GSA removes Kaspersky from GSA Schedule

Cybersecurity

Every day we hear of Russia and thus it should come as no surprise the General Services Administration (GSA) removed Russian cybersecurity firm Kaspersky’s offerings from the GSA schedule. There was no announcement, no fan fare – Kaspersky simply disappeared.

While the backstory seems obvious enough – they are a Moscow-based company with alleged ties to the Russian intelligence apparatus. And there can be no denying Kaspersky products enjoy the front runner position within the Russian government when product selection is being made.

But what about Symantec? They famously jumped into bed with China conglomerate, Huawei, and formed a joint venture (49 percent Symantec/51 percent Huawei) in 2007. In 2012, Symantec sold its 49 percent to Huawei and called it done. Why did the joint venture fail? Some speculated at that time that Symantec  “feared its affiliation with the Chinese telecommunications equipment maker would prevent it from obtaining classified information from the US government about cyber-threats. Given the amount of Chinese espionage taking place in the US, they demonstrated a good bit of prescience in their decision making.

For every vendor to a governmental entity, they too could have the eye of suspicion cast upon them. Being a vendor and being a collaborator are two separate actions. The former is expected, the later is suspected.

In a bit of irony, the US is not the first country to exclude Kaspersky from sales to governmental entities. In 2014, China excluded both Kaspersky and Symantec. The rationale? According to the Chinese Ministry of State Security (MSS), “Symantec software had security vulnerabilities including backdoors which could allow outside access.” No reason was provided for excluding Kaspersky.

Should Kaspersky be excluded?

Eugene Kaspersky the company’s founder says, “nyet.” He pushes aside allegations as “unfounded conspiracy theories … total BS” when asked about his company’s close ties with Russian intelligence agencies. Yet, Bloomberg shared the existence of emails from 2009 (yes that is 8 years ago) which show Kaspersky was involved in a number of special projects from “Lubyanka side” a euphemism for the Russian internal security agency (FSB). The work would include the creation of “active countermeasures.”

Fast forward to 2016, and we see that the FSB arrested one of its own and a Kaspersky engineer for espionage. The irony is that the FSB officer arrested was engaged in the breach of Yahoo!, which resulted in 500 million accounts being compromised. Thus he was also wanted for espionage by the United States – a piece of history there.

Couple this with the congressional hearings on Russian meddling in the US elections and the cacophony of calls for the exclusion of Kaspersky, and there is little reason to question the GSA decision to remove Kaspersky from the GSA schedule. They can always be added back to the list if at a future date they are found to have a sufficiently arms length relationship with the Russian intelligence organizations, for now, why invite them into US government entities?

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).