Backlash for popular cybersecurity company after Russian hack controversy?
Some Americans are talking about dropping Kaspersky computer security products over fears of Russian government connections.
Andres is removing the Kaspersky Lab security software from his computer.
The former software engineer in California has used the Russian company’s products—like antivirus software and other tools—for years.
“Kaspersky has high ratings with all the people that we listen to,” said Andres (not his real name).
“Then, in 2016, when the issue of Russian hackers started to gain attention, I couldn’t help but wonder—here is most of the free world using a software product written in Russia, a police state rumored to host huge state-run hacking projects.” Andres said. “What could possibly go wrong?”
The seed was planted. And this spring, Andres made the decision to cut and run.
“I don’t see how Kaspersky could not be compromised, even if Eugene Kaspersky did not want that to happen,” Andres told Archer News. “Who in Russia is going to say ‘no’ to the KGB [former Soviet security agency] AND run a successful business?”
He’s not the only one concerned.
Talk of dropping Kaspersky has popped up in forums online, like this comment after news in January that the Russian government arrested a Kaspersky cybersecurity manager—as well as a Russian military intelligence official—for an alleged crime that occurred before the manager worked for Kaspersky.
“I am now very weary [sic] to the use of any of their products and would advise caution to anyone else who uses or would consider using any of their products!!!” wrote a nervous commenter.
TechTalk commenters expressed concern over news of the arrest of a Kaspersky manager in January.
Archer News asked Kaspersky Lab if this nervous talk is translating into lost dollars for the company.
The company said its 2016 global revenue grew 4% over the year before.
“In 2016 we saw a strong growth of 25% in the enterprise segment, 55% in non-endpoint revenue and even 60% in revenue from services,” Kaspersky Lab said in an e-mail. “With a relatively stable consumer business, there has been a healthy growth in overall revenue.”
Growth overall, but what about revenue in the U.S., where the claims of election hacking and political influence have dominated headlines for months?
The company said those figures are not publicly available.
It did, however, have an answer to questions about the fear of connections to the Russian government.
“We have no political ties to the Russian government or any other government,” the company said.
Suspicions about the company’s affiliations have arisen before.
In 2015, Bloomberg published an article saying Kaspersky Lab had “close ties to Russian spies.”
Kaspersky himself went to a school sponsored by government agencies including the KGB, according to the article, and worked for the Russian government before he started his own company.
The founder also spends time at the local sauna or “banya” with Russian intelligence officials, the article said.
People with “closer” ties to Russia’s military or intelligence services have taken some high-level manager jobs at Kaspersky since 2012, the Bloomberg reported, and the company assists the FSB—successor to the KGB—with criminal investigations.
Bloomberg headline from 2015.
At the time, Kaspersky defended himself, saying some of the Bloomberg report was false, and some was cobbled together to sound sensational and exploit paranoia.
“[T]here’s no evidence of ‘closer’—not even close—ties to Russia’s military or intelligence services,” he wrote in a blog post. “Must say though, I’d be really interested to find out who’s joined our top management team since 2012 who has ‘closer ties to Russia’s military or intelligence services’. I’m dying of curiosity!”
The company does fight cybercrime, he said.
“And without cooperating with law enforcement agencies around the globe (including in the U.S., the UK, Japan, other European countries; INTERPOL and Europol) our battle would have been significantly less effective than it has been recreational—if not completely futile,” Kaspersky wrote.
The 2015 Bloomberg report did not win over the mind of cybersecurity expert Graham Cluley.
“You know what, I’d be surprised if a company that counters internet crime doesn’t occasionally work with law enforcement and intelligence agencies tasked with protecting their countries from attack,” he wrote in a post after the Bloomberg article came out.
“So, big deal if Kaspersky sometimes works with the FSB,” he said. “Just like if FireEye [a U.S. cybersecurity company] works with the FBI and the CIA. Or Sophos [a UK cybersecurity company] with the NCA and GCHQ [UK government agencies].”
“Unless Bloomberg can come up with evidence that Kaspersky’s relationship with the FSB is unhealthy or has compromised its customers, then I’m not sure what there is to worry about,” Cluley said.
Now in 2017, the controversy may be rising again, with the Bloomberg article once again taking center stage.
In April, former U.S. Secretary of Labor Robert Reich brought up the claims reported by Bloomberg and hinted at a connection with the U.S. government.
“Connect the dots. What do you think?” the author and professor wrote in a post.
A Lawfare contributor also referred to “close connections” to Russian spies in January, after the arrest of the Kaspersky manager.
“Kaspersky himself has close connections to the KGB (as an aside, that is one reason why I personally do not use Kaspersky’s products),” wrote Paul Rosenzweig, founder of the homeland security consulting company Red Branch Consulting.
Kaspersky Lab reiterated to Archer News this month that it works with investigators from many different countries.
“We cooperate with Russian law enforcement agencies by providing technical expertise, just as we cooperate with those of many other countries, including the USA and EU [European Union] members,” Kaspersky Lab said.
“We offer consultation and analysis services, and provide expertise during legal trials and investigations. Our corporate clients include government bodies in a number of countries, including Russia,” the company said.
Performance over location?
Now in 2017, Cluley said his opinion on the Kaspersky situation hasn’t changed.
“I don’t think there’s anything inherently wrong with a security product just because its headquarters is in Russia,” he said to Archer News. “Just as I wouldn’t think that would be a good reason to not buy an antivirus product if it was made in France or Germany or the UK.”
Cluley encouraged customers to look at performance over location when deciding to change security products.
“Anyone deciding to ditch Kaspersky should do so if they believe they have any evidence that the product is deficient in some manner, or if the company has provided them with some poor service, or if they have some evidence that the software is compromised in some fashion,” he said.
“I haven’t seen any evidence that Kaspersky’s product is compromised by Russian intelligence—which presumably is the fear,” he added.
Across the borders
Many popular computer security products come from other countries, as Ken Colburn, CEO of Data Doctors Computer Services, pointed out in a post on The Arizona Republic site.
Colburn’s list includes:
AVG & Avast – Czech Republic
Bitdefender – Romania
ESET – Slovakia
F-Secure – Finland
Kaspersky – Russia
Panda – Spain
Sophos – UK
Trend Micro – Japan
“Keep in mind that all of these companies are global players and any evidence that they are working with their own government to disclose user information would all but destroy their businesses,” Colburn said.
Still, each person has to decide their own level of trust and comfort, according to Colburn.
For Andres, that level of trust and comfort does not include Kaspersky—and products from some other countries.
“Would I buy security software written in China? Ha,” he said. “Now to find a good replacement and change all my passwords… or go off the grid.”
Some others might be uncomfortable using a U.S. company that works with federal law enforcement agencies, for fear of surveillance by their own government.
“Can you really believe American-made software of any kind is more secure when the NSA apparently has extra-constitutional powers?” asked an online commenter after the Bloomberg article in 2015.
“Ask Bob Rankin” commenters expressed concern over American government surveillance of security software after the 2015 Bloomberg article.
The fear over Russian cyber attacks has generated new awareness about where your security software comes from.
And in some cases, it will mean Russian companies will lose customers.
“It’s very hard for a company with Russian roots to become successful in the U.S., European and other markets,” Kaspersky wrote. “Nobody trusts us—by default. Our only strategy is to be 1000% transparent and honest. It took years to explain who we are. Many people attempted to find ‘dirt’ on us—and failed. Because we’ve nothing to hide.”