
In late March 2022, the Federal Communications Commission (FCC) placed cybersecurity firm Kaspersky Lab on the list of organizations it deems a potential threat to the United States. Kaspersky Lab is the first Russian company on the list, joining a growing list of Chinese technology and telecommunications companies that includes Huawei, ZTE, China Mobile, and China Telecom. While an aggressive move, this is not the first time the United States has suspected Kaspersky Lab of cyber malfeasance enough to question its legitimacy. In 2019, the Federal Acquisition Regulation Council put forth a policy forbidding any federal agency from purchasing Kaspersky products. In 2017, the Department of Homeland Security issued a directive mandating that federal departments and agencies identify and remove any existing Kaspersky Lab products on government systems due to the risk they posed.

To be fair, the United States is not the only government that has put Kaspersky Lab in its crosshairs. Coming on the heels of the FCC’s determination, Germany and Italy appear to have followed suit. Germany’s Federal Office for Information Security warned German organizations against using Kaspersky Lab antivirus programs for fear of their use in cyber espionage operations or in executing attacks as a result of Germany’s support of Ukraine. Similarly, Garante, the Italian data protection authority, initiated an investigation into possible risks associated with Kaspersky antivirus software. Other governments had raised questions regarding Kaspersky earlier. The United Kingdom, Lithuania, and the Netherlands had also banned Kaspersky product use in 2017 due to possible exploitation and spying concerns.

The recent developments come during the Ukrainian conflict and amidst several governments supporting Ukraine’s effort to repel a Russian invasion. With financial and material support for Kyiv, and economic sanctions implemented against Moscow, some, like Kaspersky’s CEO and founder Eugene Kaspersky, believe these moves to be more political than an expression of genuine security concerns. At its core, the move to ban Kaspersky Lab products is rooted in fears of their potential misuse at the behest of the Russian government to spy, or to serve as a platform from which to conduct disruptive cyber attacks. After all, Kaspersky Lab is a global company operating in 200 countries and supporting approximately 400 million customers, per the company website. Such a reach is impressive for a nation state, let alone a private company.

Critics of the company are quick to provide circumstantial data points to support their claims. The obvious one is Eugene Kaspersky’s past: his ties to a cryptography college that was sponsored by the then KGB and his later work with Russian military intelligence. The second piece of evidence that raises red flags is a 2017 allegation that Kaspersky Lab engaged with the Russian Federal Security Service (FSB) to use its software to scan computers worldwide for material of interest. In this instance, Kaspersky Lab allegedly provided the FSB with real-time information on hackers’ locations and even sent experts on raids with the FSB. For doubters, this suggests perhaps a closer relationship than what has been projected.

But a smoking gun has not yet materialized, and while the previously mentioned data points give cause for concern, they do not provide enough proof to give high confidence of any wrongdoing. Security professionals often cite the fact that any antivirus program can be exploited by hostile actors due to the very nature of how such programs operate. Once installed, antivirus programs typically have access to all the files and directories on the computer or device. This makes sense, as the purpose of such programs is to comprehensively scan the machine to ensure that no known threats are present on the system.

Keeping the program current is accomplished by permitting it to communicate back to the vendor for security updates via a special communication channel. These same security professionals would also point out that such update channels can be exploited in a supply chain attack in much the same way the SolarWinds hack occurred. There is anecdotal evidence indicating nation state interest in accomplishing this type of compromise. In 2014, a state-sponsored cyber threat actor attempted to exploit an older version of Kaspersky Lab antivirus software for the purpose of going unnoticed by its victims. Interestingly, it was Kaspersky Lab that detected and reported on the incident, publishing its findings for public consumption and stating that if the attackers had not tried to exploit a patched vulnerability, the activity might have gone unnoticed.

So, in the wake of governments and private organizations pushing away from Kaspersky Lab, the question remains: are Kaspersky products safe or not? Eugene Kaspersky has repeatedly denied any wrongdoing, consistently citing a lack of credible evidence and, as a consequence, asserting that any such claims are unsubstantiated. Kaspersky Lab has been aggressively trying to satisfy its critics. The company opened a Transparency Center in the United States in 2021 in a move to establish trust. In the past, Eugene Kaspersky has offered to testify before Congress and to surrender his source code for review to assuage fears of backdoors being present. He did the same for European governments in 2018 when similar concerns were raised. Ultimately, reports authored by the Belgian, French, and German governments found no evidence of wrongdoing by the company. The U.S. has not yet taken him up on that offer to review Kaspersky Lab code.

Recent reporting indicates that the U.S. government gave a classified briefing about Kaspersky Lab to “some” American companies right after the Russian invasion of Ukraine. However, it does not appear that any “new” information has surfaced, suggesting that even within classified channels there is no definitive damning evidence. The U.S. government has provided technical analysis supporting its attribution conclusions when it comes to identifying state actors associated with China, Iran, North Korea, and Russia. Logic suggests that if it had similar evidence in the case of Kaspersky Lab, it would supply it to the public as well.

Let’s be clear: suspicion of Russian government collusion is a valid security concern but does not constitute bulletproof evidence of guilt. Kaspersky Lab has done work for the Russian government and has even hired ex-Russian intelligence officials, just as other cybersecurity vendors hire former officials of their own governments. In a statement in response to the FCC’s decision, Kaspersky Lab cited the “geopolitical climate” tied to the Ukraine situation as the motivation for the ban rather than a “comprehensive evaluation of the integrity” of its products and services, and it may be right. Kaspersky Lab has been at the forefront of advanced persistent threat actor research and analysis, exposing many nation state campaigns, including those others have tied to Russia, though it prefers to focus on its technical analysis and leave “attribution” to other companies. It serves as an honest broker in this capacity.

Kaspersky Lab antivirus has been consistently ranked as one of the best programs on the market, but only organizations can decide for themselves whether Kaspersky Lab is the right security solution for their needs. There are many things to consider with respect to an antivirus product, including reliable detection rates, multi-level virus scanning, real-time protection, and rapid infection removal. But in my view politics should not be factored into such a decision. If organizations have concerns over the product, there are several other alternatives out there. But they should make an informed decision and not one influenced by the reckless fear on which some seem to be basing their decisions.

Emilio Iasiello

About the Author

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.