The US government’s decision this week to ban all federal agencies from using software developed by elite cybersecurity firm Kaspersky Labs could be the first salvo in a broader effort to take aim at Russia’s cyber industry.
The order came from Elaine Duke, the Acting Secretary of Homeland Security, who gave federal agencies 90 days to get rid of all Kaspersky software from their networks, The Washington Post reported on Wednesday.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the DHS said in a statement.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” the statement continued.
The US intelligence community has long been wary of Kaspersky and its possible ties to the Kremlin.
The company is currently under active FBI counterintelligence investigation, and the Senate Intelligence Committee is probing the nature of its relationship to the Kremlin, calling it an “important national security issue.”
The FBI also interviewed at least a dozen employees of the firm in late June, visiting them at their homes on the East and West Coasts to gather information about how Kaspersky works.
Kaspersky’s products are widely used across the US, and officials worry that Russian state actors could exploit Kaspersky’s software and gain access to sensitive user data as well as critical infrastructure.
Alex McGeorge, the head of threat intelligence at Immunity Inc., told Business Insider that the US government’s decision to ban federal agencies from using Kaspersky products could be part of an effort to punish Russia for its increasingly aggressive behavior in the cyber arena, and will likely be more effective than more traditional avenues for recourse, like imposing economic sanctions.
A central figure in the cyber space
Russia has increasingly emerged as a central figure following a slew of high-profile cyberattacks carried out across the globe over the past few years. In addition to interfering in the US election, Russia is also thought to be the culprit behind an elaborate effort to turn Ukraine into a cyber-weapon testing ground.
In 2015, a massive cyberattack leveled against the country’s power grid cut electricity to almost 250,000 Ukrainians. Cybersecurity experts linked the attack to IP addresses associated with Russia.
Since then, Wired magazine’s Andy Greenberg reported, Ukraine has seen a growing crisis in which an increasing number of corporations and government agencies have been hit by cyberattacks in a “rapid, remorseless succession.”
Officials also believe Russia may have been behind this summer’s “Petya” cyberattack that crippled countries and corporations across the globe.
Investigators have additionally linked Russia to attacks on at least a dozen US nuclear facilities. The hacks, though confined to the enterprise side of the nuclear plants, raised red flags as they could be a preliminary step toward an attack against the US power grid, cybersecurity experts previously told Business Insider.
Perhaps most notably, the US intelligence community concluded that Russia was behind an elaborate and multi-faceted influence campaign aimed at tilting the 2016 election in Donald Trump’s favor. That effort included, among other things, cyberattacks against the Democratic National Committee and breaching US voting systems in as many as 39 states in an attempt to target and manipulate voter data.
‘A continued trend’
The US’ actions against Kaspersky could be “just the beginning” of its retaliation against Russia and could prompt a chain reaction “we’re only just beginning to see,” McGeorge said.
Greg Martin, the CEO of cybersecurity firm JASK, echoed that assessment, telling Business Insider that the US’ apparent shift toward targeting key players in Russia’s cyber industry will likely be “a continued trend.”
Federal agencies are not the only ones who have cut ties with Kaspersky. Last week, it emerged that Best Buy, the country’s largest electronics retailer, had pulled all Kaspersky products from its shelves and its website.
A source told Star Tribune, which first broke the news, that Best Buy felt there were “too many unanswered questions” about Kaspersky’s dealings, which prompted its decision to end its relationship with the firm. In addition to federal agencies banning Kaspersky, the decision by the US’ largest brick-and-mortar electronics company to cut ties with the Russian firm will also likely impact Kaspersky’s revenue from the home user stream, McGeorge noted.
Kaspersky is registered with the FSB, Russia’s spy agency, but it claims it has no connection to Russian intelligence.
“Kaspersky Lab doesn’t have inappropriate ties with any government,” the firm told Business Insider in a statement last month. The company said no credible evidence has established ties between Kaspersky and the Kremlin, and that it’s merely “caught in the middle of a geopolitical fight” and being treated unfairly.
It did not return a request for comment about the US government’s latest move against it, though Putin’s spokesperson, Dmitry Peskov, said Russia “regrets” the decision.
Peskov told journalists on Thursday the US’ action “cast a shadow over the image of our American colleagues as reliable partners” and was designed to cripple Kaspersky’s competitive advantage on the international market.
‘There is something more afoot’ vis-a-vis Kaspersky’s Russia ties
The government’s decision to penalize Kaspersky could also bear implications for the US cybersecurity industry, which sells plenty of software to Russian companies and banks, as well as other foreign corporations.
“These types of actions can sometimes have consequences,” Martin said, adding that Russia could theoretically “turn around and ban Russian companies from buying US cybersecurity software.”
Indeed, a similar event occurred in 2015, when China removed Apple and Cisco from its approved list of technology vendors after Edward Snowden disclosed that the National Security Agency regularly accessed US company data and hardware to spy on foreign adversaries.
Despite the risks, however, cybersecurity experts were unequivocal in their assessment that the US government made the right call in blacklisting Kaspersky.
There is no concrete evidence available to the public indicating that Kaspersky engaged in any wrongdoing as far as working with the Russian government goes. That said, “there may very well be classified intelligence showing that there’s some collusion” between Kaspersky and the Kremlin, Martin said, adding that if that were the case, “it wouldn’t be totally surprising.”
Key figures in the US intelligence community, as well as President Donald Trump’s cybersecurity adviser and Democratic and Republican lawmakers, have repeatedly warned against using Kaspersky’s products.
Rob Joyce, the Trump administration’s cybersecurity coordinator, said last month that he does not use the firm’s products.
“I worry that as a nation state Russia really hasn’t done the right things for this country and they have a lot of control and latitude over the information that goes to companies in Russia,” Joyce said. “So I worry about that.”
Michael Morell, the former deputy director of the CIA, also reiterated the intelligence community’s belief in a link between Kaspersky and the Kremlin. “There is a connection between Kaspersky and Russian intelligence, and I’m absolutely certain that Russian intelligence would want to use that connection to their advantage,” Morell told CBS News.
McGeorge said that whatever evidence the intelligence community has of Kaspersky’s involvement in Russia’s cyber campaign has motivated the US government “to significantly degrade Kaspersky’s ability to do effective business in the US.”
The frequent warnings from US lawmakers, “combined with the decision by Best Buy, who is not an arm of the US government, suggests that there is something more afoot” regarding Kaspersky’s ties to the Kremlin, he added.
Eugene Kaspersky, the firm’s founder, accepted an invitation on Thursday to testify before the House Committee on Science, Space, and Technology over the security of his company’s products. His appearance before the US Congress will mark the highest-profile attempt yet to address longstanding accusations that Kaspersky could be working as an arm of the Kremlin.