Is Kaspersky still safe to use or does it pose a cyber security threat?

Kaspersky Internet Security software
(Image credit: Getty Images)

Kaspersky is one of the oldest names in the antivirus game, founded in 1997, but has recently gone through several rounds in the PR boxing ring. This is in no small part due to the geography of its head office – Moscow, Russia.

Questions around Kaspersky have been raised over the last few years, including whether the firm has ties to the Russian government in any capacity, and whether the products are vulnerable. While these concerns have rumbled for some time, Russia’s invasion of Ukraine has thrown them into the spotlight.

Cyber security authorities from countries including the UK and the US have lined up in recent days to dissuade businesses from using Kaspersky’s products. This may prompt many organisations into asking whether Kaspersky’s products are, ultimately, safe to use. Arriving at a definitive answer, though, is far from straightforward.

Serious allegations, severe real-world consequences

Since the invasion, Germany, the US, and the UK have all released separate advisories warning businesses of the alleged risks of using Kaspersky’s products. The perceived heightened risk of Kaspersky, now war has broken out, essentially stems from the legal obligation for Russian-based businesses to comply with requests from the Russian Federal Security Service (FSB). A similar law exists in China and has largely underpinned the West’s discomfort around companies like Huawei.

Such highly official and serious stances, adopted by several governments in a coordinated manner, are rare, and send an explicit message. Germany was the first to go public with its concerns that Kaspersky could be compelled into carrying out cyber attacks against Russia’s enemies, at the behest of the Kremlin. Within days, both the US and UK also released their own statements suggesting similar scenarios and warning businesses against using the company’s products. The US went a step further, though, by making Kaspersky the first Russian addition to the FCC’s blacklist, joining the likes of Huawei and ZTE, officially branding it a threat to US national security.

What Kaspersky is most aggrieved with is the lack of evidence each government has presented in its respective advisories. A Kaspersky spokesperson, indeed, told IT Pro in March these advisories were “not based on any technical assessment of Kaspersky products” and “made on political grounds” – a statement the firm has reiterated since.

A history of alleged Russian ties

To suggest Kaspersky has been viewed with suspicion in recent years would be an understatement. Despite analyst house Gartner saying in 2012 there’s no material evidence to suggest Kaspersky is malicious in its products or behaviours, or has ties to the Russian government, that did little to quell a wave of allegations against the company since.

RELATED RESOURCE

Introducing the zero trust edge model for security and network services

Get a better understanding of emerging zero trust solutions

FREE DOWNLOAD

The US has been particularly persistent in scrutinising Kaspersky, across several administrations, but it arguably all came to a head in 2017. High-profile US media organisations made a number of serious allegations against the company at the time which set in motion a catastrophic chain of events for Kaspersky.

Chief among them was the Wall Street Journal alleging in October 2017 the company’s products were used by Russian state-affiliated hackers to steal hacking tools used by an NSA contractor. Kaspersky vehemently denied these allegations, countering with the assertion the NSA contractor in question accidentally leaked their tools to Kaspersky during the course of normal use of its antivirus product.

Weeks later, the UK’s MI6 expressed concern over Barclays distributing Kaspersky software to more than two million of its online banking customers free of charge. These concerns soon led to Barclays halting its free software initiative, and prompted the NCSC to issue a warning against using Kasperky products at the government level.

Before the year was out, the Trump administration later approved a law banning Kaspersky products across federal and military systems – an order over which Kaspersky unsuccessfully tried to sue the US government.

The move catalysed a global shift in attitude towards the cyber security company. Following the announcement, Lithuania announced a similar ban, as did the Dutch government six months later. The EU officially branded Kaspersky “malicious” and the company, arguably, has since never managed to shake this onslaught of negative PR.

Its tainted image also hasn’t been helped by the fact that its CEO, Eugene Kaspersky, was a former member of the Russian military and was also educated by a KGB-sponsored school through which he earned a technical degree.

What does this mean for Kaspersky products?

With numerous strands to this tale, there’s a lot to unpack. What’s notable is the lack of evidence made public supporting the recent allegations against Kaspersky. Although the claims haven’t been substantiated publicly, governments often withhold such information on national security grounds.

It might also be argued this situation has been fuelled by longstanding geopolitical tensions between the US and its allies, and the Russian and Chinese governments. Both Kaspersky and Huawei were banned by the Trump administration on the basis of alleged ties to the Kremlin and the Chinese state respectively. The principles of these bans were eventually mirrored in domestic laws and initiatives elsewhere. Both the UK and US said Huawei’s infrastructure needed to be ripped out to preserve national security, while concerns around Kaspersky, as we’ve mentioned, go back to 2017 when the NCSC warned against using Kaspersky products at the government level – something it recently repeated in March 2022.

Kaspersky defended itself when the US initially banned it in 2017, but it’s curious it didn’t launch legal action against the Wall Street Journal after the newspaper alleged it stole NSA hacking tools. You could argue that Kaspersky didn’t want to damage its reputation by taking on a well-respected member of the free press, but if the claims were wholly untrue, then you would expect it to follow up in some way on the grounds of defamation.

Without access to information or intelligence likely held back from the public, it’s difficult to say with certainty if Kaspersky products are safe to use, just as we cannot definitively say Huawei is trustworthy either. Governments, when pressed for proof, have been unwilling to provide it in either case. All we can say is it’s notable many Western governments have united in the calls against using Kaspersky products, although the firm has consistently denied any explicit links to the Russian state.

The legal obligation to comply with Russian government orders, though, is true – and a significant reason why cyber security agencies are, only now, warning businesses against using it. With more than 400 million users and 240,000 corporate clients, the legal requirement for a cyber security company as prevalent as Kaspersky to comply with Kremlin orders is, indeed, troubling, even if hypothetical or unlikely. Because of this, it might be wise to err on the side of caution.

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.