Senior members of the U.S. intelligence community are for the first time publicly expressing concern that one of the world's largest cyber-security firms -- Moscow-based Kaspersky Lab -- could pose a threat to the U.S. homeland.
The acting head of the FBI, Andrew McCabe, told the Senate Intelligence Committee today that his agency is "very concerned about it ... and we are focused on it closely."
Robert Cardillo, the director of the National Geospatial-Intelligence Agency, said he is "aware of the Kaspersky Lab challenge and/or threat." CIA Director Mike Pompeo said the matter "has risen to the director of the CIA as well." And the head of the National Security Agency, Adm. Mike Rogers, said he is "personally aware and involved" in "national security issues" associated with Kaspersky Lab.
Until those remarks at a Senate Intelligence Committee hearing today, such concerns have been communicated only behind closed doors and in private memos, as ABC News first disclosed in a report Tuesday.
"I think we do ourselves a disservice by not speaking about this openly," Michael Carpenter, who until January served as the Defense Department's deputy assistant secretary for Russia, Ukraine and Eurasia, told ABC News.
Current and former U.S. officials worry that Russian intelligence could seek to exploit Kaspersky Lab's widely-used software to steal and manipulate users' files, read private emails or attack critical infrastructure in the United States. And they point to Kaspersky Lab executives with previous ties to Russian intelligence and military agencies.
In a secret memorandum sent last month to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions, the Senate Intelligence Committee raised possible red flags about Kaspersky Lab and urged the intelligence community to address potential risks posed by the company's powerful market position.
"This [is an] important national security issue," declared the bipartisan memorandum, described to ABC News by congressional sources.
In February, the Department of Homeland Security issued a secret report on the matter to other government agencies. And the FBI is investigating the nature of Kaspersky Lab’s relationship to the Russian government, sources with knowledge of the probe told ABC News.
The company has repeatedly insisted it poses no threat to U.S. customers and would never allow itself to be used as a government tool.
Products from Kaspersky Lab are widely used in homes and businesses throughout the United States and around the world.
But ABC News found that -- largely through outside vendors -- Kaspersky Lab software has also been procured by such federal agencies as the U.S. Bureau of Prisons, the Consumer Protection Safety Commission and even some segments of the Defense Department.
"We are tracking Kaspersky and their software," the Director of the Defense Intelligence Agency, Lt. Gen. Vincent Stewart, told the Senate panel today. "As well as I know, and I checked this recently, no Kaspersky software on our networks."
But when asked whether any federal contractors might be using Kaspersky Lab software on U.S. systems, Stewart said, "The contractor piece might be a little bit harder to define, but at this point we see no connection to Kaspersky and contractors supporting our [information technology]."
Sen. Joe Manchin, D-West Virginia, described concerns related to Kaspersky Lab as "more than a challenge," saying, "We are very much concerned about this, very much concerned about the security of our country."
When Sen. Marco Rubio, R-Florida, asked the panelists whether they'd be willing to use Kaspersky Lab software on their devices, Director of National Intelligence Coats said: "A resounding no from me."
The five other U.S. intelligence officials on the panel unanimously agreed.
Manchin urged each of the U.S. officials testifying to verify that Kaspersky Lab software is not on their agencies' systems.
In a statement issued Tuesday, Kaspersky Lab insisted: "As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts."
"The company has a 20-year history in the IT security industry of always abiding by the highest ethical business practices, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations," the statement said.
"Kaspersky Lab is available to assist all concerned government organizations with any ongoing investigations, and the company ardently believes a deeper examination of Kaspersky Lab will confirm that these allegations are unfounded."
In fact, the FBI and other agencies in the U.S. intelligence community have yet to publicly present any evidence connecting company executives with Russian security services. And sources who spoke with ABC News did not offer any evidence suggesting Kaspersky Lab has helped breach a U.S. system or taken hostile action on behalf of the Russian government.
"For 20 years, Kaspersky Lab has been focused on protecting people and organizations from cyberthreats, and its headquarters' location doesn't change that mission," Kaspersky Lab said in its statement. "[J]ust as a U.S.-based cybersecurity company doesn’t allow access or send any sensitive data from its products to the U.S. government, Kaspersky Lab products also do not allow any access or provide any private data to any country's government."
In an interview with ABC News, Eugene Kaspersky said, "My response if I’m asked to spy on anyone coming from any state, any government -- not only Russian -- will be definite 'no.'"
Experts emphasize there is one key thing to remember about Kaspersky Lab: "They do some good things, and they have good products," said Carpenter, the former Defense Department official.
Founded in 1997, the company boasts an estimated 400 million users in nearly 200 countries. And it reportedly rakes in hundreds of millions of dollars a year, not only through its anti-virus software but also through the analysis it conducts about emerging threats.
"We do not care who's behind the cybercampaigns we expose," Eugene Kaspersky said in 2015, responding to a Bloomberg News report about his alleged ties to Russian officials. "There is cyber-evil, and we fight it."
In 2013, Kaspersky Lab outed what it called Red October, an alleged Russian hacking campaign to spy on diplomatic agencies in Eastern Europe. Kaspersky Lab researchers were also behind the discovery of Stuxnet, the U.S. National Security Agency's special cyberbomb targeting Iranian nuclear facilities in 2009 and 2010.
Answering online questions through the website Reddit as today’s Senate Intelligence Committee hearing was getting underway, Eugene Kaspersky said he is "tired" of answering "silly questions about my ties with the Kremlin."
"All these stories, they don’t make me happy," he wrote. "But to some extent they give us something close to free advertising."