Kaspersky Lab, the Moscow-based security software provider led by Eugene Kaspersky, is facing new questions around its involvement with the Kremlin as this week Americans wait to see whether President Donald Trump signs new Russian sanctions into law.
This comes as a U.S. congressional panel last week asked 22 government agencies to share documents on Kaspersky Lab dating back to Jan. 1, 2013, including any internal risk assessments, according to Reuters. The committee also requested lists of systems using Kaspersky products and names of any U.S. government contractors or subcontractors that do so. Reuters said the committee is looking for responses by Aug. 11.
Kaspersky Lab said in a statement provided to IT Pro that the allegations of any ties to the Russian government are false, comments that echo what its founder Eugene Kaspersky said in an interview last week on MSNBC when he told journalist Richard Engel that the company has “got zero help, zero advice from Russian government.”
Still, the question on some IT pros’ minds amid the public sector pushback is whether they too should consider using an alternate security vendor. But a security expert IT Pro talked to suggests the concern is overblown, as Kaspersky Lab remains one of the most respected vendors within the security community, many of whose members gathered in Las Vegas last week for the Black Hat conference.
Andrew Hays, CTO and co-founder of Dallas-based security startup Leo Cyber Security, said that over his 20-year security career he has worked with a lot of the researchers and developers at Kaspersky Lab, calling them “some of the most respected and trusted security people on the planet.”
“People look at [Kaspersky Lab] researchers and their staff in the same way they look at Cisco or Symantec; they are a large company with a lot of knowledge and they contribute a lot back to the security community,” Hays said. Kaspersky Lab software is installed on more than 400 million PCs throughout the world, and the company recently launched free anti-virus software to help it extend its global reach.
Hays said the current politically charged climate in the U.S. with Russia has put a spotlight on Kaspersky Lab, but it is not the first time that U.S. relations with foreign governments have impacted cybersecurity vendors. For example, back in 2006, after the Dubai Ports World scandal, the Committee on Foreign Investment in the United States began to investigate the proposed acquisition of government security provider Sourcefire by Israel-based Check Point Software Technologies.
“The U.S. government looked at Sourcefire being deployed in pretty much all of their government agencies and it having very close ties to the U.S. government, but Check Point is an Israeli company,” Hays said. The entire deal was axed, and Check Point lost Sourcefire to Cisco because of the political controversy, he said.
“Russia is now perceived as a threat to the socioeconomic status of the United States and some loose threads have been pulled that are exposing some cooperation between Kaspersky and to us, a foreign intelligence service, but to them a local intelligence service; I think it’s being blown out of proportion,” Hays said.
While Hays said that Kaspersky’s market share in the U.S. could be hurt by the ongoing controversy, he noted that “we tend to have a short memory when it comes to security issues,” offering the example of people who said they wouldn’t shop at TJ Maxx or Target after the massive security breaches, only to go shopping at the respective stores weeks later.
In a statement provided to IT Pro, Kaspersky Lab said: “Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts. The company has a 20 year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy development of technologies, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations.”
“Kaspersky Lab, a private company, seems to be caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game. Eugene Kaspersky, CEO and founder of Kaspersky Lab, has repeatedly offered to meet with government officials, testify before the U.S. Congress and provide the company’s source code for an official audit to help address any questions the U.S. government has about the company. Kaspersky Lab continues to be available to assist all concerned government organizations with any investigations, and the company ardently believes a deeper examination of Kaspersky Lab will confirm that these allegations are unfounded,” the statement continued.
Does – and Should – “Made in America” Security Exist?
The reality of most security vendors today is that their teams are spread around the world, and many have development offices and consultants outside of the U.S. who are contributing code.
“I guarantee you that thorough background checks have been performed but are they as thorough as a government agency would want? Is all that information disclosed when massive partnerships are announced or deals are transpired because they’re subcontractors?” Hays said.
“What happens if someone pulls back the covers and says, ‘OK, all development has to be in the United States otherwise the government cannot allow corporations to buy a certain piece of software?’; that would be incredibly impactful to security products and vendors because it would stifle innovation and increase the cost of everything and we could see a lot of companies going out of business as a result,” he said.
The impact could go beyond putting security providers out of business and could actually affect an organization’s own bottom line. Hays said he believes the controversy could lead more organizations to start taking what he calls “an isolationist attitude” toward the software they deploy.
“It’s no longer going to be the best solution to address the problem; it will be the best solution available that has certain caveats. Will they pay more for it? Maybe. Is that a tax or a premium that is just as good as a competing product from another part of the world? It might be viewed as that; it might just be the cost of doing business,” he said.
Organizations may be naïve if they think that security vendors do not cooperate with law enforcement agencies, Hays said, pointing out that both Symantec and Microsoft have cooperated with the FBI.
“Think what you want about a security company cooperating with government but the company is beholden to its shareholders and its shareholders want to make money, and in order to make money you need to rattle the cage the loudest, and make as much noise as possible,” Hays said. “When you have a high profile takedown of a botnet or of a particular individual that you as a company contributed to that’s a feather in your cap and you want to talk about it to anyone who will listen.”
Organizations concerned about their security vendor working with law enforcement don’t have to look too hard to find evidence of it, Hays said.
“If you’re worried about your security vendor working with law enforcement and you haven’t thought about it until now, maybe check their press releases over the past couple of years or search on Google,” he said.
It is up to organizations themselves to ensure they are working with a trusted security vendor, and that determination is made during the due diligence process.
“I can’t say that organizations should implicitly trust any security vendor, let alone Kaspersky,” he said. “I think that organizations should perform their own due diligence or bring in expertise to help them see what works best for the organization and its users, customers and partners.”