One key thread of the investigation into purported Russian hacking gets unraveled today when a U.S. congressional committee kicks off hearings on the alleged espionage role of Russian security software maker Kaspersky Lab and its nerd genius founder/owner/CEO Eugene Kaspersky. It’s a probe that the current administration and the Republican Congress are eager to pursue, partly because it can embarrass their Democratic predecessors.
But more than just politics is at play here–there are serious questions about Kaspersky, with plenty of intrigue around its suspected ties to the Kremlin, as well as bipartisan concerns about why the Obama administration bought its products. After all, buying made-in-Moscow anti-malware software for the U.S. Defense Department does look like a bit of a head-scratcher in retrospect.
Since then, the firm has fallen into disfavor. Last month, the Department of Homeland Security banned Kaspersky products from all federal agencies (except the Pentagon, which is outside its jurisdiction). Consumer electronics chains Best Buy, Staples, and Office Depot followed suit, pulling Kaspersky products from their shelves. And anonymous National Security Agency leakers planted pungent though tangled stories in the press about the company. The Wall Street Journal reported that an NSA employee (or maybe contractor) had loaded sensitive documents onto his/her home computer, from whence Vladimir Putin’s spies filched them using the Kaspersky program installed there. The New York Times followed up with a tale of Israeli cyber-spies sneaking into Kaspersky Lab’s internal network, then alerting the NSA about back doors to the Kremlin it found there.
American national security experts are inclined to credit their government’s suspicion. “Without public evidence, its smoke but no fire. But it’s enough to encourage everybody to ditch Kaspersky,” Nicholas Weaver, senior researcher for networking and security at Berkeley’s International Computer Science Institute, tells Fast Company.
America’s word is not what it once was around the globe, though, and other spooks are begging to differ. Germany’s Federal Office for Information Security, or BSI, gave Kaspersky the all-clear earlier this month. “There are no plans to warn against the use of Kaspersky products since the BSI has no evidence for misconduct by the company or weaknesses in its software,” the agency told Reuters. (The Germans have not forgotten that it was Uncle Sam, not Russia, who bugged Angela Merkel’s cell phone a few years back.)
And global cop Interpol and regional subsidiary Europol broadened their collaboration with Kaspersky even as U.S. authorities black-balled him. An Interpol grandee decried Washington’s moves to “Balkanize” the international struggle with cybercrime. “The reality is criminals are working together,” Noboru Nakatani, director of the agency’s Global Complex for Innovation, told Reuters. “Do you think the governments or the good people are doing the same?”
Kaspersky Lab itself is vigorously defending its reputation via a battery of PR pros at its U.S. headquarters outside Boston. On the eve of its congressional grilling, the company announced a “global transparency initiative” whose cornerstone is “opening the source code of its software–including software updates and threat-detection rules updates–for independent review and assessment.” Eugene Kaspersky volunteered to testify on the Hill but was not invited, at least for the Science Committee’s opening hearing today.
Spy Vs. Spy
If Kaspersky has turned Russian spy, it must be unwillingly, people who know him say. Much has been made of young Eugene’s (or Yevgeny Valentinovich’s, as he was then known) roots in the Soviet security apparatus. Raised in Moscow, he went to college at the KGB Higher School, then entered military intelligence. But this was the 1980s, and the security apparatus was the only game in town for a math-gifted Russian youth. Eugene defected to private business as soon as such a thing existed, in 1991 at age 26.
His partner was his then-wife Natalya, who managed the shop while Eugene buried himself in the algorithms. “This was kind of a typical Russian couple where the woman has the people skills,” recalls one veteran Western investor in Moscow. “For Eugene, business and government were both beneath him compared to the technical beauty of the code.” Kaspersky had met and debugged a computer virus known as Cascade while in state service in 1989, and decided to focus on cybersecurity thereafter.
The marriage broke up–Natalya left for one of the company’s engineers, according to Moscow scuttlebutt–and Eugene learned to come out of his shell. He mastered English and secured a place among the geek universe’s more rousing conference speakers and wittier bloggers/ tweeters. “What just hit the fan?” he asks in an October 18 tweet. “FAQ about the recent false allegations in the U.S. media about Kaspersky Lab.” (The Boston crew admits that “native speakers” help the boss with his English idiom.)
