Recently, there has been substantial reporting regarding potential ties between Kaspersky Lab and the Russian government. A series of public accusations from U.S. government officials certainly intimate that conclusion, which has been bolstered by some leaders of the U.S. intelligence community agencies. Furthermore, the U.S. government went as far as to remove Kaspersky Lab from two General Services Administration (GSA) lists of approved vendors used by U.S. government agencies for contracts that cover information technology services and digital photographic equipment. Leaked e-mails were alleged to solidify ties to Russian intelligence, although this was questionable at best. To add a digital nail in the coffin, the Federal Bureau of Investigation (FBI) wanted all businesses – and not just organizations tied or affiliated with the government – to stop using all Kaspersky products in general. Such overwhelming condemnation suggests that there must be some validity to the claim, but is that the case?
Despite pronouncements of illicit ties, no evidence has been offered to the public to prove or at least justify the strength of these allegations. Much of what has been provided is very much circumstantial without the important “smoking gun” to solidify these concerns. Critics of Kaspersky are quick to note that the company’s founder is among multiple Kaspersky team member trained in cyber security at an academy run by Russian intelligence. Others will cite how Kaspersky Lab has been certified by the Russian Security Service (FSB), and was given a number matching that of an FSB program.
Kaspersky Lab Responds to FBI Claims
Kaspersky has and continues to vehemently deny any and all such claims and counters this viewpoint by offering transparency. In July 2017, in an effort to prove that no collusion exists between the company and the Russian government, Kaspersky offered to provide source code to the U.S. government for auditing, as well as to testify before Congress on the subject. In December 2016, one of the company’s top cyber security investigators was arrested by Russian authorities amid charges of treason. According to the company, the nature of the individual’s very public arrest predated his employment with the firm, raising doubt over the “closeness” of the company and the government.
Notably, the company has been a leader in tracking advanced persistent threats (APT) – the malicious cyber activity suspected of being conducted, orchestrated, or directed by foreign governments. Bolstering its independent claims, Kaspersky has uncovered activity affiliated to Russian hackers, as well as from other countries as well, and has been the target of another APT group, discovering the stealthy actors entrenched on its networks in 2015. The company boasts a longstanding cooperative relationship with international law enforcement. In 2014, Kaspersky Lab extended its scope of cooperation with Interpol, and signed a memorandum of understanding with Europol. While largely as circumstantial as the evidence against it, the culmination of these points certainly backs Kasperky’s argument that the company is independent of the government.
The objections with Kaspersky Lab is similar to those levied against Chinese information technology companies Huawei and ZTE and are founded in many of the same fears of state-direction, and unverified suspicions of espionage collusion. As with those companies, there is a dearth of evidence that shows with any measure of confidence that they are engaged in espionage activities on behalf of their home governments. In the aftermath of the concern of Russian meddling in U.S. and French elections, fear of all things Russian is understandable. However, instigating a “digital red scare” without providing the solid evidence seems more of a political move than a practical one. Indeed, Kaspersky has expressed the same sentiment saying that the company is being used as a pawn in a larger geopolitical game between the Russian and U.S. governments. Since establishing Kaspersky Lab 20 years ago, the company has enjoyed tremendous financial success and growth, serving more than 400 million users worldwide and is the largest software vendor in Europe. Undoubtedly, the accusations of a government like the United States could potentially tarnish the brand and impact future sales.
What should be the solution for the Kasperskyl Lab crisis?
Instead of finger-pointing, an easier solution may be just to not buy Kaspersky Lab products for government systems. In a consumer driven marketplace, every individual and organization can purchase whatever product they want, and if an organization does not trust another, then it simply makes sense not to acquire their products and services. But publicly calling into question a company’s integrity and business practices without the evidence to support those claims is nothing short of irresponsible and petty, and may encourage equal treatment to U.S. companies at a later date. This type of escalation is not needed or helpful. In the cyber domain, there is an understandable demand for public and private partnerships that serve to strengthen their respective security environments. And that starts with a shaking hands, not slapping them away.
This is a guest post written by Emilio Iasiello.