NSS Labs has filed an antitrust lawsuit against CrowdStrike, Symantec, and ESET, alleging that the organizations have conspired to restrict independent product testing through AMTSO membership.
On Wednesday, the security product testing company’s CEO, Vikram Phatak, said that the antitrust lawsuit relates to vendors which “are actively conspiring to prevent independent testing that uncovers product deficiencies to prevent consumers from finding out about them.”
Among these vendors, Phatak claims, are CrowdStrike, Symantec, and ESET.
The cybersecurity companies are participants in the Anti-Malware Testing Standards Organization (AMTSO), which is a project designed to “introduce definitive standards for fair and useful testing,” as well as “provide detailed advice on how to run tests.”
Other members of the scheme — but not related to the antitrust case — are AV-Comparatives, Bitdefender, Carbon Black, FireEye, Microsoft, Kaspersky Lab, and Trend Micro.
NSS Labs is also a member of AMTSO.
The suit was filed with a US district court in Northern California on Tuesday. According to court documents (.PDF), NSS Labs alleges that the company is a “direct target” of the “conspirators” through AMTSO in efforts to “restrict competition in the testing of cybersecurity products that are critical to, but often fail at, the protection of computer systems operated by governments, businesses, and consumers.”
“NSS Labs frequently uncovers product deficiencies during our independent tests,” the executive says. “We tell customers about those deficiencies. As you can imagine, this can hurt a vendor’s sales. So, what is a vendor to do? Some (the good ones) fix their products. Others try to avoid being tested.”
A core reason for the lawsuit appears to be how AMTSO operates and which companies are members.
The testing of AV products is important. Not only can this uncover security vulnerabilities and weaknesses which vendors can patch before customers are put at risk of harm, but this can give consumers a marker for which cybersecurity solutions to adopt — and which to avoid.
Phatak says that the project’s idea of “fair and useful” testing is inherently flawed as they are “driven by the same security vendors whose products are being tested; not a neutral, independent third-party setting a higher bar for the security vendors and the industry.”
In turn, this potential conflict of interest could be detrimental to independent, unbiased product tests.
The AMTSO Testing Standard, which the complaint deems “unlawful,” raised the objections of members including NSS Labs, AV-Comparatives, AV-Test, and SKD LABS.
Despite these objections and a vote, the standard has been adopted. NSS Labs alleges that the cybersecurity firms named in the complaint allegedly agreed to boycott any testing company which did not adhere to the standard.
The testing firm says that such alleged behavior is illegal “or, at a minimum, unreasonably restrains competition” in the cybersecurity product testing market.
“Further, vendors are openly exerting control and collectively boycotting testing organizations that don’t comply with their AMTSO standards — even going so far as to block the independent purchase and testing of their products,” Phatak alleges.
The complaint claims that through AMTSO, the cybersecurity vendors have come together to blindside NSS Labs, actions which have already caused “substantial injury.”
The security testing firm also alleges that it “will suffer further injury, including irreparable injury such as permanent loss of market share,” unless the apparent conspiracy is stopped.
NSS Labs says that there is no competitive justification for the AMTSO Testing Standard and the project’s goals will likely only result in restraining competition.
“AMTSO’s efforts at determining how products are tested does not advance compatibility, interoperability, consumer safety or any other pro-competitive basis for standardization,” the company added. “Rather, AMTSO and the AMTSO Testing Standard exist solely to enable product vendors to avoid competition on quality and price with no offsetting benefits to competition.”
The NSS Labs executive specifically mentions CrowdStrike, pointing to clauses in end-user licensing agreements (EULA) which allegedly prevent tests occurring without the firm’s permission.
“This unethical and deceptive behavior hampers transparency and hinders consumers in their ability to assess whether a product delivers on its promises,” NSS Labs says. “If it is good enough to sell, it is good enough to test.”
This is not the first time that NSS Labs and Crowdstrike have clashed. In 2017, Crowdstrike failed to prevent a report being made public which related to the Falcon Host antivirus product.
NSS Labs conducted the testing, which Crowdstrike claimed was performed poorly and was “deeply flawed.” Crowdstrike also said at the time that NSS Labs’ behavior was “unethical, illicit, and subversive.”
An ESET spokesperson said the cybersecurity firm is yet to receive any official, legal communication, and as such, “we are unable to say more at this time, beyond the statement that we categorically deny the allegations.”
“Our customers should be reassured that ESET’s products have been rigorously tested by many independent third-party reviewers around the world, received numerous awards for their level of protection of end users over many years, and are widely praised by industry-leading specialists,” the spokesperson added.
ZDNet has reached out to CrowdStrike, Symantec, ESET, and AMTSO and will update if we hear back. We have also contacted NSS Labs with additional queries.
Previous and related coverage
Source Article from https://www.zdnet.com/article/nss-labs-files-lawsuit-against-crowdstrike-symantec-eset-amtso/#ftag=RSSbaffb68
NSS Labs files lawsuit over alleged CrowdStrike, Symantec, ESET product test conspiracy
Latest blogs for ZDNet
Latest blogs for ZDNet