Written by Patrick Howell O'Neill
The FBI has been briefing private sector companies on intelligence claiming to show that the Moscow-based cybersecurity company Kaspersky Lab is an unacceptable threat to national security, current and former senior U.S. officials familiar with the matter tell CyberScoop.
The briefings are one part of an escalating conflict between the U.S. government and Kaspersky amid long-running suspicions among U.S. intelligence officials that Russian spy agencies use the company as an intelligence-gathering tool of global proportions.
The FBI’s goal is to have U.S. firms push Kaspersky out of their systems as soon as possible or refrain from using them in new products or other efforts, the current and former officials say.
The FBI’s counterintelligence section has been giving briefings since the beginning of the year on a priority basis, prioritizing companies in the energy sector and those that use industrial control (ICS) and Supervisory Control and Data Acquisition (SCADA) systems.
In light of successive cyberattacks against the electric grid in Ukraine, the FBI has focused on this sector due to the critical infrastructure designation assigned to it by the Department of Homeland Security.
Additionally, the FBI has briefed large U.S. tech companies that have working partnerships or business arrangements with Kaspersky on products — from routers to virtual machines — that touch a wide range of American businesses and civilians.
In the briefings, FBI officials give companies a high-level overview of the threat assessment, including what the U.S. intelligence community says are Kaspersky’s deep and active relationships with Russian intelligence. FBI officials point to multiple specific accusations of wrongdoing by Kaspersky, such as a well-known instance of allegedly faking malware.
In a statement to CyberScoop, a Kaspersky spokesperson blamed those particular accusations on “disgruntled, former company employees, whose accusations are meritless” while FBI officials say, in private and away from public scrutiny, they know the incident took place and was blessed by the company’s leadership.
The FBI’s briefings have seen mixed results. Companies that utilize ICS and SCADA systems have been relatively cooperative, one government official told CyberScoop, due in large part to what’s described as an exceptional sense of urgency that dwarfs most other industries. Several of these companies have quietly moved forward on the FBI’s recommendations against Kaspersky by, for example, signing deals with Kaspersky competitors.
The firms the FBI has briefed include those that deal with nuclear power, a predictable target given the way the electric grid is increasingly at the center of catastrophic cybersecurity concerns.
The traditional tech giants have been less receptive and cooperative to the FBI’s pitch.
Earlier this year, a U.S. congressional panel asked federal government agencies to share documents on Kaspersky Lab because the firm’s products could be used to carry out “nefarious activities against the United States,” Reuters reported. That followed the General Services Administration removing Kaspersky from an approved-vendors list in early July and a congressional push to pass a law that would ban Kaspersky from being used by the Department of Defense.
Kaspersky, which has long denied ever helping any government with cyber-espionage efforts, reiterated those denials.
“If these briefings are actually occurring, it’s extremely disappointing that a government agency would take such actions against a law-abiding and ethical company like Kaspersky Lab,” a company representative told CyberScoop. “The company doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against Kaspersky Lab. The only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it’s being treated unfairly, even though the company has never helped, nor will help, any government in the world with its cyber-espionage or offensive cyber efforts.”
Russia’s Quid Pro Quo
In the briefings, FBI officials also raise the issue of Russia’s increasingly expansive surveillance laws and what they charge is a distinct culture wherein powerful Russian intelligence agencies are easily able to reach into private sector firms like Kaspersky with little check on government power.
Of particular interest are the Yarovaya laws and the System for Operative Investigative Activities (SORM), among others, which mandate broad, legally vague and permissive Russian intelligence agency access to data moving inside Russia with retention periods extending to three years. Companies have little recourse to fight back. U.S. officials point to the FSB, the KGB’s successor, as the cryptography regulator in Russia, and say it puts an office of active agents inside Russian companies.
A Kaspersky spokesperson emphasized that all information received by the company “is protected in accordance with legal requirements and stringent industry standards, including encryption, digital certificates, firewalls and more” and insisted that “the company is not subject to these laws and other government tools” like SORM.
The law unquestionably does, however, impact Russian internet and communications providers, which Kaspersky uses. And, after all, it’s the Russian “legal requirements” that raise so many eyebrows.
