NEW YORK (BLOOMBERG) - The United States' National Security Agency (NSA) is investigating the extent to which software made by the Russian cyber-security company Kaspersky is embedded in US businesses and organisations, amid rising security concerns stemming from Russia's invasion of Ukraine.
"I am still very worried about US companies that are using Kaspersky," said Mr Rob Joyce, the NSA's director of cyber security, in an interview in which he revealed the inquiry. "We think that is ill-advised with this global situation."
Some companies, including those in financial services, voluntarily abandoned Kaspersky anti-virus products after the US government banned the company's software from federal systems in 2017, citing espionage fears.
But the company's products continue to be used in the US, in what Mr Joyce called "an installed base across random critical infrastructure and industry".
The Biden administration has repeatedly warned it has intelligence indicating Russia may carry out cyber attacks against US critical infrastructure in retaliation for punitive sanctions imposed over the invasion of Ukraine. US officials say they fear that Russia could use Kaspersky products to infiltrate key sectors of the American economy.
Following the February invasion, the US Federal Communications Commission placed Kaspersky on a list of companies deemed a threat to national security, the first such Russian entity added. And some other countries, including Germany and Italy, have raised concerns about using Kaspersky or Russian cyber-security products since the war began.
"As there has been no public evidence or due process to otherwise justify any actions against the company since 2017, Kaspersky believes any expansion of prohibitions or limitations are a response to the geopolitical climate rather than a comprehensive evaluation of the integrity of Kaspersky's products and services," a Kaspersky representative said, in a statement to Bloomberg.
Kaspersky, which says it protects 400 million users and 240,000 companies, is based in Moscow and has offices in the US, United Kingdom and elsewhere. Its executives have repeatedly denied having improper ties with the Kremlin or any other government and say they regularly cooperate with law enforcement to catch ransomware thieves.
In 2018, it lost a legal battle to bring a lawsuit against the US government over its 2017 decision to ban federal agencies from using its software, a decision it argued was unconstitutional. In 2018, the company relocated its data storage and processing from Russia to Switzerland in a bid to allay concerns. Kaspersky said the recent FCC listing and German warning were made on "political grounds" and based on unsubstantiated claims.
Following Russia's invasion of Ukraine, Kaspersky chief executive officer Eugene Kaspersky tweeted in March that his company is "in shock regarding the recent events" and has welcomed negotiations, hoping they can end hostilities and result in "compromise".
The NSA's Mr Joyce said anti-virus providers gain such sweeping access to systems that customers cannot see their activities or understand the decisions they make. The NSA is also worried about "white label" services, in which Kaspersky software runs unbranded inside other products.
"So there are routers, for example, that come with a Kaspersky engine inside them, and it's not clear people understand that that's buried inside a product that looks US or Western. So we're trying to understand where those risks are in the supply chain and where the biggest ones exist," Mr Joyce said.
Kaspersky's anti-virus technologies have been integrated into more than 150 IT partner products, according to its website. Kaspersky has said vendors are responsible for publicly communicating any third-party products they use.
Reuters reported in March that the US government began privately warning some American companies the day after Russia invaded Ukraine that Moscow could manipulate software designed by Kaspersky to cause harm. On Monday, Reuters reported that the US Commerce Department has ramped up an investigation into Kaspersky since the invasion of Ukraine.