U.S. intelligence agencies have turned up the heat in recent days on Kaspersky Lab, the Moscow-based cybersecurity giant long suspected of ties to Russia’s spying apparatus.
Now, official Kremlin documents reviewed by McClatchy could further inflame the debate about whether the company’s relationship with Russian intelligence is more than rumor.
The documents are certifications issued to the company by the Russian Security Service, the spy agency known as the FSB.
Unlike the stamped approvals the FSB routinely issues to companies seeking to operate in Russia, Kaspersky’s include an unusual feature: a military intelligence unit number matching that of an FSB program.
“That strikes me as much more persuasive public evidence,” said Paul Rosenzweig, a former deputy secretary for policy at the Department of Homeland Security. “It makes it far more likely that much of the rumor and uncertainty about Kaspersky are true.”
For years, suspicions that Kaspersky is connected to Russia’s spying apparatus have dogged the company, a leading global seller of anti-virus programs. Founder and CEO Eugene Kaspersky studied cryptography, programming and mathematics at an academy operated by the KGB, the FSB’s Soviet-era predecessor, then worked for the Ministry of Defense.
Since he established the firm in Russia 20 years ago, Kaspersky has grown to serve more than 400 million users worldwide, according to its website, and is the largest software vendor in Europe. Its security software is also widely available in the United States in Target, Walmart and other retail outlets.
Federal agencies use it as well, with Kaspersky serving as a subcontractor on a smattering of federal software contracts, So has, ironically, the Democratic National Committee, even after its emails were breached last summer by Russian hackers.
But amid investigations into Russia’s cyber meddling in last year’s U.S. elections, concerns have grown that Kaspersky software could somehow be used to launch a crippling cyberattack on the U.S. electric grid or other critical infrastructure, such as railroads, airlines or water utilities. ABC News reported in May that the FBI warned industry leaders about those risks last year – a meeting confirmed by McClatchy.
In recent days, two events kept Kaspersky in the news: FBI agents fanned out to interview Russian Kaspersky employees based in the United States, and a Senate committee approved legislation to curb federal use of the company’s products.
Even so, no proof has ever been made public to refute the company’s vehement denials that it has connections to Russian intelligence.
The documents obtained by McClatchy, however, could provide additional evidence that the clandestine FSB has a tight relationship with Kaspersky.
Kaspersky said the FSB’s certification review “is quite similar to that of many countries,” including those of the European Union and the United States. It includes an analysis of the company’s source code “to ensure that undeclared functionality and security issues –- like backdoors – do not exist,” the company said.
However, Russia’s certification reviews do not require the company to divulge “the necessary information to permit those (spy) organizations to bypass products’ security mechanisms,” Kaspersky said.
A former Western intelligence official who examined the documents for McClatchy described as “very unusual” the assignment of a military intelligence number on Kaspersky’s certificates.
In Russia’s closed society, the FSB retains the right to access any company’s data transmissions, and no firm is allowed to use encryption to block the intelligence agency’s intrusions, the former Western spy said.
Kenneth Geers, a former NATO cyber expert who is a fellow at the Washington-based Atlantic Council, also reviewed the company’s FSB certificate.
Geers said he could not say with certainty the degree to which the documents show a formal connection between Kaspersky and the FSB.
But “the suggestion is that this is a government op (operation), a unit with a direct government affiliation,” he said.
“No one should be surprised if there are closer relationships between IT vendors and law enforcement, worldwide, than the public imagines,” Geers said.
A WORLDWIDE DEPLOYMENT OF SENSORS MAY BE TOO GREAT A TEMPTATION FOR ANY COUNTRY’S INTELLIGENCE SERVICES TO IGNORE.
Kenneth Geers, former NATO cyber expert
Case in point: Whistleblower Edward Snowden revealed that American telecommunications companies shared vast amounts of personal data with the ultra-secret U.S. National Security Agency, where Geers once worked.
It’s certainly possible, Geers said, that Kaspersky’s software contains a secret “backdoor” to allow Russian special services access for law enforcement and counterintelligence purposes.
“If such a secret backdoor exists, I would not be shocked,” Geers said. “A worldwide deployment of sensors may be too great a temptation for any country’s intelligence services to ignore.”
“Kaspersky may also have been required by Russian authorities to participate in a quiet business partnership with the government,” he said.
A former CIA station chief in Moscow agreed that Kaspersky may have had little choice.
“These guys’ families, their well-being, everything they have is in Russia,” said Steve Hall, who later headed the agency’s Russian operations before retiring in 2015.
Kaspersky is “a Russian company,” Hall said. “Any time (Russian President Vladimir Putin) wants Kaspersky to do something – anything – he’ll remind them that’s where their families are and where their bank accounts are. There’s no doubt in my mind it could be, if it’s not already, under the control of Putin.”
Kaspersky has rejected any notion that it might be an intelligence front, citing its years of delivering quality products.
“As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyber espionage efforts,” Eugene Kaspersky said in May during an “Ask Me Anything” session on the Web site Reddit.
