WASHINGTON — US intelligence officials are expressing concern over a Russian cybersecurity company’s access to US government systems and pushing the General Services Administration for answers on how long it has been approved for use by US agencies.

Three US intelligence officials told BuzzFeed News they were concerned by what they categorized as a close relationship between the company, Kaspersky, and the Russian government, and what giving the company access to US government systems could mean. All of the officials who spoke with BuzzFeed News requested anonymity to discuss internal intelligence community conversations about Kaspersky.

A spokesperson for Kaspersky told BuzzFeed News that the company “has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts. For 20 years, Kaspersky Lab has been focused on protecting people and organizations from cyberthreats, and its headquarters’ location doesn’t change that mission--just as a U.S.-based cybersecurity company doesn’t send or allow access to any sensitive data from its products to the U.S. government, Kaspersky Lab products also do not allow any access or provide any secret data to any country’s government.” The concern over Kaspersky’s access to US government agencies comes amid rising alarm in Washington over the security of government systems, and the hacking of the DNC and Clinton campaign, which the intelligence community has blamed on Moscow.


The officials said that they had not seen any evidence linking Kaspersky to the Kremlin’s election operation, but said the concerns are, instead, stemming from broader concern over Russian meddling in US affairs.

Kaspersky, which provides global cybersecurity and antivirus services, has long refuted claims that it is has ties to the Kremlin. In a blog post addressing claims of his ties to the Russian government and its security services, the company’s founder Eugene Kaspersky wrote that he worked “for the Ministry of Defense as a software engineer for several years… Let me spell it out and use a few capitals: I’ve NEVER worked for the KGB.”

The company did not grant BuzzFeed News’ multiple requests for interviews with Kaspersky, with the company’s DC-based team, or with Kaspersky researchers in the US.

Public contracting records show Kaspersky began getting US government contracts to protect online systems at the National Institutes of Health in 2008, and by 2014, the company’s products were being used by the Department of Justice, the Treasury Department, and several offices within the State Department, including some US embassies. According to the Federal Procurement database, Kaspersky’s most recent contract was signed with the Consumer Product Safety Commission in June 2016.

Concern over Kaspersky’s role in US government contracts has been amplified in recent months as intelligence officials grapple with Russia’s continued efforts to meddle in US affairs. The announcement by US intelligence agencies that Russian state-sponsored hackers had not only breached the emails of Democratic Party members, but used that information to try and influence the 2016 presidential elections, has awakened US government officials to the vulnerability of the US to cyberattacks from an enemy state, and to Moscow in particular. While cybersecurity experts have warned for years that US systems were poorly guarded, and vulnerable to everything from simple spear phishing schemes, to more sophisticated malware, few in government realized the scope of what attackers could accomplish once they were within a US system — or just how much the US relies on its online systems to store and share information.


“We have seen the problems that can arise by giving contractors access to sensitive systems, I think the US government needs to think long and hard about which type of contractors it outsources work to in the cybersecurity realm,” said one DOD official who works within cyber operations, in reference to recent concerns that a contractor with the NSA was responsible for leaking the NSA’s hacking tools to WikiLeaks. “We are going to see more and more private cybersecurity firms brought in. There need to be smart questions asked about who they are, and what they get access to once they are in the system.”

Kaspersky’s use within the US government has been of concern — particularly by the FBI — for at least a year, the three intelligence officials said. But it wasn’t until recently that the wider intelligence community began paying attention, once the scope of its multiple US government contracts became clear. Part of the problem, two of those officials said, is that Kaspersky is generally provided to US government agencies via third-party contractors. There’s a running concern, they said, that the US government was not properly vetting the access agreements between those third-party vendors and Kaspersky.

“FBI has been very worried about it partly because they know how Russian operatives work here,” one of the intelligence officials said.

A Kaspersky spokesperson said the company was “not aware of any official concerns, and the company’s reputation and success depends on abiding by normal business ethics, which is why it’s disappointing that Kaspersky Lab is being unjustly judged by ‘concerned sources’ without any hard evidence to back up their false allegations.”


GSA, which approves contracts for government use, did not respond to requests for official comment by deadline. Intelligence officials, too, have struggled to get answers from GSA on the scope of Kaspersky’s use within the government.

“What we're looking at is a company that is ingrained across almost 3,500 different products,” one GSA official said of Kaspersky, requesting anonymity to explain why it’s been so difficult to determine the extent of Kaspersky’s use on US systems.

The scope of Kaspersky’s use within US systems, the official said, could be even larger than it appears based on public contracting records. The official did not go into detail, but said Kaspersky software appears to be a “licensed component of other cyber products” sold by other vendors in use by the US government.