The US government ramped up an investigation into Russian cybersecurity vendor Kaspersky Lab as the war in Ukraine escalated, it has been revealed. While government agencies across the Atlantic are already banned from using Kaspersky, critical national infrastructure providers and private companies are not. Whether Kaspersky ends up being banned from the US entirely remains to be seen, but security researchers say there is no evidence the company has ever bowed to pressure to assist intelligence services in the Kremlin.
The US government hastened a national security probe into Kaspersky earlier this year, Reuters reported this week, citing three sources with knowledge of the investigation. Heightened fears of Russian cyberattacks after Russia's invasion of Ukraine led the White House to intervene, the sources said. Kaspersky says it is a privately managed company with no ties to the Russian government.
Why is the US government probing Kaspersky?
Kaspersky has been under investigation by the US Commerce Department since last year due to its connections to Russia. But the investigation has made little progress, leading officials from the White House and other branches of the US government to urge the department to prioritise the probe, Reuters said.
This new-found urgency could be because the US government feels that, through its software, Kaspersky could potentially give the Russian government access to elements of critical national infrastructure such as power grids, telecommunications infrastructure, and managed service providers. These sectors “may be at higher risk,” says Allan Liska, computer security incident response team lead at security company Recorded Future.
Kaspersky was placed on a list of companies deemed a threat to US national security by the Federal Communications Commission in March. It is the only Russian company on the list, which is dominated by Chinese telecommunications firms such as Huawei.
Other governments around the world have taken varying degrees of action against Kaspersky and other Russian tech vendors. The German government has told businesses to stop using Kaspersky, and the Italian government has removed its system from public sector organisations. Kaspersky says both decisions are politically motivated. In March, the UK National Cyber Security Centre (NCSC) issued a warning urging UK companies to consider the risk of using Russian software. The NCSC’s technical director Ian Levy said businesses had to be “realistic” about the possibility of attacks.
Is using Kaspersky a security risk?
US government departments have been prohibited from using Kaspersky products since September 2017. This reportedly came after hackers working for the Russian government used Kaspersky’s antivirus software to steal classified information from the National Security Agency in 2015. Kaspersky investigated and said it found no evidence of such actions.
However, two months later MI6 raised concerns about Kaspersky software being distributed by Barclays Bank to more than two million of its UK customers. The Lithuanian government banned its use on sensitive systems and the Dutch government announced it would be phasing out the use of its software “as a precautionary measure”.
Despite this widespread suspicion from law enforcement, there does not appear to be any real evidence that Kaspersky was causing harm to sensitive systems, argues Jon DiMaggio, chief security strategist at security company Analyst1. “As an investigator into cyberattacks, I want evidence before I place judgment,” he says. “If there was such a vital concern when the US found evidence in 2017 that they believed proved Kaspersky was a threat to National Security, why was the software not banned across the board?”
He adds: “We can’t ban all companies based on their country of residence. For that reason, I question if this is political and a charge based on Kaspersky’s Russian association.”
Recorded Future’s Liska says it is legitimate to raise questions about Kaspersky. “I do think this universal concern has increased,” he says. “It’s a realistic concern and it is therefore understandable why Kaspersky is banned within the US government.” But, he says, “before making a blanket statement like ‘nobody should be using Kaspersky’ I think we need to see more evidence.”