Updated (3:25 p.m.) with a statement from Kaspersky Lab.
The U.S. government is considering sanctions against Russian cybersecurity company Kaspersky Lab as part of a wider round of action carried out against the Russian government, according to U.S. intelligence officials familiar with the matter.
The sanctions would be a considerable expansion and escalation of the U.S. government’s actions against the company. Kaspersky, which has two ongoing lawsuits against the U.S. government, has been called “an unacceptable threat to national security” by numerous U.S. officials and lawmakers.
Officials told CyberScoop any additional action against Kaspersky would occur at the lawsuits’ conclusion, which Kaspersky filed in response to a stipulation in the 2018 National Defense Authorization Act that bans its products from federal government networks.
If the sanctions came to fruition, the company would be barred from operating in the U.S. and potentially even in U.S. allied countries.
Sen. Jeanne Shaheen, D-N.H., authored legislation to ban Kaspersky, which was eventually introduced into the NDAA. In public, she’s been one of the most vocal anti-Kaspersky crusaders in U.S. government, including writing a New York Times op-ed on the subject last year. Sanctions are necessary, she said, and it’s exactly the sort of thing Congress laid the groundwork for last year.
“The evidence of close ties and cooperation between Kaspersky Lab and the Kremlin is overwhelming, which is why I led efforts in Congress to rid Kaspersky products from federal systems. Sanctioning Kaspersky Lab is a logical next step,” Shaheen told CyberScoop. “Congress provided the administration with the necessary authority to sanction Kaspersky Lab and its CEO through the Countering America’s Adversaries Through Sanctions Act. It is now time that they take this step. The administration must show no hesitancy in sending a strong message that Putin’s near-constant cyber-attacks and intrusions against U.S. and NATO systems and institutions will not be tolerated.”
The prospect of new sanctions against Russia has loomed especially large since recent U.S. military strikes against Syria, where Russian companies have been accused of aiding Syria’s chemical weapons program. The process has been publicly disjointed and dramatic.
Trump’s stated goal since he was a candidate has been to improve relations with Russia. The U.S. has enacted two rounds of sanctions against Russia in recent weeks including sanctions for 2016 election meddling and sanctions singling out Putin’s Russian allies.
The ongoing process to consider and craft sanctions against Kaspersky has thus far fallen in large part to White House Cybersecurity Coordinator Rob Joyce. Joyce’s work on the matter comes as reports surface of an ongoing power struggle inside the National Security Council to determine the future of U.S. cybersecurity policy.
The National Security Council, Treasury Department and Department of Homeland Security declined to comment.
The fact that additional sanctions against Kaspersky are now being weighed means that the company’s fortunes in the U.S. and around the world risk falling even further than they already have. The FBI has long been advising private sector firms to cut ties with the company, a policy that has directly steered American companies from completing business deals with Kaspersky in the last year.
Retailers like Best Buy removed Kaspersky from their shelves in 2017 while utility companies, power companies and even other nations followed suit. Last week, it was revealed that Twitter banned Kaspersky from advertising on the platform as a result of U.S. government statements against the company.
Controversy also enveloped the company when CyberScoop reported last month that Kaspersky research exposed an active U.S.-led counterterrorism operation targeting ISIS and al-Qaeda members in the Middle East. The revelation sparked a debate on whether private companies should publicly share research, despite indications that it could burn sensitive counterterrorism operations. Company founder and namesake Eugene Kaspersky defended the research.
Kaspersky, which has consistently denied any wrongdoing whatsoever, said the federal ban impacted only a tiny sliver of the company’s overall business. The company and Russian officials have both called the ban a “politicized decision.”
While many of the details of the U.S. government’s case against Kaspersky remain classified, officials in both the U.S. and the United Kingdom have pointed directly to Russian law as a fundamental root of Kaspersky’s problem. Analysis of Russian law has been at the heart of the U.S. government’s legal strategy in defending against Kaspersky’s ongoing lawsuits.
Western officials argue that Russia requires private enterprises, including Kaspersky, to hand data over to Russian intelligence with no court order. Kaspersky has in the past repeatedly denied that such laws apply to them.
“The reason is the Russian legal framework as much as it is about the activities of any one company,” said Ciaran Martin, the director of the UK’s National Cyber Security Centre. “Russian law works in a way that means — and this is overt and open source — the state can suborn antivirus companies to provide data in a way we view as harmful so we recommended they are not used in sensitive government networks.”
CyberScoop spoke with a Kaspersky spokesperson at a private event in San Francisco. The spokesperson said the company had “no comment.” No additional response was shared with CyberScoop prior to this article’s publication.
Moscow’s tightening grip on the internet has repeatedly stoked global controversy. The encrypted messaging app Telegram was recently banned in Russia for refusing to give the Russian government the ability to read encrypted messages. Several years beforehand, Telegram CEO Pavel Durov ran VKontakte, the largest Russian-language social media network. Durov, once a celebrated Russian tech icon, was effectively exiled from his home country for publicly refusing to cooperate with Moscow’s demands for data from and control of the website. In 2014, after a lengthy struggle, Durov sold his last stake of VKontakte to allies of Russian president Vladimir Putin.
Update: Kaspersky Lab provided CyberScoop with a statement Monday afternoon that reads: “The continued actions by the U.S. government against Kaspersky Lab lack sufficient basis, have been taken without any evidence of wrongdoing by the company, and rely upon subjective, non-technical public sources, such as uncorroborated and often anonymously sourced media reports and rumors, which is why the company has challenged the validity of these actions in federal court. Kaspersky Lab welcomes calls to declassify any credible information that can shed light on the government’s concerns regarding its operations or its products as a public good, so that the company can responsively address said concerns and the general public can better understand this matter without the ongoing obfuscation.”