A rather interesting development has cropped up in the security world. The Department of Homeland Security (DHS) has banned the use of Kaspersky security software on federal computers. This — understandably — has some people worried. Is it still safe to use Kaspersky software on your home or work computer?
We’ve collected the facts, tried to make sense of the claims, and put together what we’ve found. Here’s what we know so far.
What the DHS Says
According to the DHS Statement on the Issuance of Binding Operational Directive 17-01, the Department has directed Federal Executive Branch agencies to identify the use of Kaspersky software on their devices and remove it within 90 days. Why?
The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.
The statement also says DHS is worried that the Russian government could capitalize on Kaspersky products being on US federal computers, with or without the cooperation of Kaspersky. The statement is sparse on information backing up these claims.
New Hampshire senator Jeanne Shaheen has led the charge in Congress to ban Kaspersky products from federal computers. In an interview with NPR, she stated that there have been public concerns voiced. Some of these concerns “suggest there has been direct collaboration with certain officials from Kaspersky and from the FSB.”
We haven’t seen any evidence that this is the case. Shaheen also stated that there’s relevant classified information that could support this idea. Because it’s classified, though, we have no idea if it’s true. Or if it even exists.
(Shaheen is known for supporting the war in Iraq, which was predicated on faulty intelligence. We all know how that turned out. A number of commentators have noted the similarity of these two cases.)
What Kaspersky Says
The cybersecurity firm, as you might imagine, is not happy about this development. Kaspersky has been in the business for 20 years, and has a stellar record for protection. They’re consistently ranked very highly in lists of the best security software.
Kaspersky’s response is summed up nicely in this statement:
No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company.
The company works with governments around the world to provide cybersecurity products. And most of their business is done outside of Russia. They even point out that the laws discussed in the DHS statement don’t apply to them: they only apply to telecoms providers and ISPs.
“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues.” It doesn’t get much clearer than that.
But are they telling the truth?
What We Know So Far
As Kaspersky points out, no credible evidence has been publicly presented. Some classified information has been hinted at, but there’s no way that we can judge the veracity of that information. If it even exists.
And with US-Russian relations currently in a rather fraught place, the idea of “geopolitical issues” influencing this decision does seem credible.
In a Foreign Policy article from August 2017, an anonymous senior intelligence official is quoted as saying that intelligence agencies have been looking for evidence of governmental interference or vulnerabilities in Kaspersky software “for years.” But they didn’t find anything.
Did US intelligence find new information? It’s possible. But there’s no way to know.
Of course, nothing in the political world is as clear-cut as it seems at first. Back in 2012, Wired wrote a long profile of Kaspersky and his company. They noted a number of ways in which Kaspersky’s views align with the Russian government’s, and how he seems to have a relationship with some members of the FSB.
They also note that many of these relations are similar to those between big US companies and Washington. And that Kaspersky has a dedicated crew seeking to stamp out cyberespionage. This is the team that discovered Stuxnet, a US-Israeli cyberweapon deployed in Iran.
The article paints a conflicting picture. Especially when you take into account its terribly misleading title, “Russia’s Top Cyber Sleuth Foils US Spies, Helps Kremlin Pals.”
Competent, and Complicated
But in the end, it’s a picture of a competent businessman. He understands the political climate and turns it to his advantage when he can. He may agree with the Russian party line on internet privacy, but so do many other people around the world.
He’s a complicated man in a complicated business. That certainly doesn’t make him a tool of the FSB.
Yes, Kaspersky Lab has made software for the Russian government. But they’ve also made software for other governments around the world. They’re probably closer to the FSB than they are to other governmental organizations. But that’s to be expected, as they’re based in Russia, and the FSB handles much of the country’s cyber concerns.
Should You Be Concerned?
No. There’s almost certainly no cause for concern.
It seems quite unlikely that Kaspersky Lab, a highly successful international company, is entangled in Russian espionage. And even if they were, they’d be targeting government and military computers, not civilian ones.
If you believe in worldwide conspiracies, you might be worried that Russia is using Kaspersky software to infiltrate computers around the world for some nefarious purpose. And while stranger things have happened, it seems awfully unlikely. (Though it would make for a great Tom Clancy novel.)
In addition to Kaspersky’s stellar reputation, they also make a lot of money: $644 million at the time of that Foreign Policy article — enough for them to release a free version of their software. They have little motivation to risk their reputation to help the Russian government. In the cybersecurity world, your reputation is paramount.
Does that mean they’re completely innocent? No. As I mentioned, it’s a complicated business. And a cybersecurity firm cooperating with an intelligence service isn’t a far-fetched idea. But based on the evidence that’s publicly available — which is scant — it looks like Kaspersky is telling the truth.
Go with What Makes You Feel Safe
In the end, it’s important that your security software makes you feel safe. If you no longer trust Kaspersky, switch to something else. It’s as simple as that. I’d encourage you not to jump to conclusions, though, and look at the company’s long-standing reputation for excellence.
Of course, we’ll be keeping an eye on this development. Whether it ends up being political maneuvering or a genuine threat, we’ll be sure to let you know.
Do you still trust Kaspersky software? Or will you be switching to something else?