How Kaspersky Lab got on the US government's bad side

An investigation into the cybersecurity company's ties to the Russian government raises many questions and answers few. Here's what we know so far.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

A peek inside Kaspersky Lab's Moscow headquarters. The US government is concerned about the cybersecurity company's ties to the Russian government.

Sergei Savostyanov/TASS via Getty Images

The US government and one of the most popular and well-reviewed antivirus software companies are going through a messy breakup.

There were happier times. Moscow-based Kaspersky Lab has been a top cybersecurity company with government contracts around the world, including the US. As recently as September, the company's software was one of the highest-rated virus protections, with 400 million users worldwide, according to the company.

Then came allegations of the company's ties to the Russian government. The US House Committee on Science, Space and Technology held a hearing Wednesday into the risks that Kaspersky Lab products may pose for the US.

It's the latest outgrowth of the increased attention on Russian hacking, a national security issue that has prompted lawmakers to look into potential threats to systems like our electrical power grid and electoral process.

Confused and nervous about software you may be running on your computer? Read on.

Why does the US government have an issue with Kaspersky?

The government worries Kaspersky Lab has ties to the Russian government.

The allegations, which have cropped up over the last several months, range from Kaspersky working with the Russian government to Kremlin spies hacking the antivirus software and using it without the company knowing.

A Bloomberg article in July said internal emails showed Kaspersky Lab was working closely with Russia's FSB, the country's equivalent to the FBI. This came a month after FBI agents visited Kaspersky employees in the US, questioning the company's motives.

"The case against Kaspersky Lab is overwhelming," Sen. Jeanne Shaheen, a Democrat from New Hampshire, said in a statement. "The strong ties between Kaspersky Lab and the Kremlin are alarming and well-documented."

What has the US government done?

In September, the Senate passed a bill banning Kaspersky software from all federal computers as part of the annual defense budget.

On Sept. 13, the Department of Homeland Security ordered all federal agencies to remove Kaspersky software from their computer systems.

Stores like Best Buy, Office Depot and Staples followed suit and removed Kaspersky's software from their shelves. The company's founder, Eugene Kaspersky, on multiple occasions has denied any connections to the Russian government, but Capitol Hill doesn't seem to be buying it.

Anything else?

Yep, there's more. The Wall Street Journal reported on Oct. 5 that Russians had used Kaspersky's software to steal NSA secrets from a staffer's home laptop. In 2015, the antivirus scanner picked up the NSA's hacking tools, which landed in the Kremlin's hands, according to the report.

And then on Oct. 10, The New York Times reported that Israeli intelligence caught Russian hackers looking for secret files in real time using Kaspersky Lab's antivirus software. The software had become an advanced search engine for Russian hackers to steal data, the Times reported.

CyberScoop also reported on the same day that Kaspersky Lab and the US government had a tense confrontation in 2015 after the security company boasted to FBI agents during a sales pitch that the software could be used as a tool for spying on terrorists.

What does Kaspersky Lab have to say?

Eugene Kaspersky called the October reports "false allegations," arguing that no evidence has surfaced, and he launched an internal investigation into the issues raised.

"If there was any evidence that we've been knowingly involved in cyber-espionage, we'd be toast," Kaspersky said in a blog post last week.

On Wednesday, just ahead of the hearing in Congress, Kaspersky Lab released preliminary details from its internal investigation. The company said Russian spies didn't need its antivirus software to steal information from the NSA staffer, because his laptop was already infected with malware. The employee, Kaspersky said, had turned off the antivirus protection while downloading pirated software.

"The user was infected with this malware for an unspecified period, while the product was inactive," the Kaspersky report said.

Earlier in the week, the company also announced a transparency initiative, promising to allow an independent third-party review of its software, including the source code, update code and threat detection rules. The first transparency check center will open in 2018, with two more opening by 2020 across Asia, Europe and the US.

How could antivirus software be hacked?

It's unclear exactly how Kaspersky Lab's software has been compromised, if it was at all. Because all the reports are based on the word of anonymous sources, there aren't many technical details available.

It seems contradictory that software designed to block cyberattacks could itself be hacked, but antivirus tools are prime targets.

Antivirus scanners are designed to search through every file on your device and to block any threats. For a hacker looking for sensitive secrets, an antivirus program is one of the most valuable tools. It's also extremely difficult to hack.

"AV companies will always be a high-profile target for adversaries for numerous reasons," said Lesley Carhart, a digital forensics expert. "The good ones know this and have exceptional security staff to mitigate."

Often, cybercriminals will use simpler means to steal data, like getting victims to install malware disguised in an email.

