Kaspersky US government ban - what are the reasons behind the decision?
Kaspersky US government ban - what are the reasons behind the decision?

Today Eugene Kaspersky was due to argue his case against a ban by the US government on buying Kaspersky products due to their potential use in spying, and the presumed ability of the Russian government to enforce cooperation from Kaspersky. Specific reasons or evidence were not given. The meeting was postponed and did not happen.

In an email to SC Media UK Eugene Kaspersky commented, I look forward to participating in the hearing once it's rescheduled and having the opportunity to address the committee's concerns directly." 

In response to a request for comment his office also forwarded SC an official Kaspersky Lab company statement regarding the ban, saying: “Kaspersky Lab is disappointed that the US Senate passed the Defense Authorization Act with an amendment focusing on the company, given that Kaspersky Lab is fully committed to fighting cyber-crime and doesn't have unethical ties to any government. Kaspersky Lab will respond to DHS' (Department of Homeland Security) binding operational directive shortly, and the company ardently believes Congress should review that response before considering any action. Digital security is a global issue, as cyber-threats aren't restricted by country borders, and determining security risks based on inaccurate information and companies' countries of origin, only makes everyone more vulnerable by limiting the availability of the most robust and protective solutions on the market. With the recent US government actions affecting the company, Kaspersky Lab greatly appreciates the opportunity to directly refute the false allegations and inaccurate assumptions during congressional testimony on September 27.” 

The Kaspersky case is essentially that no one has presented any evidence of wrong-doing by Kaspersky Labs, it would be commercial suicide for the company to put back doors into its software at the behest of the Russian government, and it is willing to cooperate with US authorities to inspect its source code.

The case against has various elements. There is an ongoing suspicion by many in the US of all things Russian, and Kaspersky Labs in particular, and specifically Eugene Kaspersky too, given that he graduated from The Technical Faculty of the KGB Higher School.  If this were the only reason for the ban then it would appear unjustified. While accusations of collusion with Russian spies and contacts within the company have been raised, revelations to date have not been beyond the collusion between state and industry seen with the US cyber-security industry.

Certainly, ‘being Russian' was seen as the main factor by some commentators such as Graham Cluley who criticised McAfee advertising its wares as a replacement for Kaspersky products on the basis of the US government ban – rather than arguing the merits of its products. 

However, there is also the realpolitik of global politics. Just this week the US Department of Homeland Security has been telling US states which ones have had their elections subverted by Russia, there appears to have been Russian interference in the Presidential election, and the Russian government or its proxies have been active in targeting elections elsewhere, as well as other organisations such as WADA (World Anti-Doping Agency), and even industrial espionage in the attacks on power stations in Ukraine.  Both Russia's capability and willingness to engage in cyber-espionage – and actual practice of cyber-espionage - are beyond dispute according to western intelligence agencies – and using a company subject to Russian government pressure to supply cyber-security products thus appears unwise at best.

Then there is also the basic principle of reciprocity in global trade.  As reported in SC, Russia has been seeking to reduce its dependence on western technology, especially software, and cyber-security systems in particular. Not only is the government banning government use of foreign-owned software, but also state institutions have been told that the government cannot now work with companies running foreign software because that represents a risk for national cyber-security.  Effectively, even private companies in Russia cannot use non-Russian software if they want to do business with the government.

A Reuters report this month has Interfax news agency quoting Russian President Vladimir Putin telling a meeting with Russian technology producers: “In terms of security, there are things that are critically important for the state, for sustaining life in certain sectors and regions. And if you are going to bring in hardware and software in such quantities, then in certain areas the state will inevitably say to you: ‘You know, we cannot buy that, because somewhere a button will be pressed and here everything will go down.” Presumably that applies to the US using foreign software?

Not reported by Reuters, but noted by observers of the Russian software market, the restrictions are even more severe, as,  for software to be approved by the Russian authorities. it is necessary for exclusive world-wide rights to be in the control of a Russian citizen or organisation. The software also needs to be tested and approved for use, handing over the intellectual property to the approval body.  And just to make appearances worse for Kaspersky, Eugene Kaspersky's former wife, Natalya Kaspersky, is a member of this approval body – though she is a respected member of the Russian cyber-security industry, active on several other public and private bodies in Russia.

For some, there's no smoke without fire.  For others that phrase smacks of witch-hunts and smear campaigns.

It could be that Kaspersky is simply the victim of anti-Russian prejudice or it could be collateral damage in a game of global power politics - or there may be specific information that is not being put in the public domain, or indeed simply on the basis of the above situation, the US sees no reason to do business with a Russian owned company. 

No one is questioning the quality of Kaspersky products – which do a great job, nor – publicly – the proven activities of the company which engages in wider efforts to fight cyber-crime.  

The problem with commenting on decisions based on intelligence agency input is that they are the ones with the intelligence, which they tend not to make public, thus outside observations are made without having all the facts. 

In non-democracies the intelligence services simply serve the interests of those in power whereas in a democracy they should work on behalf of us all, who are at liberty to hold them to account so far as we can with our limited knowledge.  That does mean that you do then get the conundrum of how to safeguard democracy against those who play by a different set of rules.

So, can someone tell us, what is basis for the decision?  It may be perfectly reasonable given some of the things Russia is doing, as described above, but it's hard to know unless you tell us.

Further news:

The French Ministry of Armed Forces is also now reported by L'Express to be considering dropping Kaspersky products following a warning from the French intelligence services. Hacking against Emmanuel Macron during the French presidential election, presumed to be by Russians, further reinforced mistrust of Moscow. The Joint Directorate of Infrastructure Networks and Defence Information Systems (Dirisi) has excluded Kaspersky in several recent calls for tenders.