Indeed, many cyber experts, including those with federal government backgrounds, have praised the quality of Kaspersky software. The company also has a record of exposing cyberattacks, including the U.S. government’s Stuxnet attack that disabled Iran’s nuclear weapons development even though the Iranian equipment wasn’t connected to the Internet.
AS A PRIVATE COMPANY, KASPERSKY LAB HAS NO TIES TO ANY GOVERNMENT, AND THE COMPANY HAS NEVER HELPED, NOR WILL HELP, ANY GOVERNMENT IN THE WORLD WITH ITS CYBER ESPIONAGE EFFORTS.
Company founder Eugene Kaspersky during a session on website Reddit
But several other experts said they were “not shocked” by the disclosure of the language in Kaspersky’s FSB certificate.
“It is common view around the intelligence community that [Kaspersky] is treated [by the Kremlin] like an arm of the Russian government,” said a former Obama administration cyber official, who asked for anonymity because of the sensitivity of the matter.
Kaspersky has gained an unwanted spotlight lately amid the Justice Department’s investigation headed by outside Special Counsel Robert Mueller into whether the Kremlin colluded with President Donald Trump’s 2016 campaign.
At a recent Senate Intelligence Committee hearing in May, Sens. Marco Rubio, a Republican from Florida, and Joe Manchin, a Democrat from West Virginia, raised concerns about Kaspersky.
Rubio asked a phalanx of intelligence agency chiefs sitting before the panel, “Would any of you be comfortable with the Kaspersky Lab software on your computers?”
Before him were, among others, the leaders of the FBI, CIA and the National Security Agency.
To a man, each said “no.”
The FBI interviews of Kaspersky employees occurred on June 27, in the wake of disclosures that the company paid retired Army Lt. Gen. Michael Flynn more than $11,000 in consulting fees last fall before he began a short-lived stint as White House national security adviser.
The day after the interviews, the Senate Armed Service Committee approved legislation that would bar the Pentagon from buying Kaspersky products.
“The ties between Kaspersky Lab and the Kremlin are very alarming,” said Democratic Sen. Jeanne Shaheen of New Hampshire. “This has led to a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure, particularly computer systems vital to our nation’s security.”
Her amendment to the Defense authorization bill prohibiting Pentagon purchase of the software as of October 2018 won overwhelming approval.
It would bar contracts with any firm in which Kaspersky has majority ownership. It also would require the Defense Department to sever connections with any network associated with Kaspersky.
“This is something that probably should have been done a while ago,” said the unidentified U.S. government official, lamenting that “practicing cyber hygiene is not always the best in government.”
If the ban becomes law, there could be reverberations, a Russian news agency reported. It quoted a top Kremlin communications official, Nikolai Nikiforov, as warning that if the United States freezes out Kaspersky, Putin’s government could not rule out retaliation.
A spokesperson for the FBI declined to comment.
But the bureau has long suspected that some of Kaspersky’s American-based employees were engaging in intelligence activities, said a U.S. government official, who declined to be identified because of the sensitivity of the matter.
Federal agencies currently hold at least 20 contracts in which Kaspersky products are used. The General Services Administration makes them available on an approved product list for much of the government.
CDW Corp., a top government tech contractor that has provided Kaspersky software and maintenance through four contracts with the Consumer Safety Product Commission (as recently as May 23), declined to say whether it plans to continue offering Kaspersky software.
Dell Inc., the giant computer manufacturer, offers Kaspersky in many of its products. The company did not respond to a request for comment.
So why do federal agencies still use Kaspersky software if there has been such uneasiness about it inside national security circles?
“Under acquisition rules, it is very difficult for an agency to rely on classified information in order to make purchasing decisions,” said J. Michael Daniel, White House cybersecurity coordinator during the Obama administration.
“A lot of acquisition officers didn’t seek out that information because they couldn’t use it in the decision-making process,” said Daniel, now president of the Cyber Threat Alliance, a group committed to improving cyber defenses.
The U.S. intelligence community’s conclusion that Russian cyber operatives pirated thousands of emails from the Democratic National Committee beginning in 2015 helped trigger the inquiries into possible Kremlin interference in the election.
But two months after the DNC disclosed that its servers had been hacked – in an apparent attempt to help prevent further intrusions – the party purchased Kaspersky software on Aug. 25, 2016, for $137.46, according to Federal Election Commission records. It was the only federal political committee that reported buying Kaspersky software in the 2016 cycle, according to FEC records.
A DNC spokesman did not respond to a request for comment.
For its part, the company publishes a blog that advises consumers about computer viruses. The U.S. government official said, though, that in the past Kaspersky has aroused suspicions as to why it warns about some computer bugs, but not others.
The firm’s presence has become so embedded in the U.S. economy that the company sponsors a Ferrari Formula One racing team, robotic competitions for children and is among the corporate sponsors of an upcoming conference of the National Conference of State Legislatures.
“They have a big public relations wing,” said the U.S. government official who spoke on condition of anonymity. “They’re fully aware they’re under the microscope.”