WASHINGTON — US intelligence officials are expressing concern over a Russian cybersecurity company’s access to US government systems and pushing the General Services Administration for answers on how long it has been approved for use by US agencies.
Three US intelligence officials told BuzzFeed News they were concerned by what they categorized as a close relationship between the company, Kaspersky, and the Russian government, and what giving the company access to US government systems could mean. All of the officials who spoke with BuzzFeed News requested anonymity to discuss internal intelligence community conversations about Kaspersky.
A spokesperson for Kaspersky told BuzzFeed News that the company “has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts. For 20 years, Kaspersky Lab has been focused on protecting people and organizations from cyberthreats, and its headquarters’ location doesn’t change that mission--just as a U.S.-based cybersecurity company doesn’t send or allow access to any sensitive data from its products to the U.S. government, Kaspersky Lab products also do not allow any access or provide any secret data to any country’s government.” The concern over Kaspersky’s access to US government agencies comes amid rising alarm in Washington over the security of government systems, and the hacking of the DNC and Clinton campaign, which the intelligence community has blamed on Moscow.
The officials said that they had not seen any evidence linking Kaspersky to the Kremlin’s election operation, but said the concerns are, instead, stemming from broader concern over Russian meddling in US affairs.
Kaspersky, which provides global cybersecurity and antivirus services, has long refuted claims that it is has ties to the Kremlin. In a blog post addressing claims of his ties to the Russian government and its security services, the company’s founder Eugene Kaspersky wrote that he worked “for the Ministry of Defense as a software engineer for several years… Let me spell it out and use a few capitals: I’ve NEVER worked for the KGB.”
The company did not grant BuzzFeed News’ multiple requests for interviews with Kaspersky, with the company’s DC-based team, or with Kaspersky researchers in the US.
Public contracting records show Kaspersky began getting US government contracts to protect online systems at the National Institutes of Health in 2008, and by 2014, the company’s products were being used by the Department of Justice, the Treasury Department, and several offices within the State Department, including some US embassies. According to the Federal Procurement database, Kaspersky’s most recent contract was signed with the Consumer Product Safety Commission in June 2016.
Concern over Kaspersky’s role in US government contracts has been amplified in recent months as intelligence officials grapple with Russia’s continued efforts to meddle in US affairs. The announcement by US intelligence agencies that Russian state-sponsored hackers had not only breached the emails of Democratic Party members, but used that information to try and influence the 2016 presidential elections, has awakened US government officials to the vulnerability of the US to cyberattacks from an enemy state, and to Moscow in particular. While cybersecurity experts have warned for years that US systems were poorly guarded, and vulnerable to everything from simple spear phishing schemes, to more sophisticated malware, few in government realized the scope of what attackers could accomplish once they were within a US system — or just how much the US relies on its online systems to store and share information.
“We have seen the problems that can arise by giving contractors access to sensitive systems, I think the US government needs to think long and hard about which type of contractors it outsources work to in the cybersecurity realm,” said one DOD official who works within cyber operations, in reference to recent concerns that a contractor with the NSA was responsible for leaking the NSA’s hacking tools to WikiLeaks. “We are going to see more and more private cybersecurity firms brought in. There need to be smart questions asked about who they are, and what they get access to once they are in the system.”
Kaspersky’s use within the US government has been of concern — particularly by the FBI — for at least a year, the three intelligence officials said. But it wasn’t until recently that the wider intelligence community began paying attention, once the scope of its multiple US government contracts became clear. Part of the problem, two of those officials said, is that Kaspersky is generally provided to US government agencies via third-party contractors. There’s a running concern, they said, that the US government was not properly vetting the access agreements between those third-party vendors and Kaspersky.
“FBI has been very worried about it partly because they know how Russian operatives work here,” one of the intelligence officials said.
A Kaspersky spokesperson said the company was “not aware of any official concerns, and the company’s reputation and success depends on abiding by normal business ethics, which is why it’s disappointing that Kaspersky Lab is being unjustly judged by ‘concerned sources’ without any hard evidence to back up their false allegations.”
GSA, which approves contracts for government use, did not respond to requests for official comment by deadline. Intelligence officials, too, have struggled to get answers from GSA on the scope of Kaspersky’s use within the government.
“What we're looking at is a company that is ingrained across almost 3,500 different products,” one GSA official said of Kaspersky, requesting anonymity to explain why it’s been so difficult to determine the extent of Kaspersky’s use on US systems.
The scope of Kaspersky’s use within US systems, the official said, could be even larger than it appears based on public contracting records. The official did not go into detail, but said Kaspersky software appears to be a “licensed component of other cyber products” sold by other vendors in use by the US government.
Kaspersky launched a US subsidiary in Washington, DC, in the summer of 2014. Called Kaspersky Government Security Solutions, and known as KGSS, it was tasked, according to four former employees, with establishing closer relationships with government officials in the hope of securing more US federal contracts. The former employees said the company regularly handed over intelligence gathered by Kaspersky’s global network of researchers to US government officials as a way of currying favor with the US government. A Kaspersky spokesperson said the company had been doing business in North America since 2005, and that its technology had been certified by the National Institute of Standards and Technology as fully compliant with the Federal Information Processing Standard.
“There is a lot of good threat intel and threat research that the company made available to intel community and that was readily offered and accepted,” said Chris Doggett, a former president of Kaspersky Lab who worked with KGSS from its start in 2014 through December 2015.
He said KGSS “went through extensive efforts to have it be independent” from Kaspersky, saying they were “absolutely separate” but not giving specific examples in how the two companies set themselves apart. US intelligence officials, however, do not believe that to be the case.
The US intelligence officials BuzzFeed News spoke with said it did not appear Kaspersky or its subsidiary had any outstanding contracts in the US intelligence community. (Contracts within the US intelligence community are traditionally classified.)
Until recently, few officials even knew that Kaspersky was a GSA-approved product, let alone the scope of its use. One of the intelligence officials was visibly stunned when BuzzFeed News pointed out the longstanding contracts between Kaspersky and the State Department.
The Kaspersky issue has come up several times in recent closed meetings to the Senate Intelligence Committee, several officials said. In one instance, according to one official present at a recent classified briefing, Senate Intelligence Committee members were floored that Kaspersky products were approved for government use.
On March 30, the committee discussed Kaspersky during a hearing on Russia’s cyber operations. Senator Marco Rubio asked cybersecurity and national security experts testifying before the committee if they would put Kaspersky products onto any of their devices. General Keith Alexander, former director of the NSA, said, “I wouldn't, you shouldn't either. There are other US firms that answer and solve problems that will face you.” However, Thomas Rid, a professor at the Department of War Studies at King’s College London, argued that he would use Kaspersky, telling the senators, “Kaspersky is not an arm of the Russian government.”
Kaspersky, Rid added, has published information about Russia’s state-sponsored cyberattacks, while many US companies have refused to do the same in the US.
Officials are now left trying to figure out how Kaspersky’s cybersecurity products were ever cleared for use by the US government — and how to get them out.
As of Monday, Kaspersky cybersecurity products were still available for official use through the GSA’s website.