By Joseph Menn
SAN FRANCISCO (Reuters) - The $71 billion cybersecurity industry is fragmenting along geopolitical lines as firms chase after government contracts, share information with spy agencies, and market themselves as protectors against attacks by other nations.
Moscow-based cybersecurity firm Kaspersky Lab has become a leading authority on American computer espionage campaigns, but sources within the company say it has hesitated at least twice before exposing hacking activities attributed to mother Russia.
Meanwhile, U.S. cybersecurity firms CrowdStrike Inc and FireEye Inc <FEYE.O> have won fame by uncovering sophisticated spying by Russia and China - but have yet to point a finger at any American espionage.
The balkanization of the security industry reflects broader rifts in the technology markets that have been exacerbated by disclosures about government-sponsored cyberattacks and surveillance programs, especially those leaked by former U.S. intelligence agency contractor Edward Snowden.
"Some companies think we should be stopping all hackers. Others think we should stop only the other guy's hackers - they think we can win the war," said Dan Kaminsky, chief scientist at security firm White Ops Inc, putting himself in the former camp.
Kaspersky Lab has faced questions about its connections to Russian intelligence before: Chief Executive Eugene Kaspersky had attended a KGB school, Chief Operating Officer Andrey Tikhonov was a lieutenant colonel in the military, and Chief Legal Officer Igor Chekunov had served in the KGB's border service.
Eugene Kaspersky said the firm has never been asked by a government agency to back away from investigating a cyberattack, and said that its international team of researchers would not be swayed by any one country's national interests.
Still, several current and former Kaspersky Lab employees said the firm has dithered over whether to publish research on at least two Russian hacking strikes.
Last year, Kaspersky Lab officials privately gave some paying customers a report about a sophisticated computer spying campaign that it had uncovered. But the company did not publish the report more widely until five months after British defense contractor BAE Systems Plc <BAES.L> exposed the campaign, linking it to another suspected Russian government operation and noting that most infected computers were found were in Ukraine.
"We were late," Eugene Kaspersky said about the report, but he denied that political considerations were at play. "It is not possible to be the champion in every game."
In 2013, Kaspersky Lab researchers uncovered another spying operation, dubbed Red October, that was written by Russian-speaking programmers and targeted governmental and diplomatic organizations in Europe, Central Asia and North America.
It was only after a heated internal debate that the firm decided to publish a report on that operation, which it believed to be the work of the Russian military's GRU foreign intelligence branch, according to several current and former Kaspersky Lab employees who did not want to be identified.
WHERE TO DO BUSINESS
Kaspersky Lab has been the first to expose a series of major U.S. cyberattacks, including, most recently, the tools that may have been used to spread the Stuxnet worm that sabotaged Iran's nuclear program.
Like its U.S. competitors Symantec Corp <SYMC.O> and Intel Corp <INTC.O>, Kaspersky Lab drops hints about who it thinks are behind the attacks but does not publicly name the country.
Kaspersky's success in uncovering U.S. campaigns is in part because its anti-virus software and security products are sold in countries of high interest to American spies, such as Iran and Russia. Much of its research is based on data from customer computers that use Kaspersky software.
CrowdStrike, a privately held cybersecurity firm based in Irvine, California, will not sell its services in either Russia or China because it does not want to face pressure to suppress information about the activities of those governments. That also means the firm is less likely to stumble across the United States' most ambitious intelligence-gathering efforts.
"We're selective about our customers," said CrowdStrike Co-founder Dmitri Alperovitch. "You can't play both sides."
CrowdStrike's customers include major global banks and tech companies.
FireEye avoids selling its services in China and Afghanistan, but does have clients in Russia. Last year, it acquired computer forensics firm Mandiant Corp, founded by a former U.S. Air Force officer, Kevin Mandia.
As many of Mandiant's first large customers were U.S. Defense Department suppliers, it came across spying campaigns launched by Chinese hackers. That started a cycle in which Mandiant was hired by other companies worried about China, enhancing the firm's knowledge and reputation in dealing with that type of threat.
If companies specialize too much in one region, however, they could miss attacks elsewhere, security experts said.
As governments spend more to protect their networks from hackers, they draw closer to the cybersecurity companies. Senior U.S. intelligence officials, notably from the National Security Agency, have also joined private security companies after leaving their posts, drawn by surging demand for cyber expertise.
Greater information sharing, as proposed by a bill backed by U.S. President Barack Obama, would push the public and private sectors still closer.
"I would not be surprised if the NSA went to Symantec and McAfee and asked them not to detect something," said cryptography expert Bruce Schneier, chief technology officer at Resilient Systems Inc, a security firm.
Spokespeople for Symantec and Intel, which bought McAfee in 2011, said that has not happened.
To be sure, Symantec has played a critical role, along with Kaspersky Lab, in exposing the U.S.-led Stuxnet, and it has backed up other Kaspersky findings since then.
"We are being completely agnostic to who the malware author may be," said Symantec Principal Security Response Manager Vikram Thakur.
Asked if Mandiant would ever expose a U.S. spying program, the firm's technical director, Ryan Kazanciyan, said: "I honestly don't know."
Vitor De Souza, spokesman for parent company FireEye said: "We would do a report on a U.S. group if they broke the law."
The ties between governments and homegrown security firms could yet break apart, especially if intelligence agencies start corrupting anti-virus software to spy on target machines.
"Security products might become one of the main vectors of getting access," said Mikko Hypponen, chief research officer at Finland's F-Secure Oyj <FSC1V.HE>.
White Ops' Kaminsky, whose company identifies networks of compromised computers being used for fraud, said some security companies' own attitudes could end up making things worse faster.
"The global economy depends on a secure Internet, and that means no back doors for anybody," he said. "Nobody wants to live in a war zone."
(Additional reporting by Jim Finkle in Boston; Editing by Tiffany Wu)