Why U.S. Officials Are Worried About This Russian Firm

Marco Rubio, a Republican senator from Florida. He's sitting behind a wooden dais with the rest of the Senate's Intelligence Committee, and he's questioning a panel of America's most senior intelligence officials. To each of our witnesses, I would just ask, would any of you be comfortable with Kaspersky Lab software on your computers? Resounding note for me, No Senator, no sir, No Senator, no sir. This software from Kaspersky Lab that

none of these intelligence officials want on their computers. It's not just your run of the mill application. It's anti virus software that gets very deep access into our computers to protect us from hackers. Their software is installed all over the United States, in the computers of not just US ordinary consumers, but also in the computers of banks, power plants, internet routers, and even portions of the U. S. Government.

The intelligence officials in this hearing didn't specify why they Seekspersky Lab as a security threat, but the senators, once again without mentioning details, seem to be very concerned about the ties that the company has with Russia's own government, the very government that tried to influence and hack the

U S presidential elections last fall. Today, I'm going to give you a peek into Cospersky's connections with people inside Russia's intelligence services, relationships the company has tried to keep secret. It's an investigation and that we've been working on for about two years now. These are details that have never been reported on before. Hi am Aki Ito, and I'm Jordan Robertson. And this week on Decrypted, we're going to be introducing you to Kaspersky Lab and its founder and CEO,

Eugene Kaspersky in Russia. Eugene is a celebrity entrepreneur, one of the few really big names in Moscow's tech industry. He's built a huge business across the U S and Western Europe, which together make up more than half the company sales. Kaspersky himself has publicly denied working with the Russian government, and he's offered to answer senators questions and to make the company's source code available to the US

government to show that there's no cause for concern. But after listening to this episode, I think you'll understand why the US government thinks Kaspersky maybe vone are able to Russian government influence. Now, none of this is meant to suggest that Kaspersky has actually used its connections with the Russian government for malicious purposes. We do not have any

basis for believing them. But the combination of having relationships with people in Russian intelligence, as well as the ability to closely monitor large swaths of our digital infrastructure, is making American officials nervous, and other unusual things are happening too. According to one recent report, FBI agents visited the homes

of several Kaspersky employees here in the US. Kaspersky confirmed that FBI agents have had brief interactions with some of its US employees, but said the discussions were just due diligence chats. Plus, we'll please some tape that has never been aired before of using Kaspersky himself talking candidly on the record about his relationship with some Russian government officials.

Stay with us. So. Eugene Kaspersky was educated at a KGB sponsored cryptography institute, and he later worked for Russian military intelligence. But the reason he's famous is for his company, Kaspersky Lab. It was a company he started twenty years ago in the early days of anti virus security software, and it's made him a rich man. It's also made him the target of some of these congressional and intelligence

community attacks. Right he's viewed at home in Russia kind of the way we think about Mark Zuckerberg right here in the US he is. Here's how he's viewed in Russia. Well, he's a big boss. He's a renowned industry and business leader. That's Oleg Demodov, a Russian cyber warfare expert with a p i R Center, an international security research organization based in Moscow. You cannot often see him in some regularly

regular level conference or industry events. Ah. He appears in the public not so often, but he any any his speech, any his statement in his blog. AH. In many cases this is gonna be in the event Eugene is a boisterous, barrel chested guy in his fifties. I've met him a few times, and everyone who's met him will tell you the same thing. He's the life of the party. He's gregarious, quick with a joke, and you just get the sense

that this guy knows stuff that others don't like. He's plugged into places not a lot of other people are. And his company, Kaspersky Lab, has a big reputation too.

I can't tell you that in Moscow here, because Barresky Lab has been regarded is probably the most successful company in Russian information security cyber security sector, and that success all came from the anti virus software that the company sells, because Persky makes deals with retailers and PC makers to install it software on the devices, in some cases even before you buy it. And this part of Kaspersky's business is very large. It's what the company is most known for.

