NSS Labs, a third-party security product tester, has filed an antitrust lawsuit against CrowdStrike, ESET, Symantec and the Anti-Malware Testing Standards Organization (AMTSO), alleging they conspired to prevent independent testing that could uncover security flaws in their products.
Symantec's managed security services arm is a Top 100 MSSP for 2018. Both CrowdStrike and ESET have growing relationships across the MSP and MSSP ecosystems.
In the lawsuit, NSS claimed the defendants allowed their products to be tested only by organizations that comply with AMTSO's testing protocol standard. All of the accused co-conspirators, including the complainant NSS, participate in the AMTSO project, which last May adopted its first testing protocol standard developed in concert by 20 cybersecurity vendors and testers. The idea is to reassure consumers that testing has been “conducted in good faith, without bias, and with full transparency of engagement between testers and vendors.”
That hasn’t been the case, NSS contends. “If you are in the cybersecurity industry, it won’t surprise you to hear that vendors often know about their products’ deficiencies yet don’t reveal them to consumers,” wrote Vikram Phatak, NSS Labs CEO, in a blog post. “What should shock you is that they are actively conspiring to prevent independent testing that uncovers those product deficiencies to prevent consumers from finding out about them."
Additional AMTSO signees involved in the scheme but not named in the lawsuit include vendors AV-Comparatives, Bitdefender, Carbon Black, FireEye, Microsoft, Kaspersky Lab, and Trend Micro. Those included in the lawsuit are spearheading the conspiracy, Phatak told ZDNet. There are others, he said, that will be identified as the case progresses.
A True Conspiracy? Tricky Claim
Conspiracy is difficult to prove. The co-conspirators must have agreed together to commit an illegal act that had at its core a common goal. Yet, Phatak’s argument alleges that the fix was in, a back-room hatched boycott of NSS’ independent testing in which the vendors protected one another.
“Being the sole vendor refusing to be tested is bad for sales.…However, if a group of vendors agree ahead of time to boycott an independent test lab – say a lab they cannot get to do their bidding – then each is insulated from criticism by being one among many,” the CEO claimed.
The way in which AMTSO operates and how the standard was developed appears to be the foundation for the lawsuit. Indeed, it hasn’t been only NSS but also AV-Comparatives, AV-Test, and SKD Labs that have pushed back against the standard. Phatak said that the AMTSO’s version of ‘fair and useful’ testing harbors a potential conflict of interest. Because it has been developed by those security vendors “whose products are being tested, not a neutral, independent third-party setting a higher bar for the security vendors and the industry...what they’re actually doing is actively preventing unbiased testing.”
The executive called out CrowdStrike in particular as an example of the conspiracy, complaining that specific passages in its end user licensing agreements prevent independent testing of their products. ”This unethical and deceptive behavior hampers transparency and hinders consumers in their ability to assess whether a product delivers on its promises,” he said.
Lawsuit Responses
As you might expect, the accused vendors have something to say about the lawsuit. (via ZDNet and MSSP Alert)
- From CrowdStrike: "NSS is a for-profit, pay-to-play testing organization that obtains products through fraudulent means and is desperate to defend its business model from open and transparent testing. We believe their lawsuit is baseless."
- From Symantec: "We are aware of the lawsuit filed by NSS Labs and we believe that their claims against us are entirely baseless. While it’s understandable that NSS Labs’ desire for profits may be inherently at odds with a non-profit, standards-based organization such as AMTSO, the integrity of the testing process should be of utmost importance, starting with transparency and equity for all participants. We welcome the opportunity to bring the discussion of fair and open testing further into the public conversation, while also shining a light on certain business practices within the testing industry."
" - From ESET: "We are aware of the allegations stated in the blog post from NSS Labs, however, we have yet to receive official legal communication. As legal proceedings appear to have been initiated, we are unable to say more at this time, beyond the statement that we categorically deny the allegations."
Calls for vendors to cut a wider path for product security testing are gaining traction as millions of Internet of Things (IoT) devices flood the market. For example, a survey by Trustwave, a Top 100 MSSP for 2018, found that security concerns often prevent organizations from adopting IoT technologies. Still, IoT security considerations often take a back seat to product features and timeliness, potentially leaving consumers uninformed and unaware of risks associated with a vendor’s product.
Article updated September 26, 2018 with Symantec statement.
