Kaspersky Lab response clarifying the inaccurate statements published in a New York Times op-ed on September 4, 2017

“The company ardently believes a deeper examination of Kaspersky Lab will confirm that these allegations are unfounded, as Kaspersky Lab, and its executives, do not have inappropriate ties to any government. In addition, Eugene Kaspersky, CEO and founder of Kaspersky Lab, has repeatedly offered to meet with government officials, testify before the U.S. Congress and provide the company’s source code for an official audit to help address any questions the U.S. government has about the company.”

Below, the inaccurate assertions included in the op-ed are addressed point by point:

Inaccurate claim #1 -- “...threat is posed by antivirus and security software products created by Kaspersky Lab, a Moscow-based company with extensive ties to Russian intelligence.”

“Kaspersky Lab doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company. The only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it’s being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.”

“Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia. In addition, more than 85 percent of its revenue comes from outside of Russia, which further demonstrates that working inappropriately with any government would be detrimental to the company’s bottom line. These ongoing accusations also ignore the fact that Kaspersky Lab has a 20 year history in the IT security industry of always abiding by the highest ethical business practices and trustworthy technology development.”

Inaccurate claim #2 -- “The firm’s billionaire founder, Eugene Kaspersky, graduated from the elite cryptology institute of the K.G.B., the Soviet Union’s main intelligence service, and was a software engineer for Soviet military intelligence.”

“Eugene Kaspersky grew up in the Soviet era, when almost every education opportunity was sponsored by the government in some manner and military service was mandatory. After graduating from a prestigious Soviet high school with a focus in mathematics, he then studied cryptography at a university that was sponsored by four state institutions, one of which was the KGB. Upon graduating in 1987, he was placed at a Ministry of Defense (MoD) scientific institute, where he served as a software engineer. Serving as a software engineer was the extent of his military experience, and contrary to misinformed sources, he never worked for the KGB.”

Inaccurate claim #3 -- “But Kaspersky Lab has committed missteps that reveal the true nature of its work with Russia’s Federal Security Service, or F.S.B., a successor to the K.G.B. Bloomberg recently reported on emails from October 2009 in which Mr. Kaspersky directs his staff to work on a secret project “per a big request on the Lubyanka side,” a reference to the F.S.B.’s Moscow offices.”

“Regardless of how the facts are misconstrued to fit in with a hypothetical, false theory, Kaspersky Lab, and its executives, do not have inappropriate ties with any government. The company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime. In the internal communications referenced within the recent Bloomberg article, the facts are once again either being misinterpreted or manipulated to fit the agenda of certain individuals desperately wanting there to be inappropriate ties between the company, its CEO and the Russian government, but no matter what communication they claim to have, the facts clearly remain there is no evidence because no such inappropriate ties exist. The company's point-by-point public rebuttal may be found here: https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-response-clarifying-inaccurate-statements-published-in-bloomberg-businessweek-on-july-11-2017.”

Inaccurate claim #4 -- The McClatchy news service uncovered records of the official certification of Kaspersky Lab by Russian military intelligence, which experts in this field call “persuasive public evidence” of the company’s links to the Russian government.

“Regarding the McClatchy article, it was simply a mistranslation and lack of understanding by the journalist. In Russia, high-tech companies, including those headquartered domestically and outside the country, who want to sell their products to government bodies must obtain mandatory certificates issued by the Federal Service for Technical and Export Control (FSTEC) and the Federal Security Service (FSB). In the FSB, this certification is handled by the Center for Information Protection and Special Communications (CIPSC that also has a formal name of ‘Military Unit 43753’), which is also responsible for information security of highly critical government systems. Thus, CIPSC serves both as a certifying authority and as a requester for certification for internal procedures. This is why the older certificate has both Kaspersky Lab and ‘Military Unit 43753’ as holders. The new certificates (publicly available on Kaspersky Lab’s website) are assigned from CIPSC. CIPSC was certifying products for governmental use since early 1990s. Examples of other vendor’s certificates may be found here: Example 1, Example 2.”

Inaccurate claim #5 -- “The challenge to United States national security grew last year when the company launched a proprietary operating system designed for electrical grids, pipelines, telecommunications networks and other critical infrastructure. The Defense Intelligence Agency recently warned American companies that this software could enable Russian government hackers to shut down critical systems.”

“Kaspersky Lab’s products and solutions are designed to protect against cybercriminals and malicious threat actors, not enable attacks against any organization or entity. The company does not develop any offensive techniques and has never helped, or will help, any government in the world in their offensive efforts in cyberspace. Kaspersky Lab released a complete security solution that will help protect Industrial Control Systems and networks located around the world from cyberattacks. The systems controlling important operations involving electricity, water and manufacturing have been widely publicized as being extremely vulnerable to cyberthreats, and the Kaspersky Lab solution will help manufacturers and critical infrastructure operators, including those in the U.S, prevent a crippling cyberattack against these sensitive systems that everyone relies upon.

Kaspersky Lab is proud to work with governments around the world to protect their infrastructure and networks as well as collaborate with the authorities of many countries and international law enforcement agencies to fight cybercrime.”

Inaccurate claim #6 -- “When a user installs Kaspersky Lab software, the company gets an all-access pass to every corner of a user’s computer network, including all applications, files and emails.”

“Unlike in many other products, Kaspersky Lab users have control over telemetry (data) sharing with their participation in Kaspersky Security Network (KSN) being voluntary. In addition, business and government users may choose to install a local and private KSN center on their premises to make sure the data never leaves their facility. Also, all data processed and/or transferred is robustly secured through encryption, digital certificates, segregated storage and strict data access policies.”

Inaccurate claim #7 -- “Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the F.S.B. to monitor all of a company’s data transmissions.”

“Russia, and other countries, have implemented surveillance legislation aimed at stopping terrorist activities; however, those laws and tools are applicable to telecom companies and Internet Service Providers (ISPs). Kaspersky Lab does not provide communication services, thus the company is not subject to these laws and other government tools, including Russia’s System of Operative-Investigative Measures (SORM). Also, it’s important to note that the information received by the company, as well as traffic, is protected in accordance with legal requirements and stringent industry standards, including encryption, digital certificates, firewalls and more.”