I sense a butt, but Kaspersky's technology is also pervasive in less obvious places. The company boasts some four hundred million users worldwide, but according to one person familiar with how the company counts users, as many as two hundred million of those probably don't know it. That's because of undisclosed licensing agreements that put the Kaspersky Lab anti virus system in things like Internet routers that power large corporate

networks and even critical US infrastructure. Kaspersky was founded in Moscow, but has quickly expanded its business to other markets. More than half of Kaspersky Labs revenue last year came from the U S and Europe, according to the research company I d C. And Eugene knows it's critically important that his clients in the West do not associate him too closely with his government, which of course has been actively

hacking political operatives across the US and euro app. Yes, but I do need to emphasize it's not just Russian companies that have to work with the Russian government. I don't think there's a tech company in the world that

can just refuse to cooperate with its home government. Right The Edwards Snowden revelations showed a pretty cozy relationship between the n s A and a lot of American tech companies, so it wouldn't be surprising at all two people in the industry if Kaspersky Lab had to keep some amount of contact with the Russian government complying with legal requests for information and that kind of thing. Those sorts of

requests are very routine and happened here in the US too. Um. But then there's the stuff that you've discovered in your reporting with our cybersecurity reporter Michael Reiley. Right. Our reporting shows that Kaspersky has maintained a much closer working relationship with Russia's main intelligence agency, the FSB, than Eugene Kaspersky has publicly admitted. We found evidence that Kaspersky Lab developed

custom security technology that the FSB asked for. Plus we've uncovered some joint projects between the company and Russian intelligence. Coming up, we'll hear the details on Jordan's and Mike's investigation. That's right after the short break. Hi, I'm Pagat Carrie, a producer Here on Decrypted. We hear a lot about the possibility that robots and algorithms could take away our jobs.

But how real is this threat? If you're seeing or experiencing automation at work, or suspect your job will be impacted, please get in touch with us. We want to hear your story, even use it for a future episode. Record a voice message on your smartphone and email it to decrypted at Bloomberg dot net. Before the break, we were just about have to hear the details of your investigation, Jordan with Mike. That highlighted some of the work that

Kaspersky has done for the FSB, So let's hear these details. So, my colleague Mike Riley and I recently reviewed internal emails from October two thousand nine, suggesting that at least back then, Kaspersky Lab had a close working relationship with the FSB. Now remember that's the main intelligence agency in Russia, right, And what did that relationship look like? These emails actually come from Eugene Kaspersky himself discussing a project with his

senior staff. The emails show that even back in two thousand nine, so again, eight years ago, Kaspersky was making custom software to protect the government's own network from any kind of external hack. And that doesn't sound that unusual, right, Well, it's one thing to make the software and sell it to the government, But the emails also discussed another type

of operation. Kaspersky Lab's own employees appear to have been physically accompanying Russian agents on these raids to locate people thought to be launching hacks or cyber attacks against the government, so not just tracking these hackers down from their offices, but actually riding along on the cop cars. Correct. Have you heard of this kind of thing ever happening before? No. Never.

We talked to lots of cybersecurity experts, and I've never spoken to one who's accompanied a federal law enforcement agent on an arrest. It's very common for private sector security companies here in the US to provide data on criminal hackers to the FBI, which then makes the arrest right And and what else did you find? Those emails, which I should remind everyone were written in two thousand nine,

mentioned two Kaspersky Lab employees by name. One of them was the Kaspersky employee going out on those raids with the FSP agents. In December, the Russian government arrested that man on treas and charges for alleged connections to get this U S intelligence, which is quite the twist. It is.

