July 3, 2017
U.S. intelligence
agencies have turned up the heat in recent days on Kaspersky Lab, the Moscow-based
cybersecurity giant long suspected of ties to Russia’s spying apparatus.
Now, official
Kremlin documents reviewed by McClatchy could further inflame the debate about
whether the company’s relationship with Russian intelligence is more than rumor.
The documents are
certifications issued to the company by the Russian Security Service, the spy
agency known as the FSB.
Unlike the
stamped approvals the FSB routinely issues to companies seeking to operate in
Russia, Kaspersky’s include an unusual feature: a military intelligence unit
number matching that of an FSB program.
“That strikes me
as much more persuasive public evidence,” said Paul Rosenzweig, a former deputy
secretary for policy at the Department of Homeland Security. “It makes it far
more likely that much of the rumor and uncertainty about Kaspersky are true.”
One of
Kaspersky's certificates that carries a military intelligence unit number.
(Greg Gordon/McClatchy/TNS)
For years,
suspicions that Kaspersky is connected to Russia’s spying apparatus have dogged
the company, a leading global seller of anti-virus programs. Founder and CEO
Eugene Kaspersky studied cryptography, programming and mathematics at an
academy operated by the KGB, the FSB’s Soviet-era predecessor, then worked for
the Ministry of Defense.
Since he
established the firm in Russia 20 years ago, Kaspersky has grown to serve more
than 400 million users worldwide, according to its website, and is the largest
software vendor in Europe. Its security software is also widely available in
the United States in Target, Walmart and other retail outlets.
Federal agencies
use it as well, with Kaspersky serving as a subcontractor on a smattering of
federal software contracts. So has, ironically, the Democratic National Committee,
even after its emails were breached last summer by Russian hackers.
But amid
investigations into Russia’s cyber meddling in last year’s U.S. elections,
concerns have grown that Kaspersky software could somehow be used to launch a
crippling cyberattack on the U.S. electric grid or other critical
infrastructure, such as railroads, airlines or water utilities. ABC News
reported in May that the FBI warned industry leaders about those risks last
year – a meeting confirmed by McClatchy.
In recent days,
two events kept Kaspersky in the news: FBI agents fanned out to interview Russian
Kaspersky employees based in the United States, and a Senate committee approved
legislation to curb federal use of the company’s products.
Even so, no proof
has ever been made public to refute the company’s vehement denials that it has
connections to Russian intelligence.
The documents
obtained by McClatchy, however, could provide additional evidence that the
clandestine FSB has a tight relationship with Kaspersky.
In a statement to
McClatchy, the company did not directly address the reference to an FSB
military unit number in several of its certificates dating to 2007. The
certificates are posted on Kaspersky’s web site.
Kaspersky said
the FSB’s certification review “is quite similar to that of many countries,”
including those of the European Union and the United States. It includes an
analysis of the company’s source code “to ensure that undeclared functionality
and security issues – like backdoors – do not exist,” the company said.
However, Russia’s
certification reviews do not require the company to divulge “the necessary
information to permit those (spy) organizations to bypass products’ security
mechanisms,” Kaspersky said.
A former Western
intelligence official who examined the documents for McClatchy described as
“very unusual” the assignment of a military intelligence number on Kaspersky’s
certificates.
In Russia’s
closed society, the FSB retains the right to access any company’s data
transmissions, and no firm is allowed to use encryption to block the
intelligence agency’s intrusions, the former Western spy said.
Kenneth Geers, a
former NATO cyber expert who is a fellow at the Washington-based Atlantic
Council, also reviewed the company’s FSB certificate.
Geers said he
could not say with certainty the degree to which the documents show a formal
connection between Kaspersky and the FSB.
But “the
suggestion is that this is a government op (operation), a unit with a direct
government affiliation,” he said.
“No one should be
surprised if there are closer relationships between IT vendors and law
enforcement, worldwide, than the public imagines,” Geers said.
Case in point:
Whistleblower Edward Snowden revealed that American telecommunications
companies shared vast amounts of personal data with the ultra-secret U.S.
National Security Agency, where Geers once worked.
It’s certainly
possible, Geers said, that Kaspersky’s software contains a secret “backdoor” to
allow Russian special services access for law enforcement and
counterintelligence purposes.
“If such a secret
backdoor exists, I would not be shocked,” Geers said. “A worldwide deployment
of sensors may be too great a temptation for any country’s intelligence
services to ignore.”
“Kaspersky may
also have been required by Russian authorities to participate in a quiet
business partnership with the government,” he said.
A former CIA
station chief in Moscow agreed that Kaspersky may have had little choice.
“These guys’
families, their well-being, everything they have is in Russia,” said Steve
Hall, who later headed the agency’s Russian operations before retiring in 2015.
