The Department of Homeland Security is banning US government agencies from using any products or services created by Kaspersky Lab, an industry-leading Russian cybersecurity company.
The move is the culmination of a months-long campaign by Washington figures against the company. But key executives of competing companies said they believed Kaspersky was getting a raw deal.
“The reason all this drama is happening is because there were articles that came out indicating that Kaspersky had ties to the Russian government,” said Dan Tentler, founder of Phobos Group. “And while there haven't been articles that have come out saying the same thing about US-based companies, you have to understand that it's gotta be true of us here as well.”
In a statement provided to BuzzFeed News after the DHS announcement, Kaspersky said that it “has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues.”
Issuing a binding operational directive on Wednesday, DHS instructed all federal agencies to identify the Kaspersky products in use on government systems within the next 30 days and to be prepared to remove those products within 90 days. A DHS official told BuzzFeed News the government does not know how widely Kaspersky's products are used.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” DHS announced. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.”
It’s common for cybersecurity companies around the world to help identify world governments’ spying activity, and numerous US firms keep a keen eye on the US’s biggest adversaries in cyberspace, like China and Russia.
But no firm has done as much to identify such activities by US agencies, in particular the National Security Agency, as has Kaspersky. It hired the first known researcher to discover Stuxnet, the malware widely believed to be a joint US–Israeli operation credited with damaging Iran's nuclear centrifuges. Kaspersky also has published significant research on an advanced hacker group it calls Equation Group, widely believed to be part of the NSA.
Kaspersky himself was trained by the KGB, the FSB’s predecessor state security agency, and heavily staffs his company with former FSB and KGB analysts.
The move to ban Kaspersky products on federal computers is the culmination of months of distrust of Kaspersky from figures in Washington, all tinged with the allegation that the company has inappropriate ties with or can be compromised by Russian intelligence agencies.
Democratic Sen. Jeanne Shaheen of New Hampshire, citing classified information, has pushed for legislation to ban the government from using Kaspersky software. At a Senate Intelligence Committee hearing in May, six of the US’s top intelligence officials, including the directors of the CIA and the National Security Agency, said they would not be comfortable personally using Kaspersky software.
In July, Bloomberg Businessweek published internal emails from 2009 in which founder and CEO Eugene Kaspersky told executives that the company was embarking on a new project at the behest of the FSB. Kaspersky responded that it and its employees “do not have inappropriate ties with any government. The company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime.”
David Kennedy, founder of Cleveland-based TrustedSec, told BuzzFeed News that there has "never" been any evidence presented publicly that Kaspersky has direct ties to the Russian government, though he said some evidence might have been presented in private.
“The truth is we don’t know if Kaspersky has direct ties," he said.
On Friday, after news broke that the FBI had reportedly urged American retailers to stop selling Kaspersky products, Best Buy became the first major American retailer to stop selling them. Several other retailers that carry Kaspersky, including Amazon and Newegg, declined to confirm to BuzzFeed News that they were committed to continue selling the firm's products. A spokesperson for Target said that “we currently carry Kaspersky products in Target stores and are reviewing this, given today’s news.”
But the company hasn’t given up. “The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit,” Kaspersky's statement said.
Reached for comment soon after the DHS statement, a Kaspersky spokesperson indicated that despite grumblings from the US, the ban caught the company off guard.
“It’s such a tight turnaround for us! This is amazing. I can’t believe we didn’t get more advance [notice],” she said.
Kevin Collier is a cybersecurity correspondent for BuzzFeed News and is based in New York.
Contact Kevin Collier at firstname.lastname@example.org.
Got a confidential tip? Submit it here.