Over the past few months, the U.S. government has taken multiple steps to limit federal agencies from using information security products, solutions, and services from Kaspersky Lab, a security company headquartered in Moscow, over concerns that it has unethical ties to the Russian government. These actions would be completely justified if Kaspersky Lab is colluding with the Russian government to spy on Americans — but, at least so far, the U.S. government has not provided one bit of public evidence.
The U.S. government has taken swift action against the company. First, the General Services Administration (GSA) removed Kaspersky Lab from its pre-approved vendors list in July. Then the Department of Homeland Security issued a directive last week ordering all federal agencies to cease using Kaspersky products within 90 days. The final nail in the coffin came this week when the Senate passed legislation, sponsored by Sen. Jeanne Shaheen (D-N.H.), that bans the Department of Defense from using Kaspersky Lab.
But instead of providing reasons for these actions, government officials have only offered innuendo. For example, Shaheen justified her legislation by pointing to a Senate Intelligence Committee hearing in May, where the heads of the CIA, NSA, and FBI all stated that they would not use Kaspersky Lab software on their own computers in response to a question from Sen. Marco Rubio (R-Fla.). Interestingly enough, Rubio had received different answers when he asked that same question at a hearing in March. One of the witnesses, Thomas Rid, a professor in the Department of War Studies at King’s College in London, not only replied that he would indeed use Kaspersky Lab products, but he argued that “Kaspersky is not an arm of the Russian government,” pointing out that the company has published information on several Russian state-sponsored cyberattacks.
Collusion is certainly within the realm of possibility, which is why innuendo has been so effective. After all, the company’s namesake founder, Eugene Kaspersky, was an employee of the Russian government early in his career, and the company has worked for Russian intelligence agencies in the past. However, given that most leading security firms do some work for government agencies, these connections are not that unusual.
For its part, Kaspersky has denied having unethical relationships with any government, including Russia, and says it protects U.S. government information with the same strict legal requirements and industry standards that its U.S. peers use. It is even possible that recent suspicions about the company are the result of a false flag operation by the Russian government as payback for the company investigating Russian state-sponsored attacks, as the Russian government charged the head of Kaspersky Lab’s incident response team with treason in February.
So while there have been a lot of accusations, there has not been any public evidence to back up these claims. This creates three problems.
First, either Kaspersky Lab’s products are malicious or they are not. If Kaspersky is colluding with the Russian government, then this affects 400 million users worldwide, and it is not just U.S. government agencies that should stop using this software, it is all American businesses and consumers, as well as those of U.S. allies. The U.S. government has a responsibility to inform the public of known threats, and if it has discovered a vulnerability, it should create a public vulnerability report so that all organizations — public and private — can respond accordingly. And if Kaspersky is not a tool of the Russian government, then it should not be blacklisted by the U.S. government.
Second, if the concern is not about Kaspersky itself, but rather the Russian government, then why stop with banning a single company? In an op-ed in the New York Times, Shaheen implied that even if the company’s code was secure, the problem was that under Russian law, “the company is required to assist the [Russian] spy agency in its operations.” If the real concern is that no Russian business is trustworthy because of Russian law, then the U.S. government should ban all Russian software, not just Kaspersky Lab’s.
Third, the U.S. government has made no move to penalize foreign firms actually proven to have faulty code. The Czech company Avast, for example, recently discovered that hackers had compromised its popular, free tool CCleaner, making the security software distribute malicious code. And yet, there are no calls by the U.S. government to limit software products from Avast or ban Czech software.
As it stands, the U.S. government’s ban looks more like protectionism — where a country shields its domestic industries from foreign competition — than good policy around cyber security. Encouraging such behavior without any evidence only legitimizes protectionist actions taken by other governments that hurt U.S. firms. For example, the Chinese government has banned certain foreign security software, including from American firms, or created procurement lists for security software that only include domestic firms. The U.S. government should oppose these practices rather than mirror them.
Again, if Kaspersky is at fault, then the U.S. government should ban the software. But it should do this through an open and transparent process rather than the type of secretive process more likely to be found in, well, Russia.