By Jim Finkle, Joseph Menn and Dustin Volz
(Reuters) – Eugene Kaspersky, the CEO of the Russian cybersecurity software firm that bears his name, had a big American dream.
He wanted his company to go beyond selling anti-virus software to consumers and small businesses and become a major vendor to the U.S. government – one of the world’s biggest buyers of cybersecurity tools.
Kaspersky set up a U.S. subsidiary, KGSS, in Arlington, Virginia that would be focused on winning that business. He sponsored flashy conferences with high-profile speakers – including Michael Flynn, who was briefly President Donald Trump’s national security adviser – sought to join U.S. trade groups and even underwrote programming on National Public Radio.
All of this was done to burnish Kaspersky’s image and help it become an accepted vendor for the U.S. government despite its Russian roots, according to people familiar with the strategy.
But Eugene Kaspersky was never able to overcome lingering suspicions among U.S. intelligence officials that he and his company were, or could become, pawns of Russia’s spy agencies. Kaspersky “has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said.
Kaspersky’s American ambitions were further eroded by the sharp deterioration in U.S.-Russia relations following Russia’s invasion of Crimea in 2014, and later when U.S. intelligence agencies concluded that Russia had hacked the 2016 U.S. presidential election.
Testifying before the U.S. Congress in May, U.S. intelligence chiefs for the first time publicly expressed doubt that Kaspersky products could be trusted.
FBI agents last month interviewed Kaspersky employees, asking whether they reported to Russia-based executives and how much data from American customers could be seen by Russian employees, according to three current and former employees. The FBI declined to comment on Thursday.
On Tuesday, the U.S. General Services Administration, the government agency that manages the federal bureaucracy, removed Kaspersky from a list of approved vendors, saying GSA’s mission was to ensure the security of U.S. government systems.
There is also a bill before Congress that would explicitly bar the Defense Department from using any Kaspersky products.
Kaspersky says his company is being targeted for political reasons.
“These reckless actions negatively impact global cybersecurity by limiting competition, slowing down technology innovations and ruining the industry and law enforcement agency cooperation required to catch the bad guys,” he said in a statement to Reuters.
The Arlington offices of KGSS were empty when a Reuters reporter visited them on Thursday. A Kaspersky spokeswoman said most of the staff, who number fewer than 10, often work from home.
The U.S. clampdown comes even though officials have offered no public evidence to suggest the company has done anything untoward or that the Russian government is using its software to launch cyber attacks.
Two former employees and a person briefed on the FBI case told Reuters that Kaspersky software has at times inappropriately inspected and removed files from users’ machines in its hunt for alleged cyber criminals, even when those files were not corrupted by viruses.
“Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations,” the Kaspersky spokeswoman said in an emailed response.
It is extremely rare for a company to be singled out for federal buying restrictions in the absence of clear evidence of wrongdoing.
“This sets a really dangerous precedent” where other nations could make similar, unsubstantiated claims against U.S. vendors, said Robert M. Lee, a former cyberwarfare operative for U.S. intelligence and now CEO of cybersecurity startup Dragos.
The Russian government has denounced the Kaspersky crackdown and said it does not rule out retaliatory measures. Officials at U.S. tech companies with significant operations in Russia say they fear they could become targets.
Federal contracting databases reviewed by Reuters show only a few hundred thousand dollars in purchases from Kaspersky, and an employee confirmed the company’s federal government revenue was “minuscule.”
But Kaspersky also sells to federal contractors and third-party software companies that incorporate its technology in their products, so its technology may be more widely used in government than it appears from the contracting databases, U.S. officials say.
Founded in 1997, Kaspersky grew rapidly through the 2000s to become one of the world’s leading anti-virus software companies. (Kaspersky’s global reach: http://tmsnrt.rs/2uWTQoV)
But the company was dogged from the start by suspicions about its ties to Russia’s Federal Security Service (FSB), the main successor to the KGB. Eugene Kaspersky attended a KGB school and the company has acknowledged doing work for the FSB.
As the company grew, Kaspersky was determined to overcome those fears.
“We have to be more American than Americans,” Kaspersky told Reuters in 2013, when a U.S. goodwill offensive began.
A cornerstone of the effort was a series of KGSS-hosted conferences in Washington where prominent U.S. officials including Flynn, a former Defense Intelligence Agency director, former CIA and NSA Director Michael Hayden and House of Representatives Homeland Security Committee Chairman Michael McCaul discussed cybersecurity issues.
The company privately courted U.S. intelligence and law enforcement officials by sending experts to brief them on nation-state hacking campaigns uncovered by the firm, according to people present at those meetings.
“They came to us and said, ‘We want to change our image, we know people don’t trust us’,” said one former senior Obama administration official who took part in some of those meetings.
But the suspicions never subsided. When the company sought to join one Washington-based technology trade organization, it was “politely told it couldn’t happen,” according to an industry source with direct knowledge of the matter.
The source said industry group officials had an inside joke: “Kaspersky (membership) is like having the Kremlin join.”
Not coincidentally, Kaspersky’s government sales effort never gained traction. In an email to Reuters, the company noted “complexities associated with doing business with North America’s government sector.”
Privately held Kaspersky said its U.S. revenue, most of which comes from selling anti-virus software to consumers and small businesses, slipped from $164 million in 2014 to about $156 million in 2016.
Some U.S. national security experts say Kaspersky is being treated unfairly. Lee said he has long been bothered by the “public shaming” of Kaspersky by people who make allegations without presenting evidence.
The U.S. government has the right to choose not to use Kaspersky products for any reason, he said, but “the way they are doing it” is wrong.
“I don’t believe in geographic restrictions that say, ‘Because Kaspersky is a Russian-based company, therefore it is bad,’” said former White House cybersecurity policy coordinator Michael Daniel. “You would want your decision to be based on actual corporate bad behavior.”
(Reporting by Jim Finkle in Toronto, Dustin Volz in Washington and Joseph Menn in San Francisco; Editing by Jonathan Weber and Ross Colvin.)