A senior Russian intelligence official was also arrested, and while we don't know the exact nature of the treason charges, what is clear is that the Russian government is paying very close attention to Kaspersky Lab and its employees for a company that claims to have no connections to the Russian government, having employees ride along on these raids sounds

very much like a connection. And as luck would have it, Mike and I actually broached some of these subjects with Eugene Kaspersky back in for a profile we did on the company for Bloomberg Business Week. Eugene Kaspersky agreed to let us record the interview, which was all on the record, and Jordan's this was the first time that you confronted Eugene Kaspersky with information you'd obtained back then about his

ties to Russian officials. Correct, and his answers were surprisingly candid, even though he'd later deny, saying some of it okay, So let's place some of that tape. Well, I'll play you this bit first. This is where Eugene Kaspersky suggests that his company's interactions with law enforcement, both in Russia and in other countries around the world, happened routinely. Well, actually, we're in touch with the wet us everywhere on the world.

We're in touch with the Center Police and cybersecuritiy UH. And in the Russia, the cyber police is for their low level cyber crime, and there was a serious attacks like carbon for example. This level it's ah FSB development, which is kind of DHS right side the side. So of course we've worked very close to them because there's

so much crime in Russia. But after quite openly talking about the work that he does with the FSB, Eugene Kospersky reverts to this favorite punch line of his, which is that he's closer to the FBI in America than he is with Russian authorities. He repeated a version of this on May eleven, where he said, and I quote, we don't have ties to any government other than paying taxes. We paid tax is in many countries as we are

a very international company. Here's the club. So there are rumors about our very special links in creaming we'll have. I'd like say that, of course we have in touch with these guys, but I think that in Israel, in in the United States, we have much better connections. This love enforcement And in this interview in Mike and I asked Eugene about this thing we heard about where he goes to the banya with members of the Russian military

and Russian intelligence. Is a Russian sauna that's right, And we wanted to ask specifically about this because if it's true, that would suggest he has friendly relationships with people in Russian intelligence. When I go to Bunnet, it's like a difference not only from the company, but we don't talk about business. There are those friends FSB, military generals or some of those, or military personnel. And therefore, did we have one guy there it's a friend of us, uh,

he's City diet As. He simply there because well, actually he was responsible for certification, so to get the military contract in the New States, in the Europe and the rest of the same, you have for positivetification. So we went to was that man for long years? Okay, so we've got through some of the details of your investigation, Jordan's with Mike that suggested Kaspersky Labs relationship with Russian intelligence is much closer than the company has publicly admitted.

So let's take off the main points. Sure. First, there's the information from the company's internal emails suggesting that Kaspersky Lab employees participated in raids with Russian agents. Then there's the employee who apparently went on those raids getting arrested by the Russians on treason charges. And of course there's Eugene Kaspersky himself telling us on the record that he goes to these Banya knights with his friends, some of

whom are Russian military and intelligence officials. So let's swim out to the geopolitical situation. Tensions are mounting, with Congress and the FBI looking separately into allegations that Russia was trying to influence the U S election. And it isn't

just a US. Russia's cyber operations have been getting increasingly aggressive in France, the Netherlands and Germany too, So Kaspersky's wide business network in the US, combined with a working relationship with the Russian government, is what's making officials here

in the US nervous. For them, even the possibility of Kaspersky's platform being used as a backdoor into computers, firewalls, and routers around the world is terrifying, although we don't have evidence that the company ever tried to do this.

And in a statement, Democratic Senator Jean Chaheen called the ties between Kaspersky and the Kremlin quote alarming, and she said it's because of that that the Congress and the administration thinks quote Kaspersky Lab cannot be trusted to protect critical infrastructure, particularly computer systems vital to our nations security, and that fear comes from the very nature of the

software that Kaspersky has installed on our computers. They would know the security posture and the security risk of their customers, so they would know if a certain customer is not very security oriented and has a lot of threats detected on its end points, they would get a snapshot of

what the architecture is somewhat like. That's Rob Westerfeld, who's an analyst with market research firm I d C. What Rob saying here is that Kaspersky Lab could easily find out which of its clients would be most vulnerable to an attack. That's enormously valuable in securing those systems or planning an attack. And let's be super clear here, this is all very hypothetical. There's absolutely no evidence that Kaspersky is misusing its access. That's right, it's just as potential

that's getting officials worried. There's always a risk there, and there could be a risk. That risk could be repeated by any security vendor. They could have a rogue employee that is doing that, and so you know, it's a virtually impossible for a security vendor to be probed extremely heavily in order to tell whether the level of that risk exists. Although in Russia many people blame the scrutiny Kaspersky Lab is under on politics, here's the security analyst.

