“Any major cybersecurity company will have a relationship with the intelligence agency in its country,” he says. “If Kaspersky was based in Manchester, it would have a connection with British intelligence.”
The difference with Kaspersky and Russian intelligence, Galeotti says, is in the “nature” of the relationship.
Emails from 2009, obtained this summer by Bloomberg, revealed that a project led by Igor Chekunov, Kaspersky Lab’s chief legal officer and a former member of the KGB, had developed security technology for the FSB.
The relationship was also on display in court documents published this year on the Facebook page of a Russian hacker, Konstantin Kozlovsky. One document, from April 2015, revealed a joint operation between Kaspersky Lab and the FSB to ferret out cyber criminals that, damningly, was run on Kaspersky premises.
“The main thing here is that Kaspersky staff acted not as experts, but as participants in an FSB operation,” says Andrei Soldatov, a Russian journalist and co-author of “The Red Web.”
A cold wind
Until recently, Kaspersky’s close connection with the FSB was not a major worry in the United States.
As Soldatov explains, prior to allegations that it interfered in the 2016 U.S. presidential elections, the FSB was well regarded in the West. In the war against terror, the agency was viewed as an ally, especially after it tried to warn the United States about the Boston bombers.
That changed after Russia annexed Crimea from Ukraine in 2014 and relations with the West spiraled.
“What we have seen, especially since 2014, is a vastly more confrontational global situation as Russia takes on the West, and with that, the increasing importance of cyber-espionage,” Galeotti says.
Eugene Kaspersky, too, has addressed that shift. “We felt a cold wind started to blow in 2014,” he said in October of his business in Western Europe and the United States.
U.S. authorities now worry that, as Russia was gearing up to launch its cyberwar ahead of 2016, Kaspersky — whether by choice or not — helped the Kremlin prepare.
In September, The Wall Street Journal reported that, in 2015, Russian hackers obtained National Security Agency (NSA) hacking tools. According to The New York Times, Israeli hackers had breached Kaspersky Lab and, finding the NSA code, alerted the agency.
Although it is not publicly known how Russian hackers obtained the NSA information, investigators believe they exploited the Kaspersky antivirus software installed on an NSA employee’s home computer.
This month, Trump signed a bill into law banning Kaspersky products from U.S. government machines. The move followed a warning from the U.S. Department of Homeland Security (DHS) that the Russian government could — acting independently or in concert with the cybersecurity firm — “capitalize on access provided by Kaspersky products.”
Kaspersky denies that the firm has helped the FSB in cyber-espionage. In a statement to Bloomberg this summer, the company said it “does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime.”
Structural impediments
Whether or not Kaspersky believes his company has helped the FSB spy, however, might be beside the point.
There are legal structures in Russia that render the work of cybersecurity companies transparent to the FSB, says Soldatov. As he puts it, for cybersecurity firms based in the country, the agency is “impossible to escape.” That’s because encryption developers are required to procure a license from the FSB that “allows the agency access to everything they do.”
There are also laws that allow the Russian government to surveil the country’s internet service providers through a system called the System of Operative-Investigative Measures, or SORM. In October, an American industry official who was briefed by the FBI on Kaspersky Lab pointed to that system as a key concern.