Is Kaspersky Labs a Security Threat to the US?

♠ Posted by Emmanuel in , at 7/27/2017 04:03:00 PM
Is Kaspersky anti-spyware...or is it Russian government spyware? That's the question for US state & local gov't users.
Arguably one of the best-known Russian companies in the world is Kaspersky Labs, the maker of anti-spyware software. Cheekily, you may say that if anyone knows how to spy on others online, it's the Russians given that the US presidency is currently enmeshed in several investigations involving Russian meddling in the 2016 presidential elections. Forthcoming additional sanctions against Russia (among others) aside, however, the commercial implications of alleged Russian spying are limited.

Consider Kaspersky, though. Given its line of business and the country it hails from, it's become something of a hot potato for government procurement Stateside in the anti-spyware arena. Given that the putative head of the US federal government is the president, you may be amused to note that it's the federal government and not local or state governments who have provided guidance against buying Kaspersky's stuff. From the Washington Post:
The federal agency in charge of purchasing, the General Services Administration, this month removed Moscow-based Kaspersky Lab from its list of approved vendors. In doing so, the agency’s statement suggested a vulnerability exists in Kaspersky that could give the Russian government backdoor access to the systems it protects, though they offered no explanation or evidence of it. Kaspersky has strongly denied coordinating with the Russian government and has offered to cooperate with federal investigators.
This action has left state and local governments in a quandary whether to follow suit in avoiding Kaspersky-branded products which some believe may open a backdoor for Russian state spies into US government activities:
The GSA’s move on July 11 has left state and local governments to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost. The lack of information from the GSA underscores a disconnect between local officials and the federal government about cybersecurity.
Interviews suggest that concerns in recent months from Congress and in the intelligence community about Kaspersky are not widely known among state and local officials, who are most likely to consider purchasing the Russian software. Those systems, while not necessarily protecting critical infrastructure, can be targeted by hackers because they provide access to troves of sensitive information.
Meanwhile accusations and denials are coming up think and fast among the company and its critics:
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said “it’s difficult, if not impossible” for a company like Kaspersky to be headquartered in Moscow “if you don’t cooperate with the government and the intelligence services.”

Kaspersky has worked to protect its image since the GSA decision. It said this month that it would be willing to turn over its software source code to federal investigators.
The gist of it all is that there is no evidence that Kaspersky Labs is in cahoots with Russian spies, or even that there is an alleged "backdoor" for these spies to exploit. Unless proven otherwise, this instance really is as fine as you'll get of "guilt by association"--flimsy circumstantial evidence of [i] a Russian firm [ii] marketing anti-spyware or even [iii] operating in Moscow are enough to label it guilty as charged.

I personally find Kaspersky cumbersome so I don't use it. However, you'd think there would have to be a higher burden of proof to conclusively order its discontinuance of use in US government offices than what has been provided thus far.