Written by Chris Bing

A former senior U.S. official blocked Moscow-based cybersecurity firm Kaspersky Lab from joining a prominent trade group made up of U.S.-based cybersecurity companies earlier this year, multiple people with knowledge of the proposed deal tell CyberScoop.

When Kaspersky representatives approached the Cyber Threat Alliance (CTA) — a U.S.-based not-for-profit membership organization largely made up of American technology firms who voluntarily share threat intelligence with one another — the group’s leader, Michael Daniel, quietly turned the company away, the sources said. Daniel is a former White House cybersecurity coordinator.

“It didn’t really go anywhere because they got Heisman-ed from the get go,” one source described, referencing the college football trophy that represents a player forcefully pushing someone out of the way.

Daniel spoke with CyberScoop and acknowledged that Kaspersky had shown interest in joining the CTA. Kaspersky is not currently a member.

The choice to exclude Kaspersky alludes to knowledge of the U.S. government’s dealings with the Russian company that have since come to public light.

Daniel, who played a key role in coordinating the U.S. intelligence community’s cyber-operations during the Obama administration, declined Kaspersky’s advances because he knew that a looming battle between the U.S. government and the Russian cybersecurity firm had been stirring behind closed doors for some time and that it could escalate at any minute, the sources said.

Daniel became the CTA’s first president in Feb. 2017 shortly after the inauguration of President Donald Trump. Over the last eight months, the nonprofit has grown substantially under Daniel’s leadership, said Jeff Greene, senior director of global government affairs and policy with Symantec, a founding member of CTA.

This previously unreported, private conversation between the CTA and Kaspersky occurred prior to public revelations and media reports alleging that Kaspersky acts as a digital espionage tool for Russian intelligence agencies — a charge the company repeatedly denied. Kaspersky CEO Eugene Kaspersky recently said it’s possible that his company had been exploited by spies without his knowledge or blessing.

The individuals who spoke with CyberScoop for this story did so on condition of anonymity in order to discuss a confidential decision.

Daniel, in an interview with CyberScoop, declined to discuss how or why he specifically rejected Kaspersky’s interest. He did say, however, that the experiences and knowledge he took from government are today helping him make educated decisions when it comes to accepting and declining potential members. During his time at the White House, Daniel would have had access to classified information concerning foreign digital espionage.

“Trust is extremely important to us,” said Daniel about the CTA. “We’re highly aware of what could happen if we just allowed anybody into this process … we expect our members to contribute as much as they receive.”

He continued, “and that extends to data integrity as well … We are cognizant of what could happen if someone were to, you know, poison the well or do something else malicious to affect our data.”

The CTA, which has grown to 14 members, is one of the largest nonprofit organizations actively facilitating the exchange of threat intelligence between the private sector and, on occasion, the U.S. government. It includes representation from some of the industry’s most prominent brands, including Symantec, Palo Alto Networks, Check Point Technologies, Cisco, Fortinet and RSA — nearly all of which have invested in recent years in recruiting talent from the NSA, CIA and Department of Defense.

Kaspersky spokespeople say the company’s relationship with the Russian government is focused on combating cybercrime.

Executives from CTA member companies said Wednesday during a conference in Washington, D.C. that admission to the group can provide a valuable market advantage that could one day help edge out other competitors. Because the group is structured like a private club, where only members provide and can access each others active reports containing technical indicators about active cyberattacks, the CTA’s growth has the ability to significantly impact the overall market in the future.

While most CTA members and affiliates are American companies, some are headquartered in allied countries, like Israel.

Daniel told CyberScoop that nationality does not affect a company’s application to join the CTA — unless it were based in a sanctioned country — but rather each potential participant is judged on a case-by-case basis which includes a review of that firm’s business and management connections.

CTA members are judged and admitted to the program based on their ability to provide a continuous stream of valuable data regarding unique malware samples, active threats and specific hacking groups. It’s because members consistently contribute such information that the CTA is seen as useful to the industry and attractive to potential members.

Although Kaspersky’s public image at the moment makes it seem like Daniel had a simple choice concerning the Russian firm, the decision carried considerable weight in early 2017.

Experts agree that beyond the current controversy, Kaspersky remains one of the best firms in the business when it comes to capturing cyberthreat intelligence.