Oh leg Again, people in Russia understand well why this is happening now, this is a kind of alarm is wideless bread in the American military communities, special services community, and tolist extent less extent law enforcement community with regard to Russia and the so called the Russian threat in cyberspace. So at the top of the show, we mentioned that FBI asians visited the homes of some of Kaspersky's US employees. Jordan,

would we know about this so far? Well, we don't know exactly why the FBI agents decided to make those visits. Reports say it has to do with a counterintelligence inquiry. And what does that mean? So counterintelligence means they're looking

for foreign spies right here in the US. That's pretty interesting. Now, that doesn't necessarily mean the FBI thinks that Caspersky employees themselves are involved in espionage, or even that they know anything about it, but for whatever reason, the FBI apparently thought it was worth the effort to pay them a visit. We also saw news of a Senate bill that will ban the Department of Defense from using Kaspersky software. The legislation said that Kaspersky Lab quote might be vulnerable to

Russian government influence. Now let's make this clear. It's not like the Pentagon us as much Kaspersky Lab software anyway, so the idea may not actually do all that much. But we recently reported at Bloomberg that Russia is threatening some kind of retaliation if this bill goes through. We don't have details on what kind of measures that could entail, but the threat from Russia shows just how important this one company could become. In response to this escalated concern

over Cospersky Lab, Eugene Coosperski himself went on Reddit. During the Senate hearing we've mentioned at the top of the show, he repeated the same message he's maintained for years, that the allegations are unfounded conspiracy theories and amount to simple

Russia baiting. Eugene Kaspersky said his only ties to the Russian government are the taxes his company pays and even went so far as to say that Caspersky Lab doesn't share any user data with any government, including Russian And by the way, we ask Spersky Lab for comment on our story today, they said, quote, Kaspersky Lap has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyber threats.

But it does not have any unethical ties or affiliations with any government, including Russia. And where do you think this is gonna go? What do you think it's going to happen next? Well, the latest development is Eugene Kaspersky has offered to give the US government his company source code for review. This is not an uncommon thing for companies doing business with the federal government, but many security

experts say it's not the point. Uh. The point, they say is that this software could be used for potentially malicious purposes independent of what's in the source code. And the reason is security software receives continuous updates, and if any of those updates are malicious, uh, the theory goes, the software could be used for for bad intentions. So Jordan's with the US relationship with Russia, where it is now, just tensions being higher than they have in a really

long time. Do you think a company like Kaspersky Lab even stands a chance in the federal government market. I think Caspersky Lab is going to find it very very hard to penetrate the US federal market, and they've all but acknowledged that this really isn't a market they're pursuing. However, on the consumer side, their software is actually really good at what it does, and it has the endorsement of a lot of cybersecurity professionals, so on that side they

still see potential for very very big growth. But really, what's happening here is just as the US doesn't buy missiles and other weapons systems from foreign countries, we're starting to see the same thing play out in the cybersecurity market, where if your security software is made by made in a country that is considered an adversary, you may not have great success here in the US. And that's it for this week's episode of Decrypted. Thanks for listening. Let

us know what you thought of the show. Please record a voice message and send it to Decrypted at Bloomberg dot net. Also, I'm on Twitter at Jordan's are one thousand and I'm at Akio seven. If you haven't already, please subscribe to our show wherever you get your podcasts, and while you're there, leave us a rating and a review. This really helps us find more listeners for a show. This episode was produced by Pia Gadkari Liz Smith at Magnus Hendrickson. Thanks to Nico Grant for his help on

this show. My business Week story was co written by Michael Reilly and edited by Jeff Muscus. You can read it at Bloomberg dot com, slash business Week, or in the New Business Week app. Alec McCabe is head of Bloomberg podcast. We'll see you next week.