Senators have moved to bar the Pentagon from using software produced by a Russian-origin cybersecurity firm, underscoring suspicions of its ties to the Russian government.
The move has put the spotlight on Kaspersky Lab, a multinational company with headquarters in Moscow that produces antivirus software and has repeatedly denied having connections to Russian intelligence.
Kaspersky Lab has caught attention from lawmakers on Capitol Hill amid heightened fears over Moscow’s influence campaign during the 2016 presidential election.
{mosads}Members of the Senate Armed Services Committee are looking to use annual defense policy legislation to bar the Defense Department from using software developed by Kaspersky Lab “due to reports that the Moscow-based company might be vulnerable to Russian government influence.”
The prohibition is part of a larger effort by lawmakers to counter Russian aggression using the fiscal 2018 National Defense Authorization Act (NDAA).
The effort has generated renewed scrutiny of the company, which is widely lauded for its antivirus software and research but has generated concerns among current and former U.S. officials that it could be compromised by the Russian government.
The FBI has reportedly been moving forward with a long-running probe into the company, which included recently visiting the homes of several employees.
A spokesman for the company emphasized that Kaspersky Lab is “available to assist all concerned government organizations with any ongoing investigations, and the company ardently believes a deeper examination of Kaspersky Lab will confirm that these allegations are unfounded.”
The move by the Senate Armed Services Committee generated immediate pushback from the company’s founder, Eugene Kaspersky, as well as others in the cybersecurity community who note the lack of public evidence linking the company to Russian intelligence.
“With the U.S. and Russia at odds, somehow, my company, its innovative and proven products as well as our amazing employees are repeatedly being defamed,” Kaspersky wrote in a blog post.
“Obviously, as a private company, Kaspersky Lab and I have no ties to any government, and we have never helped, nor will help, any government in the world with their cyber-espionage efforts.”
“If the U.S. government has Intel that @kaspersky is somehow bad; make it public. Or (my opinion) it’s crap rumors and needs to stop,” Robert M. Lee, founder and CEO of cybersecurity firm Dragos, wrote on Twitter last week.
Kaspersky Lab has long fought allegations that its founder has ties to Russian intelligence services. Those claims were notably laid out in a 2015 Bloomberg News article citing his training at a KGB-sponsored school and work for a Soviet military scientific institute.
“Eugene grew up in the Soviet era, when almost every education opportunity was sponsored by the government in some manner,” a Kaspersky Lab spokesman told The Hill. “Contrary to misinformed sources, serving as a software engineer was the extent of his military experience, and he never worked for the KGB.”
Still, there are concerns within U.S. intelligence circles about the company’s products.
In May, six top U.S. intelligence officials, including CIA Director Mike Pompeo and National Security Agency (NSA) Director Mike Rogers, told the Senate Intelligence Committee they would not be comfortable with Kaspersky Lab software on their computers when asked by Sen. Marco Rubio (R-Fla.).
“A resounding no, from me,” replied acting FBI Director Andrew McCabe.
Michael O’Hanlon, a senior fellow in foreign policy at the Brookings Institution, said lawmakers are right to err on the side of caution when it comes to protecting U.S. military systems and national security assets.
He said regular Americans shouldn’t be concerned about using the antivirus software, but he would not rule out that the company could be vulnerable to influence by the Russian government when it comes to matters of national security.
“My intuition says to me that there is no clear separation of the private sector and the state in Russia,” O’Hanlon said. “Any Russian software firm is potentially a strong business organization … but I also wouldn’t trust them with national security secrets.”
To counter suspicions, Kaspersky has offered to turn over the company’s source code to the U.S. government. “We have nothing to hide,” he tweeted this week.
But Herb Lin, a cybersecurity expert at the Hoover Institution, said handing over the source code would not be enough to determine whether the antivirus software is used for spying or other offensive cyber activities. It would only shed light on how the company’s product finds malware, he said.
Ultimately, many doubt the possibility that the company’s software could have some kind of “backdoor” that could allow for spying.
“I think that it would be shocking to find a demonstrative backdoor,” said Kenneth Geers, a cybersecurity expert at the Atlantic Council and former NSA official. “It’s probably more likely there would be some quiet business partnership.”
“My guess is this fear is a little overblown … and maybe a little more about politics right now rather than reality,” Geers said.
Kaspersky Lab boasts 400 million users worldwide and has operations in nearly 200 countries and territories. The U.S. subsidiary, Kaspersky Lab North America, is based in Massachusetts and separate from the company’s headquarters in Russia.
It is unclear exactly how much business, if any, the Pentagon does with Kaspersky Lab. A Senate committee aide told reporters last week that there was no specific data available and described the move as similar to the panel’s efforts to restrict the military’s use of Russian-made rocket engines for national security space launches.
Lawmakers have raised questions about the use of Kaspersky Lab software at other government agencies as well. In May, Homeland Security Secretary John Kelly told a Senate Appropriations panel that he believes the Department of Homeland Security uses the company’s software on its systems.
The Senate panel’s version of the NDAA was completed behind closed doors last week. The House version does not include language barring the Pentagon from using Kaspersky Lab products.
House and Senate negotiators will soon meet in conference to hammer out a final bill.