Kaspersky is “a
Russian company,” Hall said. “Any time (Russian President Vladimir Putin) wants
Kaspersky to do something – anything – he’ll remind them that’s where their
families are and where their bank accounts are. There’s no doubt in my mind it
could be, if it’s not already, under the control of Putin.”
Kaspersky has
rejected any notion that it might be an intelligence front, citing its years of
delivering quality products.
“As a private
company, Kaspersky Lab has no ties to any government, and the company has never
helped, nor will help, any government in the world with its cyber espionage
efforts,” Eugene Kaspersky said in May during an “Ask Me Anything” session on
the Web site Reddit.
Indeed, many
cyber experts, including those with federal government backgrounds, have
praised the quality of Kaspersky software. The company also has a record of
exposing cyberattacks, including the U.S. government’s Stuxnet attack that
disabled Iran’s nuclear weapons development even though the Iranian equipment
wasn’t connected to the Internet.
But several other
experts said they were “not shocked” by the disclosure of the language in Kaspersky’s
FSB certificate.
“It is common
view around the intelligence community that [Kaspersky] is treated [by the
Kremlin] like an arm of the Russian government,” said a former Obama
administration cyber official, who asked for anonymity because of the sensitivity
of the matter.
Kaspersky has
gained an unwanted spotlight lately amid the Justice Department’s investigation
headed by outside Special Counsel Robert Mueller into whether the Kremlin
colluded with President Donald Trump’s 2016 campaign.
At a recent
Senate Intelligence Committee hearing in May, Sens. Marco Rubio, a Republican
from Florida, and Joe Manchin, a Democrat from West Virginia, raised concerns
about Kaspersky.
Rubio asked a
phalanx of intelligence agency chiefs sitting before the panel, “Would any of
you be comfortable with the Kaspersky Lab software on your computers?”
Before him were,
among others, the leaders of the FBI, CIA and the National Security Agency.
To a man, each
said “no.”
The FBI
interviews of Kaspersky employees occurred on June 27, in the wake of
disclosures that the company paid retired Army Lt. Gen. Michael Flynn more than
$11,000 in consulting fees last fall before he began a short-lived stint as
White House national security adviser.
The day after the
interviews, the Senate Armed Services Committee approved legislation that would
bar the Pentagon from buying Kaspersky products.
“The ties between
Kaspersky Lab and the Kremlin are very alarming,” said Democratic Sen. Jeanne
Shaheen of New Hampshire. “This has led to a consensus in Congress and among
administration officials that Kaspersky Lab cannot be trusted to protect
critical infrastructure, particularly computer systems vital to our nation’s
security.”
Her amendment to
the Defense authorization bill prohibiting Pentagon purchase of the software as
of October 2018 won overwhelming approval.
It would bar
contracts with any firm in which Kaspersky has majority ownership. It also
would require the Defense Department to sever connections with any network
associated with Kaspersky.
“This is
something that probably should have been done a while ago,” said the
unidentified U.S. government official, lamenting that “practicing cyber hygiene
is not always the best in government.”
If the ban
becomes law, there could be reverberations, a Russian news agency reported. It
quoted a top Kremlin communications official, Nikolai Nikiforov, as warning
that if the United States freezes out Kaspersky, Putin’s government could not
rule out retaliation.
A spokesperson
for the FBI declined to comment.
But the bureau
has long suspected that some of Kaspersky’s American-based employees were
engaging in intelligence activities, said a U.S. government official, who
declined to be identified because of the sensitivity of the matter.
Federal agencies
currently hold at least 20 contracts in which Kaspersky products are used. The
General Services Administration makes them available on an approved product
list for much of the government.
CDW Corp., a top
government tech contractor that has provided Kaspersky software and maintenance
through four contracts with the Consumer Safety Product Commission (as recently
as May 23), declined to say whether it plans to continue offering Kaspersky
software.
Dell Inc., the
giant computer manufacturer, offers Kaspersky in many of its products. The
company did not respond to a request for comment.
So why do federal
agencies still use Kaspersky software if there has been such uneasiness about
it inside national security circles?
“Under
acquisition rules, it is very difficult for an agency to rely on classified
information in order to make purchasing decisions,” said J. Michael Daniel,
White House cybersecurity coordinator during the Obama administration.
“A lot of
acquisition officers didn’t seek out that information because they couldn’t use
it in the decision-making process,” said Daniel, now president of the Cyber
Threat Alliance, a group committed to improving cyber defenses.
The U.S. intelligence
community’s conclusion that Russian cyber operatives pirated thousands of
emails from the Democratic National Committee beginning in 2015 helped trigger
the inquiries into possible Kremlin interference in the election.
But two months
after the DNC disclosed that its servers had been hacked – in an apparent
attempt to help prevent further intrusions – the party purchased Kaspersky
software on Aug. 25, 2016, for $137.46, according to Federal Election
Commission records. It was the only federal political committee that reported
buying Kaspersky software in the 2016 cycle, according to FEC records.
David Goldstein
and Greg Gordon