Congress Casts A Suspicious Eye On Russia's Kaspersky Lab

Enlarge this image toggle caption Alexander Zemlianichenko Jr./Bloomberg via Getty Images Alexander Zemlianichenko Jr./Bloomberg via Getty Images

Other than vodka, the Russian product most familiar to Americans is probably the anti-virus software made by Moscow-based Kaspersky Lab.

Best Buy loads some of the computers it sells with Kaspersky Lab software. The Federal Bureau of Prisons confirms to NPR that it uses the company's products. So do many state and local government entities. (Kaspersky Lab is also among NPR's financial supporters.)

But should legislation recently approved by both the House and Senate Armed Services Committees become law, the U.S. military would be barred from owning or using any products made by Kaspersky.

U.S. lawmakers have become increasingly wary of the Russian cybersecurity firm possibly doing the will of the Kremlin. At a May Senate Intelligence Committee hearing, six intelligence agency chiefs seated at the witness table got put on the spot about Kaspersky.

"Kaspersky Lab software is used by, if not hundreds of thousands, millions of Americans," Florida Republican Marco Rubio told the spy chiefs. "To each of our witnesses I would just ask, would any of you be comfortable with a Kaspersky Lab software on your computers?"

"A resounding no from me," replied Director of National Intelligence Dan Coats.

"No," said National Security Agency Director Admiral Mike Rogers.

"No, Senator," was CIA Director Mike Pompeo's reply.

"No, sir," answered Acting FBI Director Andrew McCabe.

"No, Senator," chimed in Defense Intelligence Agency Director Lt. Gen. Vincent Stewart.

National Geospatial-Intelligence Agency Director Robert Cardillo rounded out the replies: "No, sir."

Kaspersky's Russian roots

That chorus of noes comes as no surprise to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a nonpartisan Washington security-issues think tank. He notes that Eugene Kaspersky, the firm's founder and top executive, studied at a KGB cryptography institute and served in the Soviet military.

"And he still has a company that operates out of Moscow," Lewis adds. "So for an intelligence agency, those are gonna be red flags."

Lewis says his own doubts about Eugene Kaspersky grew after a conversation with a former Russian ambassador to the United Nations.

"One day [the ambassador] came up to me and he said, 'In Russia we have saying that once you are a member of security service, you never leave.' And I said, 'Well, that's not true in the U.S.' And he said, 'Well, it should be,' " Lewis recalls.

"And then he walked off, and as he was walking away from me, I thought, what did he just tell me about Eugene Kaspersky?"

YouTube

The Russian cyber empresario has mounted his own counteroffensive.

"I respectfully disagree with their opinion, and I'm very sorry these gentlemen can't use the best software on the market because of political reasons," Kaspersky declared on Reddit's Ask Me Anything forum the same day the intelligence chiefs publicly rejected his company's products.

"Once again, I think that due to political reasons, these gentlemen don't have an option," Kaspersky said, "and are deprived from the opportunity to use the best endpoint security on the market without any real reason or evidence of wrongdoing from our side."

Kaspersky added he would "be very happy to testify in front of the Senate" and answer any questions put to him.

In a separate statement emailed to NPR, a Kaspersky Lab spokesman rejected the legislation banning Pentagon use of its products.

"The company has a 20-year history in the IT security industry of always abiding by the highest ethical business practices," it reads in part, "and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations."

The company did not make its CEO available to talk to NPR, but Kaspersky did speak with the Associated Press after the armed forces panels moved against his firm.

"We stay on the bright side," he told the AP, "and never, never, never go to the dark side."

He also confirmed in that interview that there are former Russian spies on the company's staff and that FBI agents recently visited "some" Kaspersky employees in the U.S.

The industry view

Some industry insiders who know the company well stand by it.

"Kaspersky, in the cybersecurity community, has a very good name," says Rick Holland, who tracked the firm for years at Forrester Research.

"I know many people that work there, I know many Americans that work there, so they're thought very highly of," Holland adds. "But given the political climate, it's kind of not surprising that you would see this come up again."

And despite his misgivings about Eugene Kaspersky, CSIS's Lewis has nothing but praise for the company itself.

"They make a good product, they do good research — I use some of their research myself," says Lewis. "So there's no question about the company or what it makes — there's questions about where it happens to be headquartered."

Would Lewis use Kaspersky Lab products to protect his own computer?

"Uh, no," he replies with a chuckle.

It's not clear how much business Kaspersky Lab might lose if the Pentagon usage ban takes effect. Eugene Kaspersky is worried enough to have offered to move more of his company's research to the U.S. and make its source code available for U.S. officials to inspect.

Kaspersky insists his company's products remain indispensable for protecting computers everywhere. "The world is vulnerable," he told a company conference last year.

"It's a dark age of the cybersecurity."