Kaspersky controversy: U.S. intelligence heads warn not to trust Russian security company; KGB-trained CEO stands by record
SAN FRANCISCO -- At the Healthcare IT News and HIMSS Privacy and Security Forum, CynergisTek CEO Mac McMillan said Kaspersky Lab's technologies are widely deployed throughout the world, have been around for two decades and "are at the heart of a lot of things."
McMillan’s comments came in reaction to news that federal investigations have been launched into the company, specifically its relationship with Vladimir Putin's regime.
The increasingly fraught relationship between Russia and the U.S. has deepened concerns among some intelligence officials that Kremlin spies could exploit Kaspersky Lab software "to snoop on Americans or sabotage key U.S. systems," according to a recent ABC News report.
And while McMillan wouldn't weigh in one way or the other as to the validity of the intelligence community's concerns, he said any technology is at least potentially vulnerable to exploitation.
"Are there backdoors, are there things that other actors can take advantage of? We know it's possible. To think it's not is naive," said McMillan. "I never say never. As long as geopolitical interests are involved, just about anything is possible."
McMillan said Kaspersky's technology has generally been solid, and that includes products used by the government and private sector.
The software is installed on 400 million computers worldwide, and Kaspersky tools are deployed at 270,000 organizations globally. It has a healthcare security division, with U.S. hospital clients.
Because its products are deployed so widely, "if this turns out to be true it's going to be devastating in a lot of ways," he said. "It's going to call into question all manner of programs and systems."
U.S. intelligence officials concerned about Kaspersky
At a Thursday hearing of the U.S. Senate Select Committee on Intelligence, Sen. Marco Rubio, R-Florida, asked a panel of top intel chiefs a pointed question.
"Kaspersky Lab software is used by hundreds of thousands, millions of Americans," said Rubio. "To each of our witnesses, I would just ask: Would any of you be comfortable with Kaspersky Lab software on your computers?"
The panel – including Acting FBI Director Andrew McCabe, CIA Director Mike Pompeo, Director of National Intelligence Dan Coats, NSA Director Admiral Michael Rogers, Defense Intelligence Agency Director Lt. General Vincent Stewart and Director of the National Geospatial-Intelligence Agency Robert Cardillo – was unanimous in its response.
"A resounding 'no' from me," said Coats.
The others at the table responded similarly:
Eugene Kaspersky trained at a KGB-founded university
Coincidentally, Kaspersky Lab Founder and CEO Eugene Kaspersky participated in a Reddit "Ask me Anything" session that very morning – where a questioner presented him with the intelligence officials' comments.
"I respectfully disagree with their opinion," he said – adding that he was "very sorry" the intelligence community felt they couldn't use his software "because of political reasons."
He also brushed off allegations of Russian influence on his company as "unfounded conspiracy theories."
ABC News reported that the Senate intel committee had sent a "secret memorandum" to Coats and U.S. Attorney General Jeff Sessions that "raised red flags regarding Kaspersky's ever-growing market presence on the U.S. market, including in U.S. critical infrastructure, where its security software is often found installed."
It also reported that, earlier this year, the U.S. Department of Homeland Security drew up its own secret report on Kaspersky, which in turn caused an FBI investigation into its relations with the Russian government.
Before founding his company in 1997, Kaspersky himself was trained at a KGB-affiliated school and worked as a Soviet intelligence officer. A 2012 profile of him by WIRED alleged that he still "has deep ties to the KGB’s successors in Moscow."
But as one Gartner researcher put it: "There’s no evidence that they have any back doors in their software or any ties to the Russian mafia or state. It’s a red herring, but there is still a concern that you can’t operate in Russia without being controlled by the ruling party."
In a press release this week, Kaspersky Lab countered that, as a private entity, it "has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts."
Kaspersky Lab products "do not allow any access or provide any private data to any country’s government," it continued, and customers "have full control over telemetry" (data sharing) and can disable it completely at any time.
Moreover, "Kaspersky Lab routinely attains licenses and certifications from the countries it operates in, including one from the U.S. National Institute of Standards and Technology, certifying the company’s encryption technologies for businesses as fully compliant with the Federal Information Processing Standards (FIPS) 140-2," according to the statement.
Finally, the company promised to make itself available to "assist all concerned government organizations with any ongoing investigations."
Security: Who can you trust?
Before co-founding CynergisTek, McMillan held multiple top-level positions in the U.S. government. He served as director of security for two Department of Defense agencies and was designated accreditation authority for several sensitive network and information system deployments worldwide. He also served as an intelligence officer and lieutenant colonel in the U.S. Marine Corps.
"I don't ever trust any (product) that comes from a foreign country; I don't even trust anything that comes from an ally," McMillan said. "Because of the things I've seen and heard about and learned about in my career over the years, if it isn't built here, I'm generally not a fan of it."
McMillan said that applies specifically to co-location hosting sites, because at least if they are on American soil, they are subject to U.S. laws rather than the whims of some government that may or may not respect similar laws.
"We advise our hospitals all the time: Keep it in America. At least if that data center is on American soil, I know it's subject to our laws, our control," he said.
"Putting massive amounts of data in India or China or Russia, or states that have demonstrated that they don't respect those things is crazy. It's taking unnecessary risk," he added. "Vendors come to me all the time from places like Israel, and I don't even entertain them -- and they're an ally."