“If it comes to the case of Kaspersky being induced to do something which is undocumented and illegal, it’s only then we’re in a slightly different domain [than in the West] and yes, you can assume the Russian government would have ways to induce private industry to do what it wants,” Keir Giles, a Russia expert with the British think tank Chatham House, told CyberScoop. “This is extremely hard to pin down because by this very nature this official encouragement is clandestine.”
By design, there is little visibility and public understanding of this opaque world. Many of the accusations pointed at Russia are met — by Kaspersky’s defenders as well as by civil liberties activists and technologists critical of what they view as gross U.S. government overreach — with fingers pointed right back at U.S. military and spy agencies.
Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, believes Western intelligence agencies are engaged in many of the same tactics and must be similarly criticized but that “the legal and political landscape in Russia is very different.”
“The Yarovaya laws and many of the other internet-related laws in Russia were never meant to be implementable,” she told CyberScoop. “They were always meant to be overbroad, overreaching and impossible to comply with because this gives the Russian government a place to start whenever they come calling for your data. They show up, say ‘you’re already breaking the law, now what are you going to do for me?’”
Galperin’s observations on the Russian legal and political landscape mirror what U.S. officials say in private about intentionally vague laws allowing intelligence officers to have broad abilities and authorities to conduct what U.S. officials see as malicious activity.
Throughout Kaspersky’s leadership ranks, including CEO and founder Eugene Kaspersky, the company is populated with Russian former intelligence officials, some of whom are accused by Western intelligence agencies of continuing in all but name to work for the Kremlin. This is a major point of contention, because Western cybersecurity firms are largely populated by ex-intelligence community employees as well.
While much of the public focus has understandably been on Eugene Kaspersky, the U.S. intelligence community places great focus on other executives, including Chief Legal Officer Igor Chekunov. Prior to joining the company, Chekunov was a KGB officer. A Kaspersky spokesperson stressed that Chekunov’s time was “obligatory military service” equivalent to “working for customs and border protection (CBP), which is under the Department of Homeland Security (DHS).” U.S. intelligence officials say in briefings they believe the list of individuals within Kaspersky cooperating with Russian intelligence is far longer, but they’ve offered no public evidence as proof.
“Once you serve in the [Russian] intelligence services, you’re always kind of linked to them,” Zachary Witlin, a Russia analyst at the Eurasia Group, told CyberScoop. “Kaspersky is an interesting case though. Eugene built this entire company there, he and plenty of other Russians want it to succeed as a global cybersecurity company because it showcases that Russia does have the talent to have world-class software products. I don’t think they would be immune from the same sorts of oversight that incredibly powerful Russian intelligence agencies have on the rest of the country, but they would have to make a calculation about whether or not they would be putting a major company like that at irreparable risk. In a situation like this, I’m not so sure.”
In closed congressional hearings, senators have responded with some punch to the FBI’s work. The chief criticism from Congress, which is anxious to take legislative action, is that the U.S. intelligence community didn’t speak up sooner about the problem. Earlier this year, senior U.S. intelligence officials slammed Kaspersky in an open congressional hearing; Eugene Kaspersky blamed it on “political reasons” rather than any wrongdoing by his own company.
In the years since suspicion has crept up against Kaspersky, the firm has repeatedly denied that it poses a threat to U.S. security or that it cooperates with Russia or any other government to spy on users. Efforts to reach out to American authorities have repeatedly been ignored or dismissed, the company told CyberScoop.
“CEO Eugene Kaspersky has repeatedly offered to meet with government officials, testify before the U.S. Congress and provide the company’s source code for an official audit to help address any questions the U.S. government has about the company, but unfortunately, Kaspersky Lab has not received a response to those offers,” a company spokesperson said.
“The company simply wants the opportunity to answer any questions and assist all concerned government organizations with any investigations, as Kaspersky Lab ardently believes a deeper examination of the company will confirm that these allegations are completely unfounded.”
The issue of a code audit was dismissed as a “publicity stunt” earlier this year by Jake Williams, an ex-NSA employee who has called the U.S. government’s efforts against Kaspersky “purely political.”
Beyond Kaspersky, U.S. intelligence officials see a problem that encompasses all of Russia and which, more broadly, impacts relations with tech firms from other countries, most notably China. As with so many other Washington, D.C., conversations of late, however, Russia has taken nearly sole possession of the spotlight that might otherwise be spread more globally.
Update: A Kaspersky spokesperson’s comments on the nature of Chief Legal Officer Igor Chekunov’s KGB service were added.