By Ellen Nakashima, Jack Gillum
The US government yesterday moved to ban the use of a Russian brand of security software by federal agencies amid concerns the company has ties to state-sponsored cyberespionage activities.
In a binding directive, acting homeland security secretary Elaine Duke ordered that federal civilian agencies identify Kaspersky Lab software on their networks. After 90 days, unless otherwise directed, they must remove the software, on the grounds that the company has connections to the Russian government and its software poses a security risk.
The Department of Homeland Security "is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks," the department said in a statement. "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security."
The directive comes months after the federal General Services Administration, the agency in charge of government purchasing, removed Kaspersky from its list of approved vendors. In doing so, the GSA suggested a vulnerability exists with Kaspersky that could give the Kremlin backdoor access to the systems the company protects.
The company said in a statement Wednesday that it "doesn't have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company."
It also said that the Russian law requiring assistance does not apply to the company.
"Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it's disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues," Kaspersky said. "The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit."
The department is giving Kaspersky 90 days to prove its products are not a security risk or to mitigate the concerns.
"We've determined that [Kaspersky software] poses an unacceptable amount of risk based on our assessment," said Christopher Krebs, a senior DHS official in the National Protection and Programs Directorate. "If they want to provide additional information or mitigation strategies, our door is open."
The directive comes in the wake of an unprecedented Russian operation to interfere in the US presidential election, with Russian spy services hacking the networks of the Democratic National Committee and other political organizations and releasing damaging information.
At least a half-dozen federal agencies run Kaspersky on their networks, US officials said, although there may be other networks where an agency's chief information security officer - the official ultimately responsible for systems security - might not be aware it is being used.
The order applies only to civilian government networks. The Defense Department, which includes the National Security Agency, does not use Kaspersky software, officials said.
Meanwhile, the directive may also put pressure on state and local governments that use Kaspersky products. Many had been left to speculate about the risks of sticking with the company or abandoning taxpayer-funded contracts, sometimes at great cost. In July, The Washington Post found several state and local agencies that used Kaspersky's anti-virus or security software had purchased or supported the software within the past two years.
The US intelligence community has long assessed that Kaspersky has ties to the Russian government. The company's founder, Eugene Kaspersky, graduated from a KGB-supported cryptography school and had worked in Russian military intelligence.
Rob Joyce, the White House cybersecurity coordinator and a former NSA official, hailed the move. The idea that data collected by software on government networks could wind up with Russian spy agencies "was an unacceptable risk," he said Wednesday at the Billington CyberSecurity Summit in Washington.
Concerns about Kaspersky software had been brewing for years. Federal law enforcement officials warned some congressional staffers as early as November 2015 not to meet with employees from Kaspersky, because of concerns about electronic surveillance. The concerns mounted in recent months, and DHS officials saw an opportunity to take action. Last week, Best Buy announced it would stop selling Kaspersky products, because of fears of ties to the Russian government.
Senator Jeanne Shaheen, an outspoken critic of Kaspersky, said the DHS announcement is "a significant step forward in improving our national security and protecting against such vulnerabilities on federal systems." She has proposed amendments to the 2018 National Defense Authorisation Act that would ban the use of Kaspersky products at the Defense Department and across the government.
In announcing its July decision, the GSA underscored that its mission was to "ensure the integrity and security of US government systems and networks" and that Kaspersky was delisted "after review and careful consideration." The action removed the company from the list of products approved for purchase on federal systems and at discounted prices for state governments.
Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, said he is concerned the public has not seen evidence of malfeasance by Kaspersky but only "intelligence-community rumblings about the potential for back doors" - a reference in the tech world to holes in software that allow unauthorised parties to gain access to a program or system.
But intelligence agencies have information that leads them to believe Kaspersky products are essentially conduits for Russian espionage, officials say privately. At a Senate Intelligence Committee hearing in May, the chiefs of six major US spy agencies all said they would not use Kaspersky software on their computers.