Dogged by rumors of a nefarious relationship with Russia’s intelligence services and reeling from its removal as a General Services Administration-approved vendor, the Russian cybersecurity firm Kaspersky Lab has already weathered a rough couple of months. But the company’s troubles are just beginning.
The Senate will soon consider a provision in the National Defense Authorization Act that bans the use of Kaspersky software, hardware, or services in all federal agencies—a stunning setback for a company with global market share and an open desire to manage the federal government’s cybersecurity infrastructure. House lawmakers appear to be moving more slowly, but no less methodically, toward a similar goal.
It’s unlikely to end there. Dave Aitel, the chief executive of security consulting firm Immunity Inc., expects that the Kaspersky ban will eventually include firms operating federally designated critical infrastructure, including banks and power companies.
“One of our big customers is a big bank, and we’re having to advise them that now is the time to start finding another supplier,” Aitel said, adding that the bank in question is among the top five trading banks. He explained that there are multiple regulatory mechanisms through which the federal government can pressure companies operating critical infrastructure to dump Kaspersky, and predicted the ultimate impact will extend “way beyond” the federal government.
Several lawmakers refused to rule out an eventual critical-infrastructure prohibition on Kaspersky. “Anything that’s critical to our national defense—economics, financial, infrastructure,” said West Virginia Democratic Sen. Joe Manchin when asked whether he’d support such a provision. In May, Manchin asked the Homeland Security Department to provide a report on its use of Kaspersky products.
California Republican Rep. Adam Schiff, the ranking member on the House Intelligence Committee, had a similar response. “I guess the bottom line for me is, is any of this data you’d be concerned about the Russian government having?” Schiff said. “If it is, then I wouldn’t recommend the use of Kaspersky.”
Driving the crackdown is an escalating sense in Washington that the Moscow-based company is a Trojan horse for Russian spies seeking a backdoor into America’s most sensitive computer networks. U.S. cybersecurity analysts are split on this notion, with some wondering whether Kaspersky is a civilian casualty of the new Cold War playing out between Russia and the United States. But there’s little ambiguity among lawmakers in either party, many of whom mutter darkly about new classified intelligence that’s prompted serious cause for concern.
There are also signs that Congress’s worries over Kaspersky arose well before tensions increased. Texas Republican Michael McCaul, chairman of the House Homeland Security Committee, told National Journal that concern over Kaspersky predates the Ukraine crisis and more recent strains to the U.S.-Russia relationship.
“[Eugene] Kaspersky’s a Russian,” the chairman said. “And his affiliation with the Russian government—they’re obviously one of our biggest foreign adversaries in cyberspace, so there’s always been that concern.”
“But I think now more has come out,” McCaul added. “I can’t really get into it.”
Founded in 1997, Kaspersky quickly established itself as a mainstay in the global cybersecurity marketplace. With more than $619 million in annual revenue in 2015, and over 400 million users and 3,500 employees worldwide, the antivirus firm is Russia’s premier software exporter. Analysts have long given high marks to Kaspersky for its forensic analysis of cyberattacks, which many still view as the best in the business.
But there have long been suspicions surrounding the company’s ties to Moscow. Eugene Kaspersky, the company’s founder, studied cryptography and programming at a KGB-operated academy before taking a job at the Russian ministry of defense. Despite 20 years of private-sector experience since then, some have continued to question whether he ever truly left the government’s orbit.
During a May meeting of the Senate Intelligence Committee, Florida GOP Sen. Marco Rubio asked the heads of six U.S. intelligence agencies whether they would be comfortable using Kaspersky products. All six said no. Later that month, an ABC News report said the Senate Intelligence Committee had received a classified briefing on Kaspersky’s activities. In June, multiple reports indicated that FBI agents had visited the homes of more than 10 Kaspersky employees based in the United States. By mid-July, GSA had removed Kaspersky from a list of preferred federal vendors, though it cited no specific reason for doing so.
Kaspersky’s removal from the GSA schedule doesn’t ban federal agencies from purchasing the company’s products, nor does it force the agencies now using the products to stop. And no one—neither in Congress nor at the agencies themselves—seems to know the scope of Kaspersky’s use at the federal level.
But many lawmakers are convinced that the problem is widespread, and they’re looking to remove Kaspersky from sensitive federal systems. In late June, New Hampshire Democratic Sen. Jeanne Shaheen added an amendment to the NDAA that would ban the Pentagon’s use of Kaspersky products. Republican lawmakers on the Senate Armed Services Committee—including Mike Rounds, chairman of the panel’s cybersecurity subcommittee—have been broadly supportive of that push. House Armed Services Committee Chairman Mac Thornberry of Texas told National Journal that he was “sympathetic” to Shaheen’s Kaspersky amendment.
On Friday Shaheen upgraded her amendment into a blanket, federal-wide ban on all Kaspersky products. The senator’s move coincided with a letter sent the day before to 22 federal agencies by Texas GOP Rep. Lamar Smith, chairman of the House Committee on Space, Science, and Technology. Smith asked the agencies to provide a full accounting of their use of Kaspersky products, citing concerns that they “could be used as a tool for espionage, sabotage, or other nefarious activities against the United States.”
Eugene Kaspersky vehemently denies those “nefarious activities.” A company statement provided to National Journal notes the Kaspersky founder has offered to testify before Congress and invited lawmakers to examine his firm’s source code. “Kaspersky Lab, a private company, seems to be caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game,” the statement read.
But David O’Brien, a senior cybersecurity researcher at Harvard University, said a clean source code wouldn’t prove anything. “Just because we can’t find any offensive weapons embedded into it right now doesn’t mean that there might not be in the future,” he said. Because antivirus software relies on constant updates, O’Brien explained that Kaspersky could work a backdoor into its products at a later date—perhaps by purposely omitting code that could detect a Russian intrusion. “If there’s a missing signature and it happens to be one that could’ve caught some Russian malware, that would be a really bad thing for the U.S. government,” he said.
Aitel, who is also a former National Security Agency researcher, said the rapid moves against Kaspersky by GSA and on Capitol Hill are signs that the U.S. government isn’t merely acting out of an abundance of caution. “You don’t get blacklisted for hypotheticals,” he said. “You get blacklisted because you did something.”
Still, some cybersecurity analysts remain sympathetic to Kaspersky’s plight. “I think these questions are arising, probably, from the toxic political environment that exists,” said Kenneth Geers, a cybersecurity researcher at the Atlantic Council and former NSA official. “Kaspersky might just be caught in the crossfire.”
Regardless of the rationale, nearly all observers agree that an American clampdown on Russia’s premier software exporter will spur a backlash. The Russian government’s new, largely untested cybersecurity law could be brought to bear against Microsoft and other American companies operating in the country. And the balkanization of the global tech industry—which analysts say is already quickening worldwide—will only accelerate further.
“I think the precautionary principle is starting to kick in. Unless you can absolutely prove that you’re not complicit in some way, then we can’t use you,” said Steve Weber, a cybersecurity researcher at the University of California, Berkeley. In addition to Kaspersky, Weber pointed to the effective blacklisting of Chinese telecom firm Huawei in the United States and China’s own recent crackdown on Apple.
“Maybe 10 years from now we’ll look back on it and say the period from 1995 to 2015 was actually the exception to the rule,” Weber said. “Because it was a time where this kind of essential infrastructure actually was much more globalized than these kinds of things have been throughout history.”