Trump Administration Restricts Kaspersky Lab Product Use
Russian Anti-Virus Vendor Claims It's Been Caught Up in 'Political Game'
The Trump administration has moved to restrict the U.S. government's ability to use products built by Moscow-based cybersecurity firm Kaspersky Lab.
The move comes after persistent suggestions by the White House, as well as lawmakers and federal officials, that the company might be vulnerable to Russian government influence.
In recent days, related rumors have intensified. On Tuesday, ABC News reported that alleged ties between Kaspersky Lab and Russian intelligence and government agencies were fueling an interagency review by the White House, the Department of Homeland Security, the GSA and other federal agencies.
Later that day, a report from Bloomberg cited a 2009 email from Kaspersky Lab founder and CEO Eugene Kaspersky, referencing a "big project." The report claimed that this was in reference to work that Kaspersky Lab was doing for Russia's state security organization, the FSB.
The Moscow-based security firm has continued to refute the allegations. "Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyber espionage efforts," the company tells Information Security Media Group.
A Russian official recently stated that any attempt to ban Kaspersky Lab products by the White House or U.S. lawmakers could spark reprisals by the Russian government, which is a big user of U.S.-built hardware and software (see Russia Threatens Retaliation If U.S. Bans Kaspersky Lab).
GSA Delists Firm
Regardless, the General Services Administration - the U.S. agency that manages the federal government's IT procurement - has announced that it has dropped Kaspersky Lab from its list of approved suppliers.
"After review and careful consideration, the General Services Administration made the decision to remove Kaspersky Lab-manufactured products from GSA IT Schedule 70 and GSA Schedule 67 - Photographic Equipment and Related Supplies and Services," a GSA spokeswoman tells ISMG. "GSA's priorities are to ensure the integrity and security of U.S. government systems and networks and evaluate products and services available on our contracts using supply chain risk management processes."
Delisting: Not a Ban, Per Se
It's unclear what the real-world implications of the delisting from the so-called GSA schedule might be.
For starters, the delisting only applies to future contracts. In addition, Kaspersky Lab products have not been banned for government use, only made more difficult to procure. And it's not clear how widespread the use of the Moscow-based security firm's products might be in the U.S. government.
GSA also emphasized that the delisting is not equivalent to a ban. "Agencies make individual procurement decisions on a requirement-by-requirement basis using supply chain risk management processes and can determine how to procure needed products and services using acquisition instruments available to them," the GSA spokeswoman tells ISMG.
In other words, U.S. government agencies can still purchase Kaspersky Lab products, or products which use the company's technology. "GSA has only made the decision to not offer those products on our contracts," the spokeswoman says. "The acquisition, installation and use of any company's products and services are based on a risk determination and decision by the acquiring agency."
Rumor and Innuendo
The GSA's move follows months of rumors in U.S. government circles - and government sources speaking to U.S. media outlets on background - alleging collusion between Kaspersky Lab and the Russian government.
The FBI has launched a probe of the company's practices in the United States, NBC reports. The company's software was also the subject of a secret Department of Homeland Security memo distributed to government agencies in February, and an April warning from the Senate Intelligence Committee to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions, ABC reports.
The Senate Armed Services Committee, in its recent markup of the National Defense Authorization Act for Fiscal Year 2018, moved to ban the use of all Kaspersky Lab products by the Department of Defense.
Kaspersky Lab Cites Anti-Cybercrime Record
The Russian security firm has continued to refute allegations that it colludes with the Russian government. But it acknowledges that it sometimes assists in law enforcement investigations domestically and abroad, working with Interpol and Europol, for example, to provide malware- and cybercrime-related expertise. It says it has not received, nor would it comply with, any secret requests or projects from any government.
"The company has a 20-year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy development of technologies, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations," the company says in a statement.
"Kaspersky Lab, a private company, seems to be caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game," the statement adds. The company also notes that Eugene Kaspersky "has repeatedly offered to meet with government officials, testify before the U.S. Congress and provide the company's source code for an official audit to help address any questions the U.S. government has about the company."
Detailed Rebuttal of Serious Allegations
Kaspersky Lab also refuted numerous allegations contained in the Tuesday Bloomberg report. For example, the report claimed that the company "has developed security technology at the [Russian FSB] spy agency's behest and worked on joint projects the CEO knew would be embarrassing if made public."
Bloomberg's report, based on internal corporate emails that it obtained, also claimed that "Kaspersky provides the FSB with real-time intelligence on the hackers' location and sends experts to accompany the FSB and Russian police when they conduct raids."
In a detailed rebuttal, Kaspersky Lab said the Bloomberg report took information and emails out of context and that reporters failed to solicit its side of the story in advance of publication.
"Regardless of how the facts are misconstrued to fit in with a hypothetical, false theory, Kaspersky Lab, and its executives, do not have inappropriate ties with any government," the company says in a statement. "The company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime."
Kaspersky Lab also said the supposed project for the FSB referenced a distributed denial-of-service attack defense tool. The company, which is private, said it began building the tool to sell to customers after the FSB warned that Russian businesses were being hit hard by DDoS attacks.
The firm also reiterated that it regularly assists law enforcement agencies at home and abroad. "When assisting in official Russian cybercrime investigations, in accordance with Russian law, we only provide technical expertise throughout the investigation to help them catch cybercriminals," Kaspersky Lab said.
Sometimes, that assistance includes ride-alongs. "Concerning raids and physically catching cybercriminals, Kaspersky Lab might ride along to examine any digital evidence found, but that is the extent of our participation, as we do not track hackers' locations," it says. "Kaspersky Lab doesn't provide any government agencies, nor other parties, with information on location of people and doesn't gather 'identifying data from customers' computers' because it is technically impossible."
Conspiracy Theory Flaw
Despite the apparent White House brouhaha over the Russian government potentially using Kaspersky Lab as an attack vector against America, it's unclear that such a strategy would succeed. Certainly it was not necessary for Russia to do this in its alleged disruption of the 2016 U.S. presidential election.
In fact, many information security experts say that any attempt to compel domestic anti-virus software developers to aid their government by adding backdoors or malware exceptions would be unlikely to succeed, not to mention a potential death sentence for the business involved (see Anti-Virus Conspiracy Theories Cut Both Ways).
Instead, some experts say that it is much more likely that intelligence agencies would discover or purchase details about flaws in anti-virus software that they could then surreptitiously exploit via targeted attacks (see Yes Virginia, Even Security Software Has Flaws).