By: Sedgwick Jeanite
Three of the biggest names in the cybersecurity world, CrowdStrike, Inc., Symantec Corporation and ESET, LLC have been named as defendants in an antitrust lawsuit that alleges they conspired to hamper independent reviews of their antivirus products. A fourth defendant in the action is Anti-Malware Testing Standards Organization, an organization formed in 2008 to develop the first official standards for anti-malware testing. Ordinarily, customers pay attention to antitrust litigation because the outcome may have some financial impact on the price for products. However, in this day and age, where cybersecurity is extremely important to every company, the facts alleged in this antitrust lawsuit could undermine consumers and customers’ confidence in certain cybersecurity products.
On September 18, 2018, cybersecurity testing provider NSS Labs Inc. filed an antitrust lawsuit against CrowdStrike, Symantec and ESET in the U.S. District Court for the Northern District of California. According to NSS, the three companies are attempting to set conditions on how their products are independently vetted. NSS alleges that the three companies seek to prevent a bad review of their products from harming their respective reputations. However, their attempts to prevent a bad review of their products potentially subjects and exposes their customers to significant security risks. NSS asserts that CrowdStrike, Symantec and ESET are actively conspiring to prevent independent testing of their products that would uncover deficiencies in the products and the protections they supposedly offer to customers.
Security vendors and independent testing labs traditionally have had an uneasy and sometimes contentious relationship over control of the testing process and parameters. Thus, the friction between the vendors and testing labs is nothing new. In fact, in 2017 CrowdStrike lost an effort to obtain a restraining order and injunction to prevent NSS from releasing results of a test of Advanced Endpoint Protection, a cybersecurity product manufactured and sold by CrowdStrike. However, the September 2018 antitrust lawsuit filed by NSS clearly represents an escalation of those conflicts and also provides outside entities, including customers, with the following interesting facts:
- NSS is the world’s leading provider of cybersecurity testing services.
- Independent testing of cybersecurity products including Endpoint Protection products is essential for customers to have accurate information regarding the performance of these products because few, if any, customers have the ability to accurately test EPP products for themselves.
- On May 22, 2018, the AMTSO adopted its Testing Protocol Standard for the Testing of Anti-Malware Solutions.
- NSS alleges that the AMTSO is being used to set the terms by which a test can be conducted instead of being used to set the standards that products should be expected to meet.
- The vendors are conspiring, by and through AMTSO and otherwise, to restrict and have restricted competition in the testing of EPP products and AEP products to preclude objective and accurate testing.
- The vendors agreed to refuse to deal with and boycott any EPP testing company seeking to test or testing EPP and AEP products that does not agree to adhere to the AMTSO Testing Standard.
- In NSS’ experience, EPP vendors, including AEP vendors, frequently make unsubstantiated and/or overstated claims about the lack of EPP Security Defects in their products and therefore the ability of their products to detect, prevent, or remediate cyberattacks perpetrated by criminals and state actors.
- In NSS’ experience, most EPP products, including AEP platforms, do not live up to their performance claims and, even when they do literally live up to their performance claims, the protections are often so limited that they can be evaded.
- It is essential for customers and potential customers of EPP products, including AEP products, to have access to accurate and unbiased tests of the products that are not controlled or directed by the EPP product companies since customers and potential customers generally have no ability to evaluate the performance of EPP products for themselves.
- Misleading the consumer and the public regarding the effectiveness of cybersecurity products has a direct effect on public safety and the safety of businesses and individuals who rely on EPP products.
In the complaint, NSS alleges that the conspiracy has caused it harm, injured its business and property, and asserts ten separate causes of actions against the defendants including eight causes of action for Violation of Section 1 of the Sherman Act (15 USC § 1) and two causes of action for Violation of the Cartwright Act (California Business & Professions Code § 16720).
While most of NSS’ claims are personal to the company, there are certain implications that are relevant to customers and consumers. First, out of necessity, consumers trust the representations made by security vendors and the products they market and sell to protect them and their businesses. In reality, they often have no way to know if the products are operating as advertised. It is likely that some vendors have not been living up to their responsibility to protect consumers and they know it. Vikram Phatak, the CEO of NSS, wrote in a blog post that “it won’t surprise you to hear that vendors often know about their products’ deficiencies yet don’t reveal them to consumers.” Through independent testing, products that do not meet certain standards or requirements would be exposed and companies would be forced to improve those products.
Second, when a customer unknowingly relies on a flawed security product it can have serious consequences – from financial losses to physical safety. For example, in February 2018, the White House said that malicious cyber activity could cost the U.S. economy between $57 and $109 billion dollars in 2016. The World Economic Forum estimates global losses due to cybercrime at US $0.5 trillion in 2017 and these losses are projected to grow even more rapidly.
Exposure to cyber risks and cyberattacks is worsening daily and the implications are staggering. Given the pervasiveness of cyberattacks and the resulting impacts on businesses, consumers and customers, it is important that cybersecurity products perform as marketed and are subjected to accurate, unbiased and independent tests as other products in the marketplace.