Kaspersky showed world-class cybersleuth chops in 2010 by unmasking the Stuxnet worm that had wreaked havoc with Iran’s nuclear centrifuges, among other targets. The discovery enhanced his reputation, but may well have made enemies who are taking revenge now in the U.S. and Israeli security services, the presumed joint masterminds of Stuxnet.
Kaspersky has regularly intervened on the side of the good guys in cyberspace, too. In just the past few weeks, the Lab has tipped Adobe off to a new malware threat to its Flash software, and flagged ATM-busting software called Cutlet Maker for sale on the Dark Net. The company pulled in revenue of $644 million last year, basically by making software as good as that of competitors like Symantec, but cheaper, experts say. “Kaspersky offers a best-in-class product that is competitively priced for its performance,” says Sean Kanuck, a former head of cyber issues for the U.S. National Intelligence Council who will testify at the House hearing. Forbes estimates Eugene Kaspersky’s net worth at $1.3 billion.
The Window Closes On Modernization
But the geopolitical foundation that underpinned this success has eroded, to say the least. Kaspersky came of age business-wise as post-Soviet Russia opened to the West, and became a guru for talented countrymen who aimed to work globally on equal terms. “Back in 1997 we had a sauna in our office, and Eugene Kaspersky used to come to us for good steam and conversation,” recalls Pavel Cherkashin, who now lives in San Francisco and runs a venture capital fund called GVA Capital. “I got a lot of great business advice from him at that time.”
Kaspersky’s best shot at true globalization may have come in 2011, when a Connecticut private equity fund called General Atlantic agreed to buy Natalya’s 20% stake in the company for a reported $200 million, and move it toward an IPO. That was also the height of Russia’s “modernization” drive under President Dmitry Medvedev. He had recently broken ground on Skolkovo, the would-be Russian Silicon Valley outside Moscow, with massive promised multi-billion dollar investments there from Microsoft, Cisco, Boeing, and other American tech titans. Barack Obama and Hillary Clinton were holding to their Russia “reset” strategy and hoping for reform.
Then the window closed. Eugene Kaspersky bought back his ex-wife’s stake from General Atlantic in early 2012. A few months later, Putin reassumed Russia’s presidency, ending the modernization charade. Russia’s 2014 invasion of Ukraine and 2016 election fiddling have all-but returned relations with the West to a Cold War footing, and shrunk the space for a unique company like Kaspersky Lab to stay neutral. “Kaspersky has a direct financial interest in maintaining the company’s reputation, but the pressure from the security services can sometimes be pretty heavy,” says William Courtney, a one-time U.S. diplomat in Moscow who now monitors Russian cyber-strength for the RAND Corporation.
In fact, the Kremlin could peek at Kaspersky clients’ data without the company’s direct complicity, though they would have to have some idea of what they were looking for, Kanuck says. Russian telecommunications law requires providers, like those that presumably operate Kaspersky’s servers, to provide access to state security organs. “They may be owned by the FSB and not know it,” adds Kenneth Geers, a former NATO ambassador to Estonia and cyber-conflict scholar at the Atlantic Council, referring to the Federal Security Service, the KGB’s post-Soviet successor.
Confronting The Collision Between Tech And Politics
Kaspersky’s predicament may be extreme as the best-known tech brand from a country (Russia) that seems to be going out of its way to poison relations with the company’s top customers (Europe and the U.S.). But the whole tech universe must confront the collision between its ideal of borderless talent pools and markets with a political world that grows grouchier and more paranoid by the day. U.S. tech giants are widely assumed to have their own quiet dialogue with the Washington deep state, and be available in extremis for national security functions. For that matter, corporate labels say little about where modern software or hardware was really produced. “The box may say designed by Apple in California, but the code has been written by thousands of people in dozens of countries over decades,” Geers observes.
Without a “mature conversation” on how to ring-fence risk–for instance by requiring certain sorts of data to be held on servers in the user’s home country–cyber-diplomacy could degenerate into genuine Balkanization, Kanuck warns. “At a policy level, if the U.S. starts proscribing foreign vendors, we have to be ready for them to take a similar view of Microsoft, Cisco, or whoever,” he says.
Mature conversation is not the order of the political day just now, unfortunately. Watch the Kaspersky case carefully.
Craig Mellow is a freelance business writer and former Moscow correspondent.