Transparency, due process fell by the wayside in the case of Kaspersky Lab

The government's actions against Kaspersky Lab are a de facto debarment. Let's just call it like it is. The government gave Kaspersky Lab the federal procurement version of the death penalty.

And the lack of due process for the company should be alarming for every federal contractor. In fact, the entire episode should be a big, flashing warning light for other companies, as the actions taken by the government are highly unusual, severe and, so far, unexplained, according to cyber and legal experts.

Just as disconcerting is the lack of transparency: neither the General Services Administration nor anyone in the intelligence community has shown evidence of a connection between Kaspersky Lab and the Russian government that would justify this de facto debarment.

Federal procurement lawyers and federal cyber experts both say there seems to be no good reason for GSA to have kicked Kaspersky off the schedules program, nor for lawmakers now to aggressively question agency use of its software. The latest comes from Sen. Jeanne Shaheen (D-N.H.), who added a provision to the National Defense Authorization bill that would prohibit any agency from using Kaspersky Lab hardware, software or services, whether directly or indirectly through a subcontractor or third party.


"If you look in the Federal Acquisition Regulations (FAR) part 9.4, there's a whole administrative process which started back in the 1980s after a company argued they were denied due process. The courts held companies needed to have due process, and Kaspersky hasn't had its due process," said Bill Shook, a procurement attorney and former congressional investigator. "What we don't have is specific knowledge of if there is a backdoor that the Russian government can access, and I don't know how much of this is hysteria over President Donald Trump's supposed connections to the Russian government. If I was representing them, I'd take this to court, and then the government would have to show the judge evidence that the software is not secure or produces a national security threat."

Jake Williams, a former National Security Agency executive who worked on the Tailored Access Operations (TAO) cyber warfare effort and now is an instructor and course author for the SANS Institute, said he is skeptical of the claimed connection between Kaspersky Lab and the Russian government.

"Practically everyone I've talked to says, 'We have evidence of that connection,' but no one has seen it," Williams said in an interview with Federal News Radio. "I'm not sure if someone started something and now it's routing by rumor. We don't know if the homework has been done, but we haven't seen it if it has."

Williams said it's quite possible that Kaspersky could have some backdoor or other hidden vulnerability that the Russian government could take advantage of, but it's the type of thing that would only happen once, and then no one would trust the company ever again.

John Pescatore, director of emerging security trends at SANS and a former Gartner researcher who did work for Kaspersky, said concerns about the company's connection to Russia aren't new, and there have been plenty of opportunities for researchers and others to discover potential or real problems.


"The whole thing from GSA and now Congress really came out of the blue," he said. "No security folks I've talked with have found any smoking guns or evidence. If this is a trade war where countries are not using each other's cyber software, the U.S. has the most to lose because we have so many software companies. This seems like a symbolic gesture or unofficial sanction."

And that's also what's getting federal procurement attorneys concerned.

Eric Crusius, a senior counsel with Holland & Knight in Washington, D.C., said taking aggressive actions against a contractor without due process is highly unusual, if not unprecedented.

"There may be facts to justify these actions that we don't know about, but any actions taken should be taken with due process afforded to everyone else," he said. "The legislative action is an existential threat. Congress shouldn't bend rule of law even around a company that's suspected of cyber espionage without going through normal protocol."

Shook added that it's also highly unusual for a lawmaker to get involved in a specific procurement issue.

He said former Rep. Norm Dicks (D-Wash.) applied strict oversight of the Air Force's award of its refueling tanker in the mid-2000s, which eventually went to Boeing, a company with a presence in Dicks' district.

Experts had a hard time recalling another time when a member of Congress tried to legislatively ban a vendor from working with the government.

Pescatore said an Israeli cyber company called Check Point was caught up in the espionage case of Jonathan Pollard in 1985 and was temporarily banned from the NSA.

He also pointed to the Chinese networking and telecommunications company Huawei, as well as when IBM sold its PC branch to Lenovo as times when lawmakers raised concerns about possible cyber threats for the federal government. But there was no attempt to legislatively ban the vendor.

"There is an issue of supply chain to make sure all software is safe without any backdoors. There are ways to do that. The U.K. required Huawei to give them their source code to look for vulnerabilities and bugs or back doors," Pescatore said. "It's not widely done in the federal government. NSA has been pushing this issue around vulnerabilities."

As for Kaspersky Lab, a spokeswoman didn't say whether the company would take legal action against GSA or the government.

"Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts. The company has a 20-year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy development of technologies, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations," the spokeswoman said by email. "Kaspersky Lab, a private company, seems to be caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game. Eugene Kaspersky, CEO and founder of Kaspersky Lab, has repeatedly offered to meet with government officials, testify before the U.S. Congress and provide the company's source code for an official audit to help address any questions the U.S. government has about the company. Kaspersky Lab continues to be available to assist all concerned government organizations with any investigations, and the company ardently believes a deeper examination of Kaspersky Lab will confirm that these allegations are unfounded."

The government's decision may well be grounded in facts, but without sharing them, or at least offering some further explanation, the seemingly arbitrary and unfair action against Kaspersky Lab should send a shiver down the spine of every other vendor.


August 7, 2017
