Should You Believe the Rumors About Kaspersky Lab?

If you accuse me of stealing your new car, I have a lot of options to prove my innocence. I was out of the country at the time of the alleged theft. I don't have the car. Security cameras show it's sitting in a garage. And so on.

But if you accuse me of hacking in and stealing the design documents for your new car, things get dicey, especially if you start a whispering campaign. Neil sometimes consorts with known hackers (true). Neil regularly meets with representatives of foreign companies (true). Neil maintains a collection of all kinds of malware, including ransomware and data-stealing Trojans (true). Neil has the programming skills to pull off this hack (I wish!).

After a while the original accusation doesn't even matter; you've successfully damaged my reputation. And that's exactly what seems to be happening with antivirus maker Kaspersky Lab.

You can find any number of news articles suggesting improper activities by Kaspersky Lab. The US government removed Kaspersky from its list of approved programs and, more recently, added it to a list of banned programs. Best Buy dropped Kaspersky products from its stores. Kaspersky has hired security experts who previously worked for the Russian government. Kaspersky is a Russian company, darn it!

The list goes on, but what's impressively absent is any factual evidence of security-related misbehavior. To get a handle on this situation, I asked for thoughts from security experts I know, both in the US and around the world.

A moment of disclosure, first. While I wouldn't say I know him well, I have certainly met Eugene Kaspersky and been impressed by his knowledge. I follow him on Twitter, and he follows me. I've even ridden a tour boat with Eugene (and others) into McCovey Cove during a Giants game. Go Giants!

Anti-Russian Antivirus Hysteria

Graham Cluley has been in the computer security business for almost as long as there has been a computer security business. He worked at Dr. Solomon's back in the day, briefly toiled at McAfee, and then represented Sophos for many years. He's now an independent security expert with a popular security blog and podcast series. Cluley worries that the rumors about Kaspersky are, at least in part, a smear campaign, fueled by anti-Russian hysteria.

"I've seen no evidence of Kaspersky having any inappropriate interaction with the Russian government," said Cluley, "and no one seems to have presented any evidence of its software putting its US customers at risk. What I have seen are non-Russian security companies taking advantage of the current smear campaign against Kaspersky to promote their own solutions, which I find rather distasteful."

Cluley noted that anyone worried about software from Russian developers should be equally concerned about large amounts of "technology used throughout American homes and businesses which rely upon—for instance—Chinese developers and manufacturers."

"Unless convincing evidence is presented to the contrary," concluded Cluley, "my belief is that Kaspersky is the unfortunate victim of anti-Russian hysteria."

Put Up or Shut Up

Fahmida Rashid, a security expert who's both a friend and a former PCMag colleague, wrote an in-depth piece about Kaspersky Lab for CSO Magazine. The article goes into careful detail about the accusations against Kaspersky Lab and Eugene Kaspersky, and the absence of any damning proof. I asked her about Best Buy dropping Kaspersky from its in-store lineup, a development that occurred after her article came out.

"Best Buy is allowed to make its own decisions on what to sell or not to sell," noted Rashid. "Unlike the federal government, the retailer doesn't have to explain why it severed ties with a vendor. That said, this decision looks like a marketing decision and not a technical one. Someone in Best Buy is nervous about the negative headlines battering Kaspersky Lab and decided to pull the software off the shelves so that they don't get concerned phone calls from consumers.

"If Best Buy really was concerned about the potential dangers of Kaspersky software," she continued, "it would have explicitly warned past customers to uninstall the product, or publicized the refund/exchange policy more broadly. This is about Best Buy hoping that consumers don't call the company asking why there are Russian-made products on the shelves. This is all optics.

"If you are going to make a stand, be explicit and bold about it," she concluded. "Silently removing products from the shelves and hoping no one notices—and then refusing to discuss why—is just cowardly."

Along those lines, another of my contacts who prefers to remain nameless posited a completely different reason for Best Buy dropping the Kaspersky product line. This summer, the company introduced Kaspersky Free, a no-cost antivirus that encourages users to upgrade to Kaspersky's security suite, an online purchase directly from Kaspesky. I can see how a retailer might resent that move.

It's Not Us Against Them

For years, Simon Edwards managed the grueling anti-malware tests performed by London-based Dennis Labs. More recently, he's taken the helm as founder and CEO of SE Labs, testing security products for consumers, small businesses, and enterprises. Like me, Simon knows just about everybody in the industry. He finds the Kaspersky rumors (or, as he would have it, "rumours") hard to swallow.

Regarding the accusation that Kaspersky products spy on users, he pointed out, "Modern anti-malware products are often in frequent communication with their supporting cloud servers. To maintain the security of their users, they encrypt traffic that flows between their servers and their software. This means that it's hard to know the nature of the data being sent and received."

