NSS Labs vs. CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization

Advancing Transparency and Accountability in the Cybersecurity Industry

On September 18, 2018, NSS Labs filed an antitrust suit against CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization (AMTSO). You might be asking yourself, why?

NSS Labs’ mission is to advance transparency and accountability in the cybersecurity industry. We filed this suit because some vendors have not been living up to their responsibility to protect consumers and they know it, and they’re trying to prevent the public from knowing it too. If you are in the cybersecurity industry, it won’t surprise you to hear that vendors often know about their products’ deficiencies yet don’t reveal them to consumers. What should shock you is that they are actively conspiring to prevent independent testing that uncovers those product deficiencies to prevent consumers from finding out about them.

Keep in mind that these actions are not occurring in a vacuum. When a customer unknowingly relies on a flawed security product it can have serious consequences – from financial losses to physical safety. We filed this suit because we believe it’s important to bring the actions of some antivirus (AV) vendors to light and shine a spotlight on several bad behaviors in the cybersecurity industry. In short, some vendors have not been living up to their responsibility to protect consumers and they know it. Exposure to cyber risks is worsening daily and the implications are staggering. Given the pervasiveness of cyberattacks and the resulting impacts to our society, it is more critical than ever for cybersecurity products to do what they promise.

Just a few weeks ago, Kirstjen M. Nielsen, Secretary of Homeland Security stated that the breadth, scope and consequences of cyberattacks exceeds the risk of physical attacks and these attacks have moved past the epidemic stage and are now at a pandemic stage. The World Economic Forum estimates global losses due to cybercrime at US $0.5 Trillion in 2017 and these losses are projected to grow even more rapidly. 

But what does this have to do with our lawsuit?

NSS Labs frequently uncovers product deficiencies during our independent tests. We tell customers about those deficiencies. As you can imagine, this can hurt a vendor’s sales. So, what is a vendor to do?  Some (the good ones) fix their products. Others try to avoid being tested. But being the sole vendor refusing to be tested is bad for sales.…However, if a group of vendors agree ahead of time to boycott an independent test lab – say a lab they cannot get to do their bidding – then each is insulated from criticism by being one among many. You hopefully see where this is going.

The actions of the parties named in this suit were conducted by and through their participation in the Anti-Malware Testing Standards Organization (AMTSO), an organization that claims its purpose is to establish standards “for fair and useful testing.” What they neglect to tell you is that their version of “fair and useful” tests are driven by the same security vendors whose products are being tested; not a neutral, independent third-party setting a higher bar for the security vendors and the industry. They claim to try to improve testing but what they’re actually doing is actively preventing unbiased testing. Further, vendors are openly exerting control and collectively boycotting testing organizations that don’t comply with their AMTSO standards – even going so far as to block the independent purchase and testing of their products.

In addition, a number of vendors such as CrowdStrike have conspired to prevent testing of their products by placing clauses in their end user licensing agreements (EULA) that make testing of their products subject to their permission. This unethical and deceptive behavior hampers transparency and hinders consumers in their ability to assess whether a product delivers on its promises.

Out of necessity, consumers trust their security vendors to do right by them but in reality, they often have no way to know if they should. Which is why at NSS Labs we have a saying, “If it is good enough to sell, it is good enough to test.” 

Many of you reading this have relied on NSS Labs tests and insights to guide your decisions. We strive to earn your trust every day and do not take your trust for granted. It is our hope that our actions today mark an important step forward in advancing transparency and accountability in the cybersecurity industry.

Thank you for your continued support.

Vikram Phatak, CEO of NSS Labs

Follow us on Twitter (@NSSLabs) to keep informed as new research is released.

TAGS: Cybersecurity, NSS Labs, Testing