Kaspersky Lab, a recognized cybersecurity and anti-virus provider, has been repeatedly put under scrutiny for its Russian origins. Even though Kaspersky has been in business for 20 years, a few government officials around the world think it might be spying for the Russian government.
This—understandably—has some people worried. Is it still safe to use Kaspersky software on your home or work computer?
It all comes down to whether the allegations that the company has ties to state-sponsored spying operations are merely assumptions or supported by evidence.
What Makes Kaspersky a Threat to National Security?
Kaspersky was founded in Russia in 1997 by a Russian national. The company is headquartered in Moscow, but it is a global entity with operations and offices in various locations worldwide.
Kaspersky has a global customer base and offers cybersecurity products and services to individuals, businesses, and governments everywhere. Kaspersky has over 400 million users and holds a range of client data. It can scan emails, system environment information, client device network addresses, and more.
Operating in Russia, Kaspersky has long provided cybersecurity solutions to the country's government, such as the Ministry of Defense. People are concerned about the company's ability to "misuse" the information it has on millions of customers, including foreign governments. It could grant the Russian government access to user data or the company's infrastructure.
If the government data of any country gets leaked or accessed by unauthorized parties, it may compromise that nation's security, expose vulnerabilities, and help enemies gather intelligence or plan cyberattacks.
Suppose Kaspersky gives Russia access to a country's economic data. In that case, this might cause that country to lose money, become less competitive, and have a negative effect on its industries and businesses. So, whether you work for the government or not, it's critical that you protect yourself from data breaches.
Who Made the Allegations, and What Exactly Are They About?
In 2017, the Department of Homeland Security (DHS) directed Federal Executive Branch agencies to identify the use of Kaspersky software on their devices and remove it within 90 days. The following statement from the Department explains why they made their choice:
The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.
New Hampshire Senator Jeanne Shaheen stated in an interview with NPR that there have been public concerns voiced. Some of these concerns "suggest there has been direct collaboration with certain officials from Kaspersky and the Federal Security Service of the Russian Federation."
Later in September 2019, the US Federal Acquisition Regulation Council officially banned using any hardware, software, or services developed or provided by Kaspersky Lab. The final rule forbids using Kaspersky products on any IT system that interacts with government operations, including payroll systems for contractors with federal practices.
After Russia invaded Ukraine in 2022, the US government issued warnings to companies not to use Kaspersky software. The Federal Communications Commission added Kaspersky to its list of service providers deemed threats to US national security on March 25 of that year.
Following the US government's lead, Germany's Federal Office for Information Security (BSI) also advised people to use the alternatives to Kaspersky products. Five EU nations proposed an EU-wide ban on Kaspersky, which is already banned in Lithuania for federal computers.
But why does everyone want to stop Kaspersky from operating in other countries?
The prohibitions were put into effect out of concern that Russian law enforcement would use the company as a tool to spy on other nations. Kaspersky could possibly grant the Russian government access to elements of critical national infrastructure, allowing it to plan cyberattacks.
Because of the Russia-Ukraine conflict, pro-Russian hacktivist groups have been using DDoS attacks to overwhelm the IT infrastructure of NATO countries and EU nations. Therefore, security concerns about Kaspersky skyrocketed following Russia's invasion of Ukraine.
What Kaspersky Says
Throughout the years, Kaspersky has repeatedly denied any wrongdoing or secret cooperation with Russian intelligence. It has claimed that the accusations are being made on political grounds rather than being supported by a technical analysis of Kaspersky's products.
Kaspersky's response is summed up nicely in this statement:
No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company.
"Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it's disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues." It doesn't get much clearer than that.
The company says that it has helped the US government in the past—with the Harold "Hal" Martin case, who stole 50 terabytes of NSA and other US government information—and that it remains willing to cooperate with US government agencies to resolve the concerns of the FCC and any other regulatory agencies.
But are they telling the truth?
Reality or Assumptions?
As Kaspersky points out, no credible evidence has been publicly presented. Some classified information has been hinted at, but there's no way that we can judge the veracity of that information. If it even exists.
In a Foreign Policy article from August 2017, an anonymous senior intelligence official is quoted as saying that intelligence agencies have been looking for evidence of governmental interference or vulnerabilities in Kaspersky software "for years." But they didn't find anything.
Furthermore, Kaspersky relocated its data processing infrastructure to Switzerland in 2018, which resolved the concerns to some extent. Kaspersky’s Transparency Report of 2021 stated that it denied all requests from the Russian government for customer data.
Back in 2012, Wired wrote a long profile of Kaspersky and his company. They noted a number of ways in which Kaspersky's views align with the Russian government's, and how he seems to have a relationship with some members of the FSB.
Kaspersky products protect many organizations that play an instrumental role in Putin's propaganda, such as state-owned news agency TASS and TV network Russia Today. Eugene Kaspersky, the CEO of Kaspersky, has expressed largely neutral views about the war between Russia and Ukraine.
Should You Be Concerned?
No. Kaspersky consistently ranked very highly in lists of the best security software. Yes, Kaspersky Lab has made software for the Russian government. But they've also made software for other governments around the world.
It seems quite unlikely that Kaspersky Labs, a highly successful international company, is entangled in Russian espionage. And even if they were, they'd be targeting government and military computers, not civilian ones.
If you believe in worldwide conspiracies—then, we have a list of conspiracy websites for you—you might be worried that Russia is using Kaspersky software to infiltrate computers around the world for some nefarious purpose. And while stranger things have happened, it seems awfully unlikely. (Though it would make for a great Tom Clancy novel.)
In addition to Kaspersky's stellar reputation, it also makes a lot of money: $644 million at the time of that Foreign Policy article—enough to release a free version of its software. They have little motivation to risk their reputation to help the Russian government. In the cybersecurity world, your reputation is paramount.
Does that mean they're completely innocent? No. This is a complicated business, and a cybersecurity firm cooperating with an intelligence service isn't a far-fetched idea. But based on the evidence that's publicly available—which is scant—it looks like Kaspersky is telling the truth.
Go With What Makes You Feel Safe
In the end, it's important that your security software makes you feel safe. If you no longer trust Kaspersky, switch to something else. It's as simple as that. Don't jump to conclusions, though, and look at the company's long-standing reputation for excellence.