The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) reviewed the Independent Assessment, titled Information Security Risks of Anti-Virus Software (hereafter “BRG Assessment”), prepared by Berkeley Research Group, LLC (BRG), and dated November 10, 2017. Kaspersky Lab (hereafter “Kaspersky”) submitted the BRG Assessment to DHS as an exhibit to Kaspersky’s request for DHS to initiate a review of Binding Operational Directive (BOD) 17-01. The BRG Assessment, in part, responds to the NCCIC Information Security Risk Assessment (hereafter “NCCIC Assessment”) on commercial off-the-shelf (COTS) anti-virus software and Kaspersky-branded products, dated August 29, 2017. The NCCIC Assessment was attached as Exhibit 1 to an Information Memorandum from the Assistant Secreta1Y for DHS Cybersecurity and Communications (CS&C) to the Acting Secretary of DHS, dated September 1, 2017 (hereafter “Information Memorandum”). This document is a Supplemental Information Security Risk Assessment and will similarly be attached to an Information Memorandum from the Assistant Secretary for CS&C to the Acting Secretary of DHS.
1. File Access and High-Level Privileges
The BRG Assessment confirms the key conclusions of the NCCIC Assessment. Specifically, BRG explains, consistent with the NCCIC Assessment, that anti-virus software operates with “broad access to the computer’s hardware and operating system” and that the software “runs with the same privileges as the user, as well as one or more underlying, highly-privileged software components, such as kernel-mode drivers or SYSTEM-level processes.” BRG describes the “kernel” as a “core component of a computer’s operating system and largely responsible for facilitating the interaction other software running on the computer and the computer’s central processing unit (CPU), memory, and other hardware devices (often via additional software called a “device The “SYSTEM account” is “an internal account on Microsoft Windows operating systems that operates at the highest privilege Most anti-virus software now also “intercepts and monitors network traffic on a user’s computer, including encrypted web browsing traffic, in order to identify malicious code embedded in websites visited by the user.”
Based on its “limited technical analysis within the time available” of Kaspersky and other anti-virus products, BRG determined that all of the software that it analyzed, including Kaspersky-branded products, “contained components that operated with SYSTEM-level privileges.” Additionally, BRG determined that “[e]ach installed multiple kernel drivers within our test systems for various anti-malware purposes, including file system monitoring, process monitoring, and network traffic interception and inspection.” BRG states that, “[A] software vulnerability in any one of the kernel drivers or SYSTEM-level processes could reasonably result in a complete compromise of the user’s computer.”
While BRG refers (above) to a “software vulnerability in a kernel driver or SYSTEM-level process, as detailed in the NCCIC Assessment, DHS is concerned about the information security risks presented by the normal functionality of anti-virus software, apart from any specific “vulnerability” in the software. The Russian Government or Kaspersky—in collaboration with the Russian Government—can exploit this functionality, including broad access to files, high-level system privileges, and interception and inspection of encrypted web traffic.