One wonders why Lorenzo Franceschi-Bicchierai, a journalist with the American website Motherboard, decided to recycle all the old charges against the Russian company which The Wall Street Journal wrote about at the beginning of the year – which, again, were flung far and wide by one US publication after another.
If Franceschi-Bicchierai had some evidence to substantiate what he alleges, rather than floating theories in the hope that someone would believe them, that would be a laudable effort. Sadly, that is not the case. And I say sadly, because Franceschi-Bicchierai is one of the better American journalists who writes about technology.
His 5000-word piece is the result of a trip to Cancun to attend the Kaspersky Security Analyst Summit which was held there in early March. He starts off by using the opening routine at the summit, which posed the question "who are you really?" to ask the same question of Kaspersky Lab.
But then he asks whether the company is an arm of Russian President Vladimir Putin's government or a victim of US protectionist propaganda. For any unbiased observer, it should be plain that not a shred of proof has yet been offered by anyone in the US or elsewhere to substantiate the claim that Kaspersky Lab is a front for Moscow. But these rhetorical questions serve to create an atmosphere of doubt and that appears to be Franceschi-Bicchierai's modus operandi.
He questions whether the SAS is a gathering to show off the work of Kaspersky Lab researchers or a chance for the company to expose ongoing US intelligence operations – simply because one of the talks this year was about malware known as Slingshot which was later claimed to be an operation of the US Defence Department’s Joint Special Operations Command to hunt down Al-Qaeda and ISIS terrorists.
At this point, it would have been illuminating for Franceschi-Bicchierai to offer the perspective that when nation-states disperse malware into the wild, apparently with the aim of trapping extremists, every other Windows user — the exploits generally target this operating system — is also exposed to the same malware and the harm it can do.
A second point which could have been raised here is that US spy agencies appear to be remarkably incompetent in keeping the malware they create under wraps. The best case in point is the NSA which lost a number of exploits that were exposed on the Web by a group known as the Shadow Brokers in April 2016. The CIA, too, does not score highly on this.
But had Franceschi-Bicchierai offered these perspectives as well, then it is doubtful that his effort to cast doubts on Kaspersky Lab would have had as much appeal. It borders on intellectual dishonesty.
Why should any security company play along with governments that release malware that add to the danger that Windows users, in the main, face when they are online? Why should journalists keep quiet unless there are laws that prohibit them from writing about such things? That question is never tackled by Franceschi-Bicchierai and probably because, again, it would not serve to advance his central thesis. Patriotism often gets in the way of hard, cold logic.
Franceschi-Bicchierai cited articles from The New York Times, The Wall Street Journal and Bloomberg that had claimed Kaspersky Lab software "helped Russian intelligence services steal highly classified documents from a US National Security Agency contractor".
I contacted him and asked: "You mentioned the reports in the US mainstream media last year, making various allegations about Kaspersky and its supposed nexus with Russia. Did you find that these reports stacked up from a technical perspective?" Franceschi-Bicchierai has not bothered to respond.
Kaspersky Lab has been at the forefront of exposing government malware – from the US, the UK, Russia, North Korea, Iran, China... the list goes on. No other security firm has such a record. It did not expose Stuxnet, but hired the man who did so, Sergey Ulasen, soon after.
Franceschi-Bicchierai questions why Slingshot was revealed at the SAS. That's a naive question. Every company that has a good story to tell will reserve it for the biggest audience – and there is no place where Kaspersky Lab has a larger captive journalistic audience in one place than at the SAS. There appears to be some kind of amnesia that makes Franceschi-Bicchierai forget why these summits, conferences, call them what you like, are held: to gain publicity for the organisation that hosts them.
It is common for companies that are about to release research that could hurt another firm to indulge in what is called responsible disclosure. Franceschi-Bicchierai cites sources, some named, to argue that this should have been done in the case of Slingshot. Kaspersky Lab's explanation was that it did not know that this was a US operation.
Of course, one can argue that the company was telling a lie. But exactly why would a company that employs many Americans and still has a decent amount of business in the US private sector, want to rub the American Government the wrong way, after all the problems it has had? It defies logic. If, as Franceschi-Bicchierai claims, Kaspersky Lab lays on the PR with a vengeance, such an act seems even more illogical.
He does not do his thesis any good by quoting Australian Patrick Gray who publishes a marketing podcast called Risky Business. Gray inclines to the view that one should support the existing security agency-journalist nexus by keeping quiet about operations that are likely to be nation-state operations. Completely forgotten is the fact that Kaspersky Lab said it was unaware of this. But by this point in Franceschi-Bicchierai's feature, balance has long disappeared.
There's a lot more asides in the article; one that struck me was the use of quotes from Trail of Bits founder Dan Guido, again to shore up Franceschi-Bicchierai's argument. Guido has said of the SAS that it is a “purposefully engineered opportunity for Russian intelligence to get close to hackers they care about".
Whether one takes Guido's assessment seriously is debatable. This is the same Guido who accepted US$16,000 from the Israeli firm CTS Labs in March to review vulnerabilities in AMD processors – publication that was found to be aimed at shorting the company's stock. CTS published its findings 24 hours after it notified AMD and a noted short-seller, Viceroy Research, released a report soon after the story broke, betting that AMD shares would fall. Guido's acceptance of this job did not in any way burnish any credentials he has.
Then Franceschi-Bicchierai claims that people are drugged at the SAS and some have their rooms broken into. All from anonymous sources, of course. What is surprising is that while he says he was unable to verify any such claims, he still floats them. Another claim, that the SAS is a booze-fuelled event, is, again, naive. Drinking is the sole sport at tech conferences; if free booze wasn't there, I suspect that the halls would not be filled.
The SAS has the practice of offering every speaker a shot after his/her talk, this being downed along with the MC. That does not happen at every conference. But the central point is that alcohol is a main attraction at tech conferences, even if it has led to some situations that are not exactly savoury.
What evokes laughter is Franceschi-Bicchierai's attempt to paint himself as virtuos because he did not allow Kaspersky Lab to pay for his flight to attend the conference. If he had wanted to maintain this mantle of purity, then he should probably have taken a room on his own and looked after his own food expenses too. How much does it cost to fly from New York to Cancun?
If any journalist is going to be influenced by accepting sponsored trips in this day and age, then that person should quit the profession right away. Franceschi-Bicchierai may not be as hardened and cynical as someone who has been in the game much longer. The advice I go by was offered by a grizzled old hack. "Drink his booze, and then f*** him. It's so much sweeter," was his advice, with the reference being to people who tried to sweeten you up to promote this, that or the other.
Franceschi-Bicchierai's "precautions" before going to Cancun also evoked a laugh: locking himself out of his regular email accounts and taking along a clean iPhone and a clean Chromebook. It's a bit presumptuous to think of oneself in such inflated terms, but I guess that many journalists, who fancy themselves as players, and not observers, do get this disease.
It's good to remember that journalists are just filling up the spaces between the ads and would do well to disabuse themselves of any illusions of importance. Remember, the press is the fourth estate, not any branch of government, outsiders not insiders.
The writer attended Kaspersky Lab SAS in Cancun and all his expenses were paid by the company, right down to the packet of crisps he gobbled down at Cancun Airport on the trip back.