Five things to know about the Kaspersky-Russia controversy

Government scrutiny of Moscow-based cybersecurity firm Kaspersky Lab grew this week after the Trump administration barred federal agencies and departments from using software produced by the company, citing potential risks to U.S. national security.

The multinational firm, which boasts more than 400 million customers globally, has come under fire in Washington as lawmakers have grappled with Moscow’s alleged interference in the 2016 presidential election. 

The U.S. government has never produced public evidence linking the company to the Kremlin. But the Department of Homeland Security (DHS) made waves this week by issuing a public directive ordering federal executive bodies to come up with “detailed plans” to discontinue their use of Kaspersky anti-virus software. 

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” the department said.

Here are five things you need to know about Kaspersky and the controversy around whether its anti-virus products can be trusted.

U.S. officials have signaled concerns about Kaspersky for months

Kaspersky Lab has been the subject of media attention in recent years, partly because of founder Eugene Kaspersky’s background. Kaspersky was educated at a Soviet-era military scientific institute sponsored by the KGB, the predecessor to Russia’s current FSB intelligence service. 

“The company securing your internet has close ties to Russian spies,” Bloomberg News charged in a March 2015 article. 

But that scrutiny has ramped up in recent months, amid Capitol Hill probes of Russian interference in the presidential election.

{mosads}During a public Senate Intelligence Committee hearing in May, six top intelligence officials testified that they would not be comfortable having Kaspersky software on their computers. 

“A resounding ‘no’ from me,” said Andrew McCabe, then the acting director of the FBI.

Rob Joyce, President Trump’s cybersecurity coordinator, echoed those concerns three months later.

“I worry that as a nation-state Russia really hasn’t done the right things for this country and they have a lot of control and latitude over the information that goes to companies in Russia. So I worry about that,” Royce, the former leader of an elite NSA hacking group, said during a televised interview on CBS News.

The government has never produced public evidence tying Kaspersky to the Kremlin

Despite concerns raised about the company by current and former intelligence officials, the federal government has not ever produced any public evidence demonstrating that Kaspersky has any links to the Russian government.

Most of the speculation about the company’s links to Moscow has been confined to news publications. The company is said to be the subject of a long-running FBI probe.

This lack of evidence is a primary detail that the company has cited as proof that concerns about its trustworthiness are unfounded.

But the Homeland Security announcement added credibility to worries about Kaspersky, with DHS citing “ties between certain Kaspersky officials and Russian intelligence” as reason for concerns.

Still, the company isn’t backing down. Kaspersky plans to take up DHS on its request to submit a written response to mitigate concerns.

“The company is disappointed with the decision by the U.S. Department of Homeland Security (DHS), but also is grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded,” Kaspersky said in a statement Wednesday.

“No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company.”

DHS move rankles cybersecurity community

The DHS decision to publicly disclose that Kaspersky’s software could be compromised by the Russian government without producing any evidence to substantiate the claim has prompted concerns in the private cybersecurity community.

Some worry that the move could signal a crackdown on the federal government’s use of non-American cybersecurity products. It could also set a dangerous precedent, they say, that could compel other countries to place restrictions on American-made security products.

“The United States banning Kaspersky software from government systems without articulating with evidence the reason for that move provides an excuse if not justification for foreign governments to make similar actions without justification against U.S. vendors,” said Joe Slowik, senior threat analyst at industrial threat intelligence firm Dragos.

“The decision might be justifiable, but the way that it is being justified is doing nothing but harm in the long run.”

James Norton, a former DHS cyber official, said that the decision should not be seen as an action against a particular nation or company, but rather a flashpoint in a broader effort by the department — which is responsible for protecting civilian federal networks — to reevaluate the security of certain software and take corrective action where necessary.

“I think that the action taken on Wednesday is just one symptom of a larger issue of looking at holistically government networks and how we best secure them,” Norton said. “I think there are going to be other instances where the government has to take step backs rather than steps forward.”

But Norton also warned about the dangers of being too restrictive about cybersecurity software: “I think we also need to be careful not to go into a U.S.-only posture.”

The decision has bipartisan support

The decision to bar the federal government from using Kaspersky software is playing well among both Democrats and Republicans who have sounded alarm over the company.

Sen. Jeanne Shaheen (D-N.H.), who had previously introduced legislation barring the federal government from using Kaspersky software, applauded the Trump administration for “heeding” her call.

“The strong ties between Kaspersky Lab and the Kremlin are very alarming and well-documented,” Shaheen said. 

Shaheen’s measure is poised to be included in annual defense policy legislation up for a vote by the Senate next week, and would codify the DHS ban on Kaspersky into law.

Rep. Lamar Smith (R-Texas), chair of the House Science Committee, expressed support for the directive, labeling it a “crucial step toward ensuring our federal systems are not susceptible to potential cyber espionage.”

In July, Smith wrote to 22 different agencies and departments requesting information on the federal government’s use of Kaspersky software, citing concern it could be used in “espionage” or “nefarious activities against the United States.”

Kaspersky will appear before Congress

Eugene Kaspersky will have the opportunity to clear up concerns about the company in public testimony before Congress later this month.

A House Science subcommittee has requested Kaspersky’s testimony at a Sept. 27 hearing focused on oversight of the cybersecurity posture of the federal government and potential risks posed by Kaspersky Lab products to U.S. information systems.

Kaspersky has accepted the invitation, but needs an expedited visa in order to address “the allegations about my company and its products,” he said in a statement on Thursday. He is slated to testify alongside a top DHS cyber official. 

The CEO has already fumed at the U.S. government ban.

“I guess this explains it all ‘Guilty ‘til proven innocent, jailed ‘til you clear your name’ Welcome to 21st century,” he wrote on Twitter.  

Kaspersky has also offered to hand over his source code to assuage concerns about whether it can be trusted.