Cybersecurity testing standards under antitrust scrutiny at Justice Department

Cybersecurity vendors including CrowdStrike, Symantec and ESET are under the microscope at the Justice Department for their role in potentially excluding third-party testing services that don’t adhere to particular standards, MLex has learned.

The civil investigation is in the initial stage, with the Justice Department having sent letters to at least those three companies, along with the Anti-malware Testing Standards Organization, or AMTSO, and NSS Labs, requesting that the companies retain relevant documents, it is understood.

The investigation is understood to have been opened in late February. Antitrust prosecutors in San Francisco are investigating the conduct, it is understood.

The investigation follows a private lawsuit filed by security testing service NSS that accused AMTSO and the three companies of creating biased testing protocols and boycotting testing services that refuse to adhere to the standards.

The Justice Department investigation is understood to be focused primarily on the allegations in the private lawsuit, which was filed in September last year.

A spokesperson for NSS said the company "has no comment on this matter." CrowdStrike, Symantec, ESET and AMTSO did not respond for comment. The Justice Department declined to comment.

In the private case, Symantec, CrowdStrike, ESET and other unnamed cybersecurity vendors are accused of using AMTSO to create a skewed framework for evaluating their products and refusing to deal with third-party testing services unless they agreed to abide by their rules, according to the lawsuit from Texas-based NSS.

According to the lawsuit, CrowdStrike Chief Technology Officer Dimitri Alperovitch organized a meeting with his company, ESET and Symantec at the RSA security conference in February 2017 in San Francisco.

At the meeting, the companies had "the express intent, purpose and effect of obtaining agreement among the competitors to refuse to do business with companies, including specifically NSS Labs, who attempt to perform public tests of their products using testing methodologies other than those agreed to by the [companies] and embodied in the AMTSO Testing Standard," according to the lawsuit.

A spokesperson for the RSA conference, held annually in San Francisco, did not respond for comment.

According to the lawsuit, during the development of the testing standards, NSS wrote to AMTSO president Dennis Batchelder to criticize the process. “Instead of using the Draft Standard to improve product offerings and protect the end user, vendors have repeatedly used it as a tool to demonstrate their dissatisfaction with tests where they have underperformed or with test results that they have been unable to use to support their marketing claims,” according to a May 2018 letter sent by NSS.

“Although the Draft Standard calls for testers to test any solution, it does little to ensure that vendors cannot block or prevent testers from procuring the product to conduct a test, nor does it prevent vendors from intentionally sabotaging a test,” the letter stated.

Because of these disagreements, NSS said in the letter that it was withdrawing from the standards working group.

In its motion to dismiss NSS's lawsuit, however, ESET said any allegations that it colluded on the testing standards are illogical, as it was not a member of the working group, and it voted against the standard.

In its response, CrowdStrike said that its decision to stop doing business with NSS predates the conduct alleged in the NSS lawsuit. It unilaterally decided to stop doing business with the Texas company, CrowdStrike said. As evidence of its decision, Crowdstrike pointed to ongoing litigation between the two companies over results of a test in 2017.

A hearing on the motions to dismiss from those companies, as well as Symantec and AMTSO, is scheduled for May 30.

The Justice Department's antitrust division has made a push to investigate the complex world of standard-setting since its current chief, Makan Delrahim, took the top spot in late 2017.

Delrahim has given multiple speeches about the importance of enforcing antitrust laws in the standard-setting context, where he has expressed concern about opportunities for collusion. Delrahim's comments have typically referenced patents for essential technologies such as cellular communications, but he has emphasized the potential more broadly for the standard-setting process to violate antitrust law.