A major cybersecurity firm has been removed from the list of vendors approved for use by federal agencies amid concerns over its relationship with the Russian government. The Moscow-based Kaspersky Lab was delisted by the Trump administration last week, following reports that the company had been working closely with Russian intelligence services, even joining them on raids—claims the company denies.
Kaspersky Lab is one of the world's largest consumer IT security software vendors, with hundreds of millions of users, and its antivirus software can be purchased everywhere from Best Buy to Walmart. But not by federal agencies.
From Russia With Love?
“When it comes to the business of security, provenance matters,” Robert Hackett writes in Forbes. And Kaspersky Lab’s provenance has long made some in the government suspicious. Founded in 1997 by Eugene Kaspersky, a Russian cybersecurity expert, the company has spread across the world, earning a reputation for identifying emerging cybersecurity threats quickly. But the company’s founder “was never able to overcome lingering suspicions among U.S. intelligence officials that he and his company were, or could become, pawns of Russia's spy agencies,” according to Reuters.
In May, U.S. intelligence chiefs testified before Congress that they doubted the trustworthiness of the firm’s products, while the FBI has interviewed Kaspersky employees about their use of U.S. data.
A recent expose by Bloomberg Businessweek declared: "Kaspersky Lab Has Been Working With Russian Intelligence." Leaked emails from 2009 show that the company was working with the Russian Federal Security Service, the intelligence agency that’s the successor to the KGB, not just to protect against hackers, but to track them down in real time and in person, Bloomberg claimed.
“Kaspersky provides the FSB with real-time intelligence on the hackers’ location and sends experts to accompany the FSB and Russian police when they conduct raids,” according to an expose in Bloomberg. “They weren’t just hacking the hackers; they were banging down the doors.”
The company has denied that it’s too close to Russian intelligence. “Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have any unethical ties or affiliations with any government, including Russia,” a company statement said. And as rumors about the company’s integrity spread this spring, Eugene Kaspersky went on Reddit to denounce the concerns as “total BS” and “unfounded conspiracy theories.” He has offered to testify before Congress and “respond to all questions from the U.S. government that may arise.”
The “collusion” between Kaspersky Lab and Russian intelligence has been questioned by some cybersecurity commentators, who view the reports by Bloomberg and others as weak evidence of potential wrongdoing. Some have argued that such shady dealings are simply part and parcel of the infosec world.
Caught in the Crossfire?
The federal delisting “represents the most concrete action taken against Kaspersky following months of mounting suspicion among intelligence officials and lawmakers that the company may be too closely connected to hostile Russian intelligence agencies,” Reuters explains.
The delisting removes Kaspersky Lab from the General Services Administration’s list of approved vendors for contracts covering IT services and digital photography equipment. The decision was taken “after review and careful consideration,” the agency says, as part of its mission “to ensure the integrity and security of U.S. government systems and networks.”
But the delisting isn’t exactly a blacklisting. Government agencies that don’t follow GSA procurement procedures can still buy Kaspersky services, though a bill before Congress would bar the Department of Defense from doing so.
Kaspersky wouldn’t be the first company to find itself caught in geopolitical cybersecurity crossfire. Both the U.S. and Chinese governments have a history of prohibiting foreign vendors that could be exploited by hostile parties, as Hackett details:
For years, the United States has effectively banned the Chinese tech giant Huawei from entering its network equipment market for fear of possible government-mandated backdoors. Former President Barack Obama last year blocked a Chinese investment fund from acquiring Aixtron, a German chip equipment maker with a presence in the U.S., citing security concerns. China, meanwhile, has long barred western social media companies, like Facebook, from making inroads within the Middle Kingdom, where the Communist Party regards free speech as a threat.
Kaspersky Lab is just “the latest company to receive the brunt of a nation’s suspicions,” he writes.
For those who are suspicious, though, and who aren’t the heads of federal agencies, knowing whether you’re exposed to any potential Kaspersky-related risks can be difficult. First, if the government has more than just a suspicion about Kaspersky Lab, it’s not making any of that evidence public at this time. Second, while Kaspersky claims nearly 400 million users, as many as 200 million of those are unwitting users. Licensing agreements mean that Kaspersky’s software is embedded in everything from firewalls to telecommunications equipment, Bloomberg reports, “none of which carry the Kaspersky name.”
This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at casey.sullivan@logikcull.com or on Twitter at @caseycsull.
