywhere and that threat actors don’t limit their activities to certain countries or companies. Former National Security Advisor Michael Hayden recently said that he “hope[s] to God [the U.S. intelligence services] have a case rather than just a concern” regarding KL; otherwise, they would “legitimate people all over the world to possibly reject American technology simply because it’s American.” But not one real case has been presented. And that is why we’re forced to act as we have, with legal action. Today it’s KL at the top of the list of companies causing “concern,” but you can be sure other companies will be there in the future.

The cybersecurity industry may become balkanized: slowly fragmented into insulated areas through company-specific or geography-specific bans and restrictions. Of course, countries facing advanced cyberadversaries are fearful of what they might expect next. And there’s a natural inclination for those legitimate concerns to result in protectionist barriers. We fully support the need to better protect governments, businesses, and consumers against increasingly sophisticated cyberthreats. But we must ask ourselves if the solutions being implemented to address these valid concerns actually result in stronger cybersecurity.

We’d like to suggest an alternative to country- or company-specific prohibitions on technology: Stick all those bans and restrictions in the trash and develop a cybersecurity risk management and mitigation strategy that relies on independent testing and validation processes. Create a framework that assesses the integrity of security products throughout their lifecycle — regardless of their origin. (I repeat: regardless of their origin!) And focus on criteria that produce evidence-based results so we can continue meaningful dialogue about cyberthreats.

We applaud those that share this vision of working together to promote transparency and accountability. This is how we promote security — not fear, uncertainty, and doubt.

Just to recap: We’ve done nothing wrong, no evidence has ever been presented against us (and it won’t — there isn’t any), and so we’re forced to take legal action.

But back to our core business: We know the value of worldwide cybersecurity collaboration. That’s because we’re one of a select handful (about 10) of leading security vendors. And it’s only these 10 that have the global reach to conduct the extensive threat research needed to monitor and protect the global landscape. But each of us still sees just part of the picture. We need to be able to continue to share and collaborate. Balkanization in IT security would break these valuable connections among researchers around the world, not just by keeping them from talking to each other, but also by making them afraid to do so.

We know that our ongoing litigation is adversarial and looks like a fight with the world’s largest and most powerful government. However, we have publicly asked for meetings with concerned government stakeholders to answer their questions, and have repeatedly offered to work with them to address any perceived risks that they’ve identified. So far, the phone’s been pretty quiet. Nevertheless, our offer of cooperation, collaboration, and real dialogue stands.

So we fight — and will go on fighting: for our business, colleagues, partners, and customers, and for the global cybersecurity industry that we love and believe in. We’re here forever to save the world.