A pedestrian with a mobile phone in San Francisco on March 21, 2022. (David Paul Morris/Bloomberg)
The National Security Agency is investigating the extent that software made by the Russian cybersecurity company Kaspersky is embedded in U.S. businesses and organizations amid rising security concerns arising from Russia's invasion of Ukraine.
"I am still very worried about U.S. companies that are using Kaspersky," said Rob Joyce, the NSA's director of cybersecurity, in an interview in which he revealed the inquiry. "We think that is ill-advised with this global situation."
Some companies, including those in financial services, voluntarily abandoned Kaspersky antivirus products after the U.S. government banned the company's software from federal systems in 2017, citing espionage fears. But the company's products continue to be used in the U.S., what Joyce called "an installed base across random critical infrastructure and industry."
The Biden administration has repeatedly warned it has intelligence indicating Russia may carry out cyberattacks against U.S. critical infrastructure in retaliation for punitive sanctions imposed over the invasion of Ukraine. U.S. officials say they fear that Russia could use Kaspersky products to infiltrate key sectors of the American economy.
Following the February invasion, the U.S. Federal Communications Commission placed Kaspersky on a list of companies deemed a threat to national security, the first such Russian entity added. And some other countries, including Germany and Italy, have raised concerns about using Kaspersky or Russian cybersecurity products since the war began.
"As there has been no public evidence or due process to otherwise justify any actions against the company since 2017, Kaspersky believes any expansion of prohibitions or limitations are a response to the geopolitical climate rather than a comprehensive evaluation of the integrity of Kaspersky's products and services," a Kaspersky representative said, in a statement to Bloomberg.
Kaspersky, which says it protects 400 million users and 240,000 companies, is based in Moscow and has offices in the U.S., U.K. and elsewhere. Its executives have repeatedly denied having improper ties with the Kremlin or any other government and say they regularly cooperate with law enforcement to catch ransomware thieves.
In 2018, it lost a legal battle to bring a lawsuit against the U.S. government over its 2017 decision to ban federal agencies from using its software, a decision it argued was unconstitutional. In 2018, the company relocated its data storage and processing from Russia to Switzerland in a bid to allay concerns. Kaspersky said the recent FCC listing and German warning were made on "political grounds" and based on unsubstantiated claims.
Following Russia's invasion of Ukraine, Kaspersky Chief Executive Officer Eugene Kaspersky tweeted in March that his company is "in shock regarding the recent events" and has welcomed negotiations, hoping they can end hostilities and result in "compromise".
The NSA's Joyce said antivirus providers gain such sweeping access to systems that customers can't see their activities or understand the decisions they make. The NSA is also worried about "white label" services, in which Kaspersky software runs unbranded inside other products.
"So there are routers, for example, that come with a Kaspersky engine inside them, and it's not clear people understand that that's buried inside a product that looks U.S. or Western. So we're trying to understand where those risks are in the supply chain and where the biggest ones exist," Joyce said.
Kaspersky's anti-virus technologies have been integrated into more than 150 IT partner products, according to its website. Kaspersky has said vendors are responsible for publicly communicating any third-party products they use.
Reuters reported in March that the U.S. government began privately warning some American companies the day after Russia invaded Ukraine that Moscow could manipulate software designed by Kaspersky to cause harm. On Monday, Reuters reported that U.S. Commerce Department has ramped up an investigation into Kaspersky since the invasion of Ukraine.
