In March this year, Kaspersky Lab, an international software security group based in Russia and with business operations in more than 200 countries worldwide has recently been put in the spotlight for an accusation closely associating them with Russian intelligence agencies and thereby posing a threat to their very own US clients.
Of course, Kaspersky Lab strongly denied this claim. However, it can also be recalled how other larger scale firms such as FireEye and Crowdstrike have had their share of the same tribulation when they were largely criticized for failure to inform about the US state malware. However, both of these scenarios suggest how the line between research and espionage is getting thinner, if not blurry.
Recently, a similar case arose involving Celil Unuver, a co-founder of SignalSec which is a small time security researcher in Turkey whose main focus was on industrial control software. Unuver was called by the Turkish policemen to present himself at the cybercrime bureau and was advised that should he fail to do so within the three days following the latter’s call, he shall be arrested.
For more than eight years, Unuver’s business revolved around publicly divulging some vulnerabilities and offering some to the market legally but throughout the same time, he has committed to staying on the authorized track. He found most customers from the US for the basic fact that there are far more incentives offered by these clients.
However, now that he is being questioned by their local authorities, Unuver cannot help but be apprehensive how his line of work and business could be easily mistaken as treason. In retrospect, he tried to recall what could have triggered the said accusation and could only come up with working in the same area as Stuxnet- a state malware who have previously targeted an Iran nuclear plant, where the United States and Israel were closely associated with.
In Twitter, he has even joked how was a “cyberweapon seller” thinking that he worked in the same area as Stuxnet but now that he is being questioned, he cannot help but think how this could have been taken so seriously by their local government.
Thereafter, he was informed that his case was abandoned after eight long months of difficult ordeal. While it was a sigh of relief, Unuver cannot go back anymore to his usual state, insecure and uncertain of what lies ahead.
The case of Unuver and Skylarov only prove that even smaller researchers like them are potentially in harm’s way for being mistaken as spies. The lack of understanding between exploit trade and vulnerabilities in the local scene alone only continues to contribute to the danger such circumstance brings. Until then, small scale and large security research firms must endure the threat their craft brings. And until then, a researcher must be prepared to be mistaken as a potential spy.