Hard isn't impossible, though. With enough resources, that traffic could be decrypted. "It would be commercial suicide for a security company to systematically steal data or otherwise compromise its customers," said Edwards. "It would be an extraordinary move, and extraordinary claims demand extraordinary evidence.

"It's also important to understand that the global security community is relatively small," Edwards pointed out. "People who used to work for Russian security companies, in Russia, may now work for American security companies, in America. The same applies in reverse. It seems very simplistic to characterize a company as being 'them' or 'us' when the experts that power these businesses are from all countries in the world, and move between companies regularly."

I can certainly vouch for that. Many of the people I know in the industry have worked for three, four, or more different security companies in the US and Western Europe, as well as in Russia and Eastern Europe and all over the world.

We Protect Consumers; So Does Kaspersky Lab

When I first met Dennis Batchelder, he was the Director of Program Management for antivirus matters at Microsoft. After more than eight years in that position, he founded AppEsteem, a company devoted to eliminating the practice of bundling unwanted (or even malicious) software along with the software you chose to download. He boiled down his Kaspersky comments to a few simple points.

• Kaspersky protects consumers, and they do a damn good job of it.
• As long as Kaspersky is committed to protecting consumers, we're committed to working with them to help them better protect consumers from deceptive software.
• We'd stop working with them if we received evidence that their relationship with the Russian government caused consumers to be hurt.

Clearly Batchelder has seen no such evidence.

Embedded in Sensitive Areas

One of my long-time contacts really wanted to share information with me, but absolutely could not have his name or company name mentioned. I'll call him Deep Throat. Briefly, he sees no evidence to connect Kaspersky with spying, hacking, or other malfeasance, but worries that the security industry will become increasingly politicized.

Recommended by Our Editors

Kaspersky Denies Close Ties to Russian Intelligence

"I have known Eugene and many of the staff at Kaspersky for many years," he said, "and I have never had any reason to believe they are engaged in anything suspicious with regard to their software. Eugene and others have demonstrated that they are reliable experts, fighting the same fight as myself and thousands of others."

Deep Throat continued, "The problem is that to do business in Russia...Well, you have to comply with whatever rules are imposed on you. I can't imagine not having interference from the Kremlin if you are a $1B+ company. That doesn't mean back doors, but it is hard to know what it might mean."

His own opinion is that "whatever is going on in the US is politics and likely nothing more," but that politics is encroaching into the security industry. "We are embedded in incredibly sensitive areas of computer networks around the world. Now that nation-state hacking is an everyday occurrence, there will be suspicions about your adversaries planting flaws. We saw the same kind of suspicion about Huawei a few years ago."

Deep Throat concluded on a sobering note. "The other option is that the NSA has detected some sabotage and is ringing some quiet alarm bells. I hope not." I hope not, as well. If they have real evidence, they should trot it out.

Kaspersky Lab Responds

As expected, Kaspersky Lab denies any inappropriate ties to the Russian government and all accusations of spying or other illicit activity. In an official release, the company stated, "[Kaspersky Lab] doesn't have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against Kaspersky Lab. The only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it's being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts."

Eugene Kaspersky himself has offered to testify before any relevant committees, and make the source code for security products available, so that experts can perform a detailed audit. So far, US agencies haven't taken him up on either offer. According to the release, "Kaspersky Lab has only received a general reply from one agency."

In response to the Department of Homeland Security's ban on Kaspersky Lab software, Eugene Kaspersky tweeted, "When politics use the news to shape facts, no one wins." He also referred to the ongoing slew of allegations as a new "Cold War witch hunt."

The company's official response to the DHS ban: "Given that Kaspersky Lab doesn't have inappropriate ties with any government, the company is disappointed with the decision by the US Department of Homeland Security (DHS), but also is grateful for the opportunity to provide additional information to the agency in order to confirm that these allegations are completely unfounded."

The Evidence, Please

Kaspersky Lab has the biggest market share of security vendors in Europe. Globally, it's the fourth-largest antivirus company by revenue, and 85 percent of its revenues come from outside Russia. Collaborating with the Russian government would put that global success at risk. It would be corporate suicide. That doesn't mean that it's an impossible scenario, but I can't believe it without hard evidence.

If Kaspersky products send private information to the Kaspersky Lab cloud, even in encrypted form, the NSA's cryptanalysts and security scientists should have no trouble decoding that activity. A full audit of the source code for Kaspersky products could prove or disprove allegations. I, for one, would be fascinated to see Eugene Kaspersky interviewed by a Senate committee or other government agency. None of this has happened.

Yes, Eugene Kaspersky has met Vladimir Putin. And Elon Musk has met Donald Trump. When your company is big enough, you hobnob with the government. Until I see some hard evidence to back up the rumors about Kaspersky, I'll treat them as rumors and nothing more. I'll continue to recommend products such as Editors' Choice Kaspersky Anti-Virus.

How a VPN Works