The AV industry in the post-Snowden era

Bits of Freedom [1], a Dutch digital rights organization that focuses on privacy and communications freedom, was among the first organizations worldwide to ask questions about the detection of malware developed or sponsored by governments following the Snowden revelations. It is unlikely to be the last group to seek answers from the anti-malware industry. Ultimately, though, we are likely to see state led efforts to change the situation, which will impact directly on the IT industry and the anti malware sector.

The Brazilian government has abandoned its hitherto apathetic stance regarding information security matters in favour of a more aggressive, critical position. In a bid to halt cyber-espionage, the government’s agenda now includes laws and decrees that will affect the day-to-day work of IT companies in the country.

One of the laws soon to be approved in Brazil will force foreign companies (including anti malware firms) to host their servers in the country [2] if they want to do business on Brazilian soil. In this way, the government believes it will have more control over the data of its citizens, and will be able to prevent abuse by other governments. Foreign companies will have to weigh up the costs and benefits of implementing data centres in Brazil – which currently boasts neither competitive prices nor a strong infrastructure.

Elsewhere, the European Union was already preparing to reassess issues concerning the data of its citizens prior to the revelations about the NSA spying regime. In 2009, the same issue caused serious problems for Google’s European operations, forcing the company to upgrade its software to meet local requirements. It seems certain that the anti-malware industry will face similar challenges. Does your software have protection features using the cloud? [3] Be prepared to change it at the request of a major customer or to meet the demands of governments and new legislation.

In 2014, the Brazilian government will no longer buy new computers or software that cannot be audited by the government itself – operating systems and other software will no longer be used if companies make it difficult to audit the source code. Software vendors will be required to change their terms of use to ensure that nothing from the government’s information network can be sent to servers outside the country. These requirements will cause legal and technical uncertainty for many companies that operate in Brazil but which still need to comply with the legal standards of their home countries. And how many companies will be prepared to share the source code of their products?

The political sentiment at this time – not only in Brazil but also in several European countries affected by these espionage schemes – is one of exacerbated nationalism. This is reflected in the decision to rate companies according to their country of origin, regardless of the quality of their products. In Brazil, the authorities and the military are adopting laws which will require them to give preference to suppliers of Brazilian origin. Where the authorities cannot fully control these companies, or lack the technology required, they will aim to develop the products themselves in the longer term.

We should expect to see governments creating their own anti malware products. The Brazilian government has already invested in DefesaBR, a Brazilian-made AV that is intended to replace foreign products in the near future. I expect many other governments to take a similar course of action.

These are complex and challenging issues: governments are large purchasers of software and everyone wants their custom. Now, they are not only seeking protection against malware developed by other governments, but they also want to control and shape the anti-malware solutions according to their internal policies or interests.

The question is whether the anti malware industry is prepared to respond to such changes. For now, we can only wait and see.

Latest articles:

Bulletin Archive