Yesterday, the Trump Administration released a statement indicating that Kaspersky Lab, one of the largest security companies in the world, would no longer be allowed to sell its products or services to the federal government. At the time, it wasn’t clear why the government had taken this step, and the CEO of Kaspersky Lab, Eugene Kaspersky, has strenuously argued that his company is being treated as a pawn in a game of chess between the US and Russia.
Kaspersky told ABC News that any concerns about his product were based in “ungrounded speculation and all sorts of other made-up things,” before adding that he and his company “have no ties to any government, and we have never helped nor will help any government in the world with their cyberespionage efforts.”
Now last claim looks particularly dubious. According to emails obtained by Bloomberg Businessweek (and confirmed by Kaspersky Lab as genuine), Kaspersky’s ties to the Russian FSB (the successor to the KGB) are much tighter than have previously been reported. It has allegedly worked with the government to develop security software and worked on joint projects that “the CEO knew would be embarrassing if made public.”
It’s common — in fact, it’s practically essential — for security firms to work closely with their own governments, both in terms of providing security solutions and in actively monitoring for threats or suspicious activity. But there’s a difference between working with the federal government of your nation and acting as an agent working on behalf of that government. These leaked emails, seem to show the company slipping over that line.
The first part of the described project was a contract to build a better DDoS defense system that could be used by both the Russian government and other Kaspersky clients. Nothing unusual about that. But Kaspersky went farther, and agreed to some extremely unusual conditions. According to ABC News’ report, Kaspersky wrote that the project contained technology to protect against filter attacks, as well as implementing what researchers call “Active Countermeasures.”
But there’s more to the story. Kaspersky also provided the FSB with real-time intelligence on the hackers location and and sends experts to accompany the FSB on its investigations and raids. ABC’s source described the situation as, “They weren’t just hacking the hackers; they were banging on the doors.”
Certain members of Congress and US government intelligence agencies have both warned against using Kaspersky Lab in any sensitive government or business setting. This could easily explain why. Installing software that can phone home to a company affiliated with the FSB could be a major problem should hackers come calling. Kaspersky also sells a secure operating system, KasperskyOS, designed to run on critical infrastructure, factories, pipelines, and even self-driving cars. The US Defense Intelligent Agency has reportedly circulated internal memos warning of the risks of using Kaspersky’s system, even as the company continues to deny that any connection between itself and Russia actually exists.
One More Thing…
Some will argue that this is mere political theater. After all, didn’t ATT, Yahoo, Microsoft, Google, and a number of other companies comply with onerous requests made in dubious circumstances from the NSA and FBI? The answer, of course, is yes. But there are meaningful differences here: To the best of our knowledge, no one from Microsoft or ATT ever did a ride-along on a raid to capture a suspect. It’s also a fact that more than one company fought hard against being forced to provide such evidence, capitulating only when all of the court cases and appeals had failed.
There may not be much practical difference between the end product delivered by a company that takes a job willingly and one that takes it only under duress, but there is a moral difference. Whether its Tim Cook going to court to protect user privacy or Google promptly encrypting all of its traffic, including within the data center, more than a few US companies have taken (or tried to take) strong stances against such spying. That doesn’t make them perfect. It may not even make them worthy of praise. But it does highlight a meaningful difference between what happened in Russia and what’s happened in the United States.