MELISSA BLOCK, HOST:
So the U.S. government doesn't buy from Kaspersky, or other foreign companies, but American consumers can buy whichever anti-virus software they'd like. Joining me to talk about how these computer security companies do their work is NPR tech reporter Aarti Shahani. And, Aarti, let's start with Kaspersky, which, as we mentioned earlier, is a corporate sponsor of NPR News. We heard Corey say that people have raised concerns about the work that this company has done for the Russian security services. Does that mean American consumers should be wary of Russian spying?
AARTI SHAHANI, BYLINE: (Laughter) No. That's really not what it means at all. Kaspersky has millions of users, and their software is a published product, which means that outsiders can reverse engineer it. Plenty of people are pouring over Kaspersky and all the other major anti-virus software trying to find weaknesses so they can be fixed. It's not in the business interest of the company to leave in some obvious backdoors as a favor to hackers, you know, Russian intelligence or otherwise. Researchers in the community would find it and fry them for it. That's pretty much the consensus among the experts I've interviewed.
BLOCK: We do hear about new and novel computer techs all the time, Aarti. Do the anti-virus companies respond to these alone? Do they ever combine forces to fight them together?
SHAHANI: You know, collaboration is absolutely key here. Microsoft, McAfee, Trend Micro, Kaspersky, Symantec - they all collect samples of malware - malicious software - and they exchange kind of like in a club. But researchers in those companies tell me this exchange is very in-depth and critical to the work. They need a database of malware samples that's global and cross-border because attacks don't respect borders. Basically, the companies find new pieces of malware. They upload samples to a file sharing site, and they give the people they trust a login to access. The way anti-virus works you can only stop something you've seen before, so if an attacker comes up with something new, then you need to flag it for future versions of your software to detect.
BLOCK: The point there being, though, Aarti, that there's no way that anti-virus products can work all of the time against any malware.
SHAHANI: You know, that is a key point. The bad guys have copies of all the anti-virus software that's out on the market. So, you know, imagine they're in a lab, running tests on Kaspersky, Symantec, whatever, and they keep tweaking the malware they're writing until it doesn't get caught. When it looks just different enough that it can't be detected, that's when they launch it. So that's the problem with anti-virus. By its very design, it can't catch everything.
BLOCK: So if that's the problem, what's the solution to that?
SHAHANI: Well, you know, you can never get rid of all risk in the world, but one way to fight back is to add an extra layer of monitoring. Get another kind of software that keeps track of every laptop, desktop, device on the network, and right there look for attempts at intrusion and zap them. All the big banks, defense contractors, high-value targets have this system for incident response - so teams looking for novel attacks. But that's, again, for high-value targets, which face a lot more risk and need more protection than everyday users.
BLOCK: OK, Aarti, thanks so much for talking to us.
SHAHANI: Thank you.
BLOCK: That's NPR's Aarti Shahani. She's just back from two big conferences on cybersecurity and hacking. Transcript provided by NPR, Copyright NPR.