Politics pollute cyber-security ethics
The $71 billion cyber-security industry is fragmenting along geopolitical lines as firms chase after government contracts, share information with spy agencies, and market themselves as protectors against attacks by other nations.
Moscow-based cyber-security firm Kaspersky Lab has become a leading authority on US computer espionage campaigns, but sources within the company say it has hesitated at least twice before exposing hacking activities attributed to Russia.
Meanwhile, US cyber-security firms CrowdStrike Inc and FireEye have won fame by uncovering sophisticated spying by Russia and China, but have yet to point a finger at espionage in the US.
The balkanization of the security industry reflects broader rifts in the technology markets that have been exacerbated by disclosures about government-sponsored cyber-attacks and surveillance programs, especially those leaked by former US intelligence agency contractor Edward Snowden.
"Some companies think we should be stopping all hackers. Others think we should stop only the other guy's hackers," said Dan Kaminsky, chief scientist at security firm White Ops, putting himself in the former camp.
Kaspersky Lab has faced questions about its connections to Russian intelligence before: CEO Eugene Kaspersky had attended a KGB school, COO Andrey Tikhonov was a lieutenant colonel in the military, and Chief Legal Officer Igor Chekunov had served in the KGB's border service.
Eugene Kaspersky said the firm has never been asked by a government agency to back away from investigating a cyber-attack, and said its international team of researchers would not be swayed by any one country's national interests.
Still, several current and former Kaspersky Lab employees said the firm has dithered over whether to publish research on at least two Russian hacking strikes.
Last year, Kaspersky Lab officials privately gave some paying customers a report about a sophisticated computer spying campaign that it had uncovered, but did not publish the report more widely until five months after British defence contractor BAE Systems exposed the campaign, linking it to another suspected Russian government operation and noting that most infected computers were found were in Ukraine.
"We were late," Eugene Kaspersky said about the report, but he denied political considerations were at play. "It is not possible to be the champion in every game."
In 2013, Kaspersky Lab researchers uncovered another spying operation, dubbed Red October, that was written by Russian-speaking programmers and targeted governmental and diplomatic organizations in Europe, Central Asia and North America.
It was only after a heated internal debate that the firm decided to publish a report on that operation, which it believed to be the work of the Russian military's GRU foreign intelligence branch, according to several current and former Kaspersky Lab employees who did not want to be identified.
Where to do business
Kaspersky Lab has been the first to expose a series of major US cyber-attacks, including, most recently, the tools that may have been used to spread the Stuxnet worm that sabotaged Iran's nuclear program.
Like its US competitors Symantec and Intel, Kaspersky Lab drops hints about who it thinks are behind the attacks but does not publicly name the country.
Kaspersky Lab's success in uncovering US campaigns is in part because its anti-virus software and security products are sold in countries of high interest to American spies, such as Iran and Russia. Much of its research is based on data from customer computers that use Kaspersky software.
CrowdStrike, a privately held cyber-security firm based in Irvine, California, will not sell its services in Russia or China because it does not want to face pressure to suppress information about the activities of those governments. That also means the firm is less likely to stumble across the United States' most ambitious intelligence-gathering efforts.
"We're selective about our customers," said CrowdStrike-founder Dmitri Alperovitch. "You can't play both sides." CrowdStrike's customers include major global banks and tech companies.
FireEye avoids selling its services in China and Afghanistan, but does have clients in Russia. Last year, it acquired computer forensics firm Mandiant, founded by a former US Air Force officer, Kevin Mandia.
As many of Mandiant's first large customers were US Defence Department suppliers, it came across spying campaigns launched by Chinese hackers. This started a cycle in which Mandiant was hired by other companies worried about China, enhancing the firm's knowledge and reputation in dealing with that type of threat.
If companies specialize too much in one region, however, they could miss attacks elsewhere, security experts said.
As governments spend more to protect their networks from hackers, they draw closer to the cyber-security companies. Senior US intelligence officials, notably from the National Security Agency, have also joined private security companies after leaving their posts, drawn by surging demand for cyber expertise.
Greater information sharing, as proposed by a bill backed by US President Barack Obama, would push the public and private sectors still closer.
"I would not be surprised if the NSA went to Symantec and McAfee and asked them not to detect something," said cryptography expert Bruce Schneier, chief technology officer at security firm Resilient Systems.
Spokespeople for Symantec and Intel, which bought McAfee in 2011, said this has not happened.
To be sure, Symantec has played a critical role along with Kaspersky Lab in exposing the US-led Stuxnet, and it has backed up other Kaspersky findings since then.
"We are being completely agnostic to who the malware author may be," said Symantec principal security response manager Vikram Thakur.
Asked if Mandiant would ever expose a US spying program, the firm's technical director, Ryan Kazanciyan, said: "I honestly don't know."
Vitor De Souza, spokesman for parent company FireEye said: "We would do a report on a U.S. group if they broke the law."
The ties between governments and homegrown security firms could yet break apart, especially if intelligence agencies start corrupting anti-virus software to spy on target machines.
"Security products might become one of the main vectors of getting access," said Mikko Hypponen, chief research officer at Finland's F-Secure Oyj.
White Ops' Kaminsky, whose company identifies networks of compromised computers being used for fraud, said some security companies' own attitudes could end up making things worse faster.
"The global economy depends on a secure Internet, and that means no back doors for anybody," he said. "Nobody wants to live in a war zone."