Is software from Moscow-based Kaspersky Lab a threat to national security? Federal officials say yes, but so far they haven’t disclosed the evidence behind their suspicions.
Software made by Kaspersky, which has its US headquarters in Woburn, was banned from computers of US government agencies by the Department of Homeland Security Wednesday. The leaders of the nation’s intelligence community and the senior US senator from New Hampshire all warn that Kaspersky’s antimalware products, designed to protect computers from viruses and ransomware, could be used by Russian agents to steal sensitive information.
But so far they have presented no proof the company is a stooge of Russian intelligence services. The reason? It’s classified.
Advertisement
Democratic US Senator Jeanne Shaheen , a member of her chamber’s Foreign Relations and Armed Services committees, said that she has seen the government’s evidence against Kaspersky and is in favor of declassifying it so the public can, too.
“There is an overwhelming case against Kaspersky,” said Shaheen.
Moreover, Shaheen argued there are other reasons to bar Kaspersky software from government computers. She cited a Russian law which gives that country’s investigators the right to demand access to all information stored on a company’s computer systems.
“Why would we want a company that is subject to such laws to be dealing with sensitive information from the US government?” Shaheen asked.
Shaheen also cited press reports that indicate Kaspersky’s close ties with the Kremlin, including a Bloomberg News story from July. That report featured leaked e-mails from company founder Eugene Kaspersky, in which he described working directly with agents of the Russian intelligence services to develop software for defending against certain kinds of Internet attacks. Bloomberg also cited unnamed sources who said that Kaspersky executives worked directly with Russia’s FSB security service in cybercrime investigations. One of these executives, Ruslan Stoyanov, was arrested in Russia on treason charges in December.
Advertisement
Homeland Security did not return requests for more details on its Kaspersky ban. The General Services Administration, the federal agency that manages all US government purchases, also did not respond to requests for comment. In July, the GSA removed Kaspersky from its list of approved products, meaning that the government was barred from buying new copies of the software.
Christopher Burgess, a former officer of the Central Intelligence Agency and coauthor of a book on intellectual property protection, said the US government is right to stop using Kaspersky products. But he acknowledged the US intelligence community has not presented hard evidence that Kaspersky’s software is being used to steal intelligence from government computers, and believes there is a good reason why it hasn’t.
“I am guessing that there is a more substantive smoking gun within the US government’s research,” said Burgess, who speculated the information cannot be revealed without compromising the sources that provided it.
But Philip Chertoff of the cybersecurity program at the GLOBSEC Policy Institute, a think tank sponsored by the European Union and NATO, is much more skeptical of the Kaspersky ban.
“Certain people are assigning malice to Kaspersky simply because they’re a Russian company,” Chertoff said. “That’s very dangerous rhetoric to use.”
He warned the Kaspersky ban will trigger retaliation by the Russians against American technology companies. Since the United States is a leader in many technology markets, a retaliatory response “can do more damage to the US than to Russia.”
Advertisement
Kaspersky is just the latest foreign technology company to face skeptical scrutiny from the US government. Recent years have seen a host of similar controversies.
For example, the Chinese telecom firm Huawei, best known in the United States for its cellphones, also makes high-end switches and routers that run corporate networks and the Internet. But in 2012, a report from the Permanent Select Committee on Intelligence in Congress warned of close ties between Huawei and the Chinese military. The report said that the Chinese might build back doors into Huawei products, allowing spies to tap into vast amounts of online data. The US government refused to buy Huawei products. Though business were free to keep buying, few did, and demand for Huawei gear stagnated.
In a more recent case, the US Army in August banned the use of remote-controlled aircraft from Chinese drone maker DJI, saying it had uncovered “cyber vulnerabilities” that made DJI products unsecure and unreliable. It’s unclear whether US government skepticism will affect private sector purchases of DJI drones.
But Kaspersky may already be losing out with consumers. The major electronics retailer Best Buy stopped carrying the company’s products earlier this month.
Hiawatha Bray can be reached at hiawatha.bray@globe.com. Follow him on Twitter @GlobeTechLab.