"Compromising or pressuring a major AV vendor to steal data en masse is noisy, blatant," Carhart said. "Why use a sledgehammer when you can just open the door?"

But antivirus tools aren't foolproof. Last year, a Google researcher found security flaws in Symantec's antivirus software that could have allowed hackers to run malicious code without permission. In September, the popular CCleaner utility became part of a cyberattack after hackers quietly inserted code into it, turning the cleaning program into malware.

Is Kaspersky's software hacking me?

It depends who you are.

The same way that James Bond doesn't go around shooting everybody in the movies, international spies aren't exactly out to search for every single person's secrets. The average person will likely never have to worry about KGB agents rummaging through his or her family vacation photos, but it's a different story if you're a government official.

Nation-state hackers are acting in their country's interests, and that means launching attacks on targets with sensitive data, like NSA employees. While stores have removed Kaspersky from their inventories, if you're the type of person who buys antivirus software off a shelf, you're probably not someone who needs to worry about Russian hackers, security experts said.

"Your average person is probably pretty boring to the Russian government," said Jake Williams, founder of Rendition Security. "The people this applies to are those who might be a target of a foreign government."

So should I get rid of Kaspersky?

If you believe Russian spies have any reason to target you, yes. For the average person, there's no immediate danger, but it's worth considering.

If you do uninstall Kaspersky's software, make sure you still have some kind of protection on your device. You're still much better off using Kaspersky's antivirus software than nothing at all.

And if you do get rid of Kaspersky, don't move to an antivirus tool that's not ranked as high. On AV-Comparatives' monthly ranking from September, only Bitdefender, F-Secure, Panda, Tencent and Trend Micro blocked as many attacks as Kaspersky did.

Kaspersky still does its job well for most people, blocking ransomware, trojans and malware from your devices. But there are a handful of antivirus software companies out there that aren't facing national scrutiny.

Given recent reports, people with sensitive data might want to think twice about installing it.

"I still assess the risk as low for most people, but I certainly wouldn't put it on any machine I cared about," Williams said.

Has everyone dumped Kaspersky?

Not quite. Interpol, an international police organization based in France, signed an agreement to further its cooperation with Kaspersky on Oct. 12.

Germany's federal cyberagency continues to use Kaspersky's software, pointing out that no evidence has surfaced about Russian ties. And in September, the company landed a contract with the Brazilian Armed Forces as well.

On Oct. 17, the company pointed to a customer satisfaction award, boasting of its high ratings from users in nearly 200 countries.

What came out of the hearing?

We didn't get any answers from Eugene Kaspersky or any employees. In fact, no new information came out of the hearing.

Kaspersky accepted an invitation to testify to Congress on Sept. 27 at a hearing that was postponed until Wednesday. But his invitation was rescinded without notice. Nobody from the company testified at Wednesday's hearing.

Instead, we heard from these security experts:

  • Donna Dodson, chief security adviser at the National Institute of Standards and Technology
  • David Shive, chief information officer for the General Services Administration
  • James Norton, president of Play-Action Strategies, a consulting firm
  • Sean Kanuck, director of Future Conflict and Cybersecurity at the International Institute for Strategic Studies

It's unclear why Kaspersky was uninvited.

"The committee is planning a series of hearings on the topic, and the committee did not extend an invitation to Mr. Kaspersky for the Oct. 25 hearing," Thea McDonald, a spokeswoman for the House committee, said last week.

The committee declined to answer whether that means Kaspersky will be attending a hearing in the future. Kaspersky received a travel visa to the US in September, according to Tass, Russia's official news agency.

The Department of State said it's not allowed to disclose details on individual visa applicants.

"We have seen the reports that the committee plans to have a series of hearings, and while the committee has not communicated this directly to Kaspersky Lab, we look forward to being provided the opportunity to address their concerns," a Kaspersky spokeswoman told CNET last week.

The majority of the questions at the hearing would have been well-suited for the NSA, the DHS or Kaspersky to answer, but none of the invited speakers were from those organizations. Shive said the GSA did not do technical analysis on Kaspersky, so he could not provide any insight on the software's risk.

Norton and Kanuck, despite their expertise on cybersecurity, did not offer information that the public wasn't already aware of. And Dodson touched on NIST's security guidelines, but did not tie them to Kaspersky's software.

When asked when Kaspersky will be able to testify to Congress, Rep. Darin LaHood, a Republican from Illinois, said, "We'll entertain that as we move along."

Originally published Oct. 24 at 5 a.m. PT.
Update, Oct. 25 at 7:23 a.m. PT: Adds information from Kaspersky Lab's report on its internal investigation.
Update, Oct. 25 at 11:12 a.m. PT: Adds details from